From d67d35a3c66a7c210b347191a78a158172ff0330 Mon Sep 17 00:00:00 2001 From: Filip Dvorak Date: Mar 29 2021 15:21:43 +0000 Subject: Update tests/inplace-upgrade-sanity-test/runtest.sh --- diff --git a/tests/inplace-upgrade-sanity-test/runtest.sh b/tests/inplace-upgrade-sanity-test/runtest.sh index cdd4744..7454540 100755 --- a/tests/inplace-upgrade-sanity-test/runtest.sh +++ b/tests/inplace-upgrade-sanity-test/runtest.sh @@ -36,15 +36,10 @@ PACKAGES="krb5-libs krb5-server krb5-workstation openssh" TEST_ENTROPY_SOURCE=${TEST_ENTROPY_SOURCE:-no} echo TEST_ENTROPY_SOURCE=$TEST_ENTROPY_SOURCE -hostnamectl set-hostname test.fedora.com - -host_ip=`hostname -I | awk '{print$1}'` -echo "$host_ip test.fedora.com" >> /etc/hosts - -krb5REALM1='ZMRAZ.COM' -krb5REALM2='PKIS.NET' +krb5REALM1='TEST1.REDHAT.COM' +krb5REALM2='TEST2.REDHAT.COM' krb5HostName=`hostname` -krb5DomainName='fedora.com' +krb5DomainName=`hostname -d` krb5User='alice' krb5UserPass='alice' krb5UserKrbPass='aaa' @@ -58,6 +53,8 @@ krb5confdir="/etc/krb5.conf.d" krb5kdcconf="/var/kerberos/krb5kdc/kdc.conf" krb5kadmacl="/var/kerberos/krb5kdc/kadm5.acl" + + rlJournalStart rlPhaseStartSetup for pkg in $PACKAGES; do @@ -65,6 +62,8 @@ rlJournalStart done rlRun "TmpDir=\$(mktemp -d)" rlRun "pushd $TmpDir" + echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf + echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf rlPhaseEnd # Run this part on OLD and in "normal" mode 
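Review bot: `krb5DomainName=\`hostname -d\`` replaces a fixed domain with a lookup that prints nothing when the host has no DNS domain configured, so every later use of $krb5DomainName (all outside this hunk) would then expand to an empty string with no error. A guard right after the assignment, `[ -n "$krb5DomainName" ] || { echo "hostname -d returned no domain" >&2; exit 1; }`, fails the run early with a clear reason; this line is before rlJournalStart, so the beakerlib helpers are not yet available for reporting it. The old `/etc/hosts` rewrite removed here is replaced by the conditional block in the next hunk, which is where the empty-value case should also be handled.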
@@ -73,9 +72,19 @@ rlJournalStart
 # Stop and backup
 rlRun "rlServiceStop kadmin krb5kdc"
 rlRun "rm -f /var/kerberos/krb5kdc/principal* /var/kerberos/krb5kdc/.k5*"
- rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc}
+ rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc} /etc/hosts
+ rlFileBackup --clean /root/.k5login
 [ -e /etc/krb5.keytab ] && rlFileBackup /etc/krb5.keytab
 [ -e $krb5confdir ] && rlFileBackup $krb5confdir
+ # Make sure IPv4 is used for ssh connection
+ if ! grep `hostname` /etc/hosts; then
+ DEF_DEV=`ip route |grep default |awk '{print $5}'`
+ echo DEF_DEV=$DEF_DEV
+ DEF_IP=`ip -o -4 addr show dev $DEF_DEV |awk '{print $4}' |grep -v '/32' |sed 's|/.*||'`
+ echo DEF_IP=$DEF_IP
+ rlRun "echo '$DEF_IP `hostname`' >>/etc/hosts"
+ grep `hostname` /etc/hosts
+ fi
 # Basic setup of KDC and krb5.conf
 if rlIsRHEL 6; then
 rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
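Review bot: `DEF_IP` can be empty (no default route, several default routes turning `DEF_DEV` into multiple words, or only a /32 address on the device), and the following `rlRun "echo '$DEF_IP \`hostname\`' >>/etc/hosts"` would then write a hostname-only line into /etc/hosts with no failure reported. A guard between the two, `[ -n "$DEF_IP" ] || rlDie "no IPv4 address found on $DEF_DEV"`, stops the run with a clear reason; the /etc/hosts backup added above already covers the restore. The first `grep \`hostname\` /etc/hosts` is unanchored and unquoted, so a short hostname matching as a substring of another entry skips the write; `grep -qw "$(hostname)" /etc/hosts` is the safer condition. This block sits inside a setup phase that begins outside the hunk.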
@@ -99,28 +108,59 @@ rlJournalStart dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal - } +} _EOF - rlIsRHEL 6 || rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf" + + +if rlIsRHEL '7'; then + rlLog "Modify supported_enctypes for RHEL-7." + rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf" + # Remove 3DES and DES cipher suite from kdc.conf - Fedora 31 + # Fedora 31 - krb5 will be removing support for DES, 3DES, and crc-32 entirely + # they will not be allowed in session keys or long-term keys. (BZ#1670398) + # https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization +elif rlIsFedora '>=31';then + rlLog "Modify supported_enctypes for Fedora >=31. Remove *DES ciphers." + rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf" +elif rlIsRHEL '8' && [ `rpm -q --qf '%{VERSION}' krb5-server | cut -d"." -f2` -lt 18 ];then + rlLog "Modify supported_enctypes for RHEL-8." 
+ rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf" +else + #RHEL-8 Bug 1802334 - [Rebase] krb5: rebase to 1.18: + #- Removal of *DES encryption types + #https://bugzilla.redhat.com/show_bug.cgi?id=1802334 + rlLog "Modify supported_enctypes for RHEL-8 with krb-1.18. Remove *DES ciphers." + rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf" +fi rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM2 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf" - cat >> $krb5conf << _EOF + cat >> $krb5conf << _EOF [capaths] $krb5REALM1 = { $krb5REALM2 = . } _EOF - # Test the entropy source (not relevant for RHEL6) + # BZ#1394908: Test the entropy source (not relevant for RHEL6) if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then - rlLog "The source of entropy will be tested as well" + rlLog "BZ#1394908: The source of entropy will be tested as well" + # Check number of audit rules + number_rules=$(auditctl -l | grep -v "No rules" | wc -l) + if [[ ${number_rules} -ne 0 ]];then + truncate -s0 /var/log/audit/audit.log + rlRun "auditctl -D" 0 "Delete previous audit rules" + fi START_DATE=`date +%H:%M:%S` echo START_DATE=$START_DATE sleep 1 rlRun "auditctl -w /dev/random -p rwxa -k RAND" auditctl -l - sleep 1 + sleep 5 rlRun "ausearch -i -k RAND -ts $START_DATE" fi + + echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf + echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf + # Create the realm databases rlRun "rngd -r /dev/urandom" rlRun "kdb5_util create -s -r $krb5REALM1 -P $krb5KDCPass" 
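Review bot: `truncate -s0 /var/log/audit/audit.log` discards the host's entire prior audit trail and runs outside rlRun, so neither the action nor its failure lands in the journal; the later `ausearch -i -k RAND -ts $START_DATE` is already bounded by START_DATE and keyed on RAND, so the truncate looks unnecessary and I would drop it, or if it is needed wrap it as `rlRun "truncate -s0 /var/log/audit/audit.log" 0 "Clear audit log before entropy test"`. In the RHEL-8 branch, `[ \`rpm -q --qf '%{VERSION}' krb5-server | cut -d"." -f2\` -lt 18 ]` has an empty left operand if rpm fails, which makes `[` print an error and silently fall through to the else branch; capturing the version into a variable and checking it is non-empty first would make that visible. The enclosing setup phase starts and ends outside this hunk.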
@@ -145,12 +185,12 @@ _EOF
 rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -randkey host/$krb5HostName\""
 rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""
 rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""
- # Create test system user
+ # Create test system user
 [ $krb5User != "root" ] && rlRun "useradd $krb5User"
 rlRun "echo $krb5UserPass | passwd --stdin $krb5User"
 rlPhaseEnd
 fi
-
+
 rlPhaseStartTest "Daemon start and log file test"
 # Make sure there is enough entropy and start recording of the logs
 rlRun "rngd -r /dev/urandom"
@@ -190,6 +230,10 @@ _EOF
 echo "/var/log/kadmind.log:"
 tail -n 100 /var/log/kadmind.log
 fi
+
+ #add 'list' privilege for root/master
+ sed -i -e '$a*/master@EXAMPLE.COM *' /var/kerberos/krb5kdc/kadm5.acl
+
 # Restart daemon auto start
 if rlIsRHEL 6; then
 rlRun "service krb5kdc restart"
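Review bot: The appended ACL `*/master@EXAMPLE.COM *` grants every kadmin privilege to any `*/master` principal, while the comment above it asks only for the 'list' privilege for root/master; `kadmin -p root/master -q getprincs` needs just `l`, so `sed -i -e '$aroot/master@EXAMPLE.COM l' /var/kerberos/krb5kdc/kadm5.acl` matches both the comment and the minimum the test needs. Whether EXAMPLE.COM is the realm in effect cannot be seen in this hunk: root/master is asserted under $krb5REALM1 elsewhere in the diff, so unless kadm5.acl is rewritten to $krb5REALM1 outside this hunk the entry never matches. The sed also runs outside rlRun, so a failure is not journaled, and `$a` appends a duplicate line on every run. The enclosing phase begins outside the hunk.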
@@ -204,11 +248,21 @@ _EOF
 fi
 rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
 rlRun "kdestroy"
- rlRun "kadmin -p root/master -w rrr -q ''"
+ rlRun "kadmin -p root/master -w rrr -q 'getprincs'"
 rlAssertGrep "AS_REQ.*$krb5User@$krb5REALM1.*krbtgt/$krb5REALM1@$krb5REALM1" krb5kdc.log.record
- cat krb5kdc.log.record
- rlAssertGrep "Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/`hostname`@$krb5REALM1" kadmind.log.record
- cat kadmind.log.record
+
+#The principal related to kadmin are not created with hostname (kadmin/hostname@REALM) during creating krb5 DB
+#RHEL9 constains only kadmin/admin@REALM - this change was intentional - Don't create hostbased principals in new KDBs
+#https://krbdev.mit.edu/rt/Ticket/Display.html?id=8935
+ if rlIsRHEL 9 || rlIsFedora '>=33';then
+ kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/admin@$krb5REALM1"
+ else
+ kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/.*`hostname`@$krb5REALM1"
+ fi
+ rlAssertGrep "${kadmin_princ}" kadmind.log.record
+ #rlAssertGrep "Request: kadm5_init.*root\/master@$krb5REALM1.*service=kadmin\/(admin|.*`hostname`)@$krb5REALM1" kadmind.log.record -E
+ echo "***krb5kdc.log.record***" && cat krb5kdc.log.record
+ echo "***kadmind.log.record***" && cat kadmind.log.record
 # Stop log recording
 kill $KADMIND_LOG_PID
 kill $KRB5KDC_LOG_PID
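Review bot: The commented-out `#rlAssertGrep ... -E` line duplicates the assertion just above it and should be dropped rather than kept as dead code; the explanatory comment block above the `if` sits at column 0 inside an indented phase and has a typo ("constains" → "contains"). The two `kadmin_princ` assignments repeat the `Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/` prefix; assigning only the differing service name in the branches and building the pattern once keeps the assertion readable. The `-q 'getprincs'` change is what the new kadm5.acl entry in the earlier hunk exercises; a short comment such as `# getprincs needs the list privilege granted in kadm5.acl` would tie the two together. The enclosing phase begins outside the hunk.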
@@ -238,6 +292,13 @@ _EOF cat klist.log rlAssertGrep "host/`hostname`@$krb5REALM1" klist.log rlRun "kdestroy" + #BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context + #The problem is that this file had security context: system_u:object_r:kadmind_tmp_t:s0. + #This is a problem when the ssh via krb5-GSSAPI is used because sshd service cannot write into this file. + if rlIsRHEL '>=8.3' || rlIsFedora '>=32'; then + rlLog "BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context" + rlRun "sesearch -s sshd_t -t kadmind_tmp_t -c file -p write --allow | grep ^allow" + fi rlPhaseEnd rlPhaseStartTest "Basic kadmin and kpasswd test" @@ -279,13 +340,14 @@ _EOF rlRun "kdestroy" rlPhaseEnd - # Test the entropy source (not relevant for RHEL6) + # BZ#1394908: Test the entropy source (not relevant for RHEL6) if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then - rlPhaseStartTest "Enable faster getrandom-based entropy system" + rlPhaseStartTest "BZ#1394908: Enable faster getrandom-based entropy system" echo START_DATE=$START_DATE auditctl -l + sleep 5 rlRun "ausearch -i -k RAND -ts $START_DATE" - rlRun "ausearch -i -k RAND -ts $START_DATE |grep comm= |grep -v 'comm=rngd'" 1 + rlRun "ausearch -i -k RAND -ts $START_DATE |grep comm= | grep -v comm=auditctl |grep -v 'comm=rngd'" 1 rlRun "auditctl -D" rlPhaseEnd fi @@ -299,10 +361,11 @@ _EOF [ $krb5User != "root" ] && rlRun "userdel -r -f $krb5User" rlPhaseEnd fi - + rlPhaseStartCleanup + rlRun "kdestroy -A" rlRun "popd" rlRun "rm -r $TmpDir" rlPhaseEnd rlJournalPrintText -rlJournalEnd +rlJournalEnd \ No newline at end of file
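Review bot: `rlRun "sesearch -s sshd_t -t kadmind_tmp_t -c file -p write --allow | grep ^allow"` depends on the setools-console package, which is not among the PACKAGES checked in setup (krb5-libs krb5-server krb5-workstation openssh), so on a minimal host this fails with a command-not-found rather than for the reason BZ1841488 describes; add `rlAssertRpm setools-console` before it, or add the package to PACKAGES outside this hunk. The check also only proves a policy allow rule exists; the bug is about the label on /var/tmp/krb5_0.rcache2, so asserting the actual context of that file after the GSSAPI ssh would pin the regression more directly — the expected type is not visible here, so confirm it against the bug before adding that. The enclosing phase begins outside the hunk.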