| |
@@ -36,15 +36,10 @@
|
| |
TEST_ENTROPY_SOURCE=${TEST_ENTROPY_SOURCE:-no}
|
| |
echo TEST_ENTROPY_SOURCE=$TEST_ENTROPY_SOURCE
|
| |
|
| |
- hostnamectl set-hostname test.fedora.com
|
| |
-
|
| |
- host_ip=`hostname -I | awk '{print$1}'`
|
| |
- echo "$host_ip test.fedora.com" >> /etc/hosts
|
| |
-
|
| |
- krb5REALM1='ZMRAZ.COM'
|
| |
- krb5REALM2='PKIS.NET'
|
| |
+ krb5REALM1='TEST1.REDHAT.COM'
|
| |
+ krb5REALM2='TEST2.REDHAT.COM'
|
| |
krb5HostName=`hostname`
|
| |
- krb5DomainName='fedora.com'
|
| |
+ krb5DomainName=`hostname -d`
|
| |
krb5User='alice'
|
| |
krb5UserPass='alice'
|
| |
krb5UserKrbPass='aaa'
|
| |
@@ -58,6 +53,8 @@
|
| |
krb5kdcconf="/var/kerberos/krb5kdc/kdc.conf"
|
| |
krb5kadmacl="/var/kerberos/krb5kdc/kadm5.acl"
|
| |
|
| |
+
|
| |
+
|
| |
rlJournalStart
|
| |
rlPhaseStartSetup
|
| |
for pkg in $PACKAGES; do
|
| |
@@ -65,6 +62,8 @@
|
| |
done
|
| |
rlRun "TmpDir=\$(mktemp -d)"
|
| |
rlRun "pushd $TmpDir"
|
| |
+ echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf
|
| |
+ echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf
|
| |
rlPhaseEnd
|
| |
|
| |
# Run this part on OLD and in "normal" mode
|
| |
@@ -73,9 +72,19 @@
|
| |
# Stop and backup
|
| |
rlRun "rlServiceStop kadmin krb5kdc"
|
| |
rlRun "rm -f /var/kerberos/krb5kdc/principal* /var/kerberos/krb5kdc/.k5*"
|
| |
- rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc}
|
| |
+ rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc} /etc/hosts
|
| |
+ rlFileBackup --clean /root/.k5login
|
| |
[ -e /etc/krb5.keytab ] && rlFileBackup /etc/krb5.keytab
|
| |
[ -e $krb5confdir ] && rlFileBackup $krb5confdir
|
| |
+ # Make sure IPv4 is used for ssh connection
|
| |
+ if ! grep `hostname` /etc/hosts; then
|
| |
+ DEF_DEV=`ip route |grep default |awk '{print $5}'`
|
| |
+ echo DEF_DEV=$DEF_DEV
|
| |
+ DEF_IP=`ip -o -4 addr show dev $DEF_DEV |awk '{print $4}' |grep -v '/32' |sed 's|/.*||'`
|
| |
+ echo DEF_IP=$DEF_IP
|
| |
+ rlRun "echo '$DEF_IP `hostname`' >>/etc/hosts"
|
| |
+ grep `hostname` /etc/hosts
|
| |
+ fi
|
| |
# Basic setup of KDC and krb5.conf
|
| |
if rlIsRHEL 6; then
|
| |
rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
|
| |
@@ -99,28 +108,59 @@
|
| |
dict_file = /usr/share/dict/words
|
| |
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
|
| |
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
|
| |
- }
|
| |
+ }
|
| |
_EOF
|
| |
- rlIsRHEL 6 || rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf"
|
| |
+
|
| |
+
|
| |
+ if rlIsRHEL '7'; then
|
| |
+ rlLog "Modify supported_enctypes for RHEL-7."
|
| |
+ rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf"
|
| |
+ # Remove 3DES and DES cipher suite from kdc.conf - Fedora 31
|
| |
+ # Fedora 31 - krb5 will be removing support for DES, 3DES, and crc-32 entirely
|
| |
+ # they will not be allowed in session keys or long-term keys. (BZ#1670398)
|
| |
+ # https://fedoraproject.org/wiki/Changes/krb5_crypto_modernization
|
| |
+ elif rlIsFedora '>=31';then
|
| |
+ rlLog "Modify supported_enctypes for Fedora >=31. Remove *DES ciphers."
|
| |
+ rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"
|
| |
+ elif rlIsRHEL '8' && [ `rpm -q --qf '%{VERSION}' krb5-server | cut -d"." -f2` -lt 18 ];then
|
| |
+ rlLog "Modify supported_enctypes for RHEL-8."
|
| |
+ rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"
|
| |
+ else
|
| |
+ #RHEL-8 Bug 1802334 - [Rebase] krb5: rebase to 1.18:
|
| |
+ #- Removal of *DES encryption types
|
| |
+ #https://bugzilla.redhat.com/show_bug.cgi?id=1802334
|
| |
+ rlLog "Modify supported_enctypes for RHEL-8 with krb-1.18. Remove *DES ciphers."
|
| |
+ rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal/\" /var/kerberos/krb5kdc/kdc.conf"
|
| |
+ fi
|
| |
rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM2 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf"
|
| |
- cat >> $krb5conf << _EOF
|
| |
+ cat >> $krb5conf << _EOF
|
| |
|
| |
[capaths]
|
| |
$krb5REALM1 = {
|
| |
$krb5REALM2 = .
|
| |
}
|
| |
_EOF
|
| |
- # Test the entropy source (not relevant for RHEL6)
|
| |
+ # BZ#1394908: Test the entropy source (not relevant for RHEL6)
|
| |
if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
|
| |
- rlLog "The source of entropy will be tested as well"
|
| |
+ rlLog "BZ#1394908: The source of entropy will be tested as well"
|
| |
+ # Check number of audit rules
|
| |
+ number_rules=$(auditctl -l | grep -v "No rules" | wc -l)
|
| |
+ if [[ ${number_rules} -ne 0 ]];then
|
| |
+ truncate -s0 /var/log/audit/audit.log
|
| |
+ rlRun "auditctl -D" 0 "Delete previous audit rules"
|
| |
+ fi
|
| |
START_DATE=`date +%H:%M:%S`
|
| |
echo START_DATE=$START_DATE
|
| |
sleep 1
|
| |
rlRun "auditctl -w /dev/random -p rwxa -k RAND"
|
| |
auditctl -l
|
| |
- sleep 1
|
| |
+ sleep 5
|
| |
rlRun "ausearch -i -k RAND -ts $START_DATE"
|
| |
fi
|
| |
+
|
| |
+ echo "-----/etc/krb5.conf----"; cat /etc/krb5.conf
|
| |
+ echo "-----/var/kerberos/krb5kdc/kdc.conf-----"; cat /var/kerberos/krb5kdc/kdc.conf
|
| |
+
|
| |
# Create the realm databases
|
| |
rlRun "rngd -r /dev/urandom"
|
| |
rlRun "kdb5_util create -s -r $krb5REALM1 -P $krb5KDCPass"
|
| |
@@ -145,12 +185,12 @@
|
| |
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -randkey host/$krb5HostName\""
|
| |
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""
|
| |
rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""
|
| |
- # Create test system user
|
| |
+ # Create test system user
|
| |
[ $krb5User != "root" ] && rlRun "useradd $krb5User"
|
| |
rlRun "echo $krb5UserPass | passwd --stdin $krb5User"
|
| |
rlPhaseEnd
|
| |
fi
|
| |
-
|
| |
+
|
| |
rlPhaseStartTest "Daemon start and log file test"
|
| |
# Make sure there is enough entropy and start recording of the logs
|
| |
rlRun "rngd -r /dev/urandom"
|
| |
@@ -190,6 +230,10 @@
|
| |
echo "/var/log/kadmind.log:"
|
| |
tail -n 100 /var/log/kadmind.log
|
| |
fi
|
| |
+
|
| |
+ #add 'list' privilege for root/master
|
| |
+ sed -i -e '$a*/master@EXAMPLE.COM *' /var/kerberos/krb5kdc/kadm5.acl
|
| |
+
|
| |
# Restart daemon auto start
|
| |
if rlIsRHEL 6; then
|
| |
rlRun "service krb5kdc restart"
|
| |
@@ -204,11 +248,21 @@
|
| |
fi
|
| |
rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
|
| |
rlRun "kdestroy"
|
| |
- rlRun "kadmin -p root/master -w rrr -q ''"
|
| |
+ rlRun "kadmin -p root/master -w rrr -q 'getprincs'"
|
| |
rlAssertGrep "AS_REQ.*$krb5User@$krb5REALM1.*krbtgt/$krb5REALM1@$krb5REALM1" krb5kdc.log.record
|
| |
- cat krb5kdc.log.record
|
| |
- rlAssertGrep "Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/`hostname`@$krb5REALM1" kadmind.log.record
|
| |
- cat kadmind.log.record
|
| |
+
|
| |
+ #The principal related to kadmin are not created with hostname (kadmin/hostname@REALM) during creating krb5 DB
|
| |
+ #RHEL9 constains only kadmin/admin@REALM - this change was intentional - Don't create hostbased principals in new KDBs
|
| |
+ #https://krbdev.mit.edu/rt/Ticket/Display.html?id=8935
|
| |
+ if rlIsRHEL 9 || rlIsFedora '>=33';then
|
| |
+ kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/admin@$krb5REALM1"
|
| |
+ else
|
| |
+ kadmin_princ="Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/.*`hostname`@$krb5REALM1"
|
| |
+ fi
|
| |
+ rlAssertGrep "${kadmin_princ}" kadmind.log.record
|
| |
+ #rlAssertGrep "Request: kadm5_init.*root\/master@$krb5REALM1.*service=kadmin\/(admin|.*`hostname`)@$krb5REALM1" kadmind.log.record -E
|
| |
+ echo "***krb5kdc.log.record***" && cat krb5kdc.log.record
|
| |
+ echo "***kadmind.log.record***" && cat kadmind.log.record
|
| |
# Stop log recording
|
| |
kill $KADMIND_LOG_PID
|
| |
kill $KRB5KDC_LOG_PID
|
| |
@@ -238,6 +292,13 @@
|
| |
cat klist.log
|
| |
rlAssertGrep "host/`hostname`@$krb5REALM1" klist.log
|
| |
rlRun "kdestroy"
|
| |
+ #BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context
|
| |
+ #The problem is that this file had security context: system_u:object_r:kadmind_tmp_t:s0.
|
| |
+ #This is a problem when the ssh via krb5-GSSAPI is used because sshd service cannot write into this file.
|
| |
+ if rlIsRHEL '>=8.3' || rlIsFedora '>=32'; then
|
| |
+ rlLog "BZ1841488-sshd cannot write into reply cache (/var/tmp/krb5_0.rcache2) due to security context"
|
| |
+ rlRun "sesearch -s sshd_t -t kadmind_tmp_t -c file -p write --allow | grep ^allow"
|
| |
+ fi
|
| |
rlPhaseEnd
|
| |
|
| |
rlPhaseStartTest "Basic kadmin and kpasswd test"
|
| |
@@ -279,13 +340,14 @@
|
| |
rlRun "kdestroy"
|
| |
rlPhaseEnd
|
| |
|
| |
- # Test the entropy source (not relevant for RHEL6)
|
| |
+ # BZ#1394908: Test the entropy source (not relevant for RHEL6)
|
| |
if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
|
| |
- rlPhaseStartTest "Enable faster getrandom-based entropy system"
|
| |
+ rlPhaseStartTest "BZ#1394908: Enable faster getrandom-based entropy system"
|
| |
echo START_DATE=$START_DATE
|
| |
auditctl -l
|
| |
+ sleep 5
|
| |
rlRun "ausearch -i -k RAND -ts $START_DATE"
|
| |
- rlRun "ausearch -i -k RAND -ts $START_DATE |grep comm= |grep -v 'comm=rngd'" 1
|
| |
+ rlRun "ausearch -i -k RAND -ts $START_DATE |grep comm= | grep -v comm=auditctl |grep -v 'comm=rngd'" 1
|
| |
rlRun "auditctl -D"
|
| |
rlPhaseEnd
|
| |
fi
|
| |
@@ -299,10 +361,11 @@
|
| |
[ $krb5User != "root" ] && rlRun "userdel -r -f $krb5User"
|
| |
rlPhaseEnd
|
| |
fi
|
| |
-
|
| |
+
|
| |
rlPhaseStartCleanup
|
| |
+ rlRun "kdestroy -A"
|
| |
rlRun "popd"
|
| |
rlRun "rm -r $TmpDir"
|
| |
rlPhaseEnd
|
| |
rlJournalPrintText
|
| |
- rlJournalEnd
|
| |
+ rlJournalEnd
|
| |
\ No newline at end of file
|
| |
Update this test to run on F34.