authorRuss Allbery <eagle@eyrie.org>2020-05-17 18:34:33 -0700
committerRuss Allbery <eagle@eyrie.org>2020-05-17 18:34:33 -0700
commit47203873c0fc284b69a6c5c8d709e90d69554637 (patch)
treeeba4ed5b7626c475cff90ac760f868f4e81b65c9 /ci/files
parent27662bbd5b1381e0e2b00e060bdb1c873cb22141 (diff)
Configure Kerberos tests for CI
Install a full MIT Kerberos KDC when running CI tests with the MIT library and generate the files required to run the full test suite.
Diffstat (limited to 'ci/files')
-rw-r--r--ci/files/mit/kadm5.acl1
-rw-r--r--ci/files/mit/kdc.conf19
-rw-r--r--ci/files/mit/krb5.conf19
3 files changed, 39 insertions, 0 deletions
diff --git a/ci/files/mit/kadm5.acl b/ci/files/mit/kadm5.acl
new file mode 100644
index 0000000..fa14eae
--- /dev/null
+++ b/ci/files/mit/kadm5.acl
@@ -0,0 +1 @@
+test/wallet@EYRIE.ORG admci wallet/*@EYRIE.ORG
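Review bot: The ACL entry on the one added line names principals in the EYRIE.ORG realm, while the kdc.conf and krb5.conf added in this same commit define only MIT.TEST. Unless the CI setup script (not visible in this diff, which is limited to ci/files) rewrites the realm, kadmind would not match a `test/wallet@MIT.TEST` client against this line. The admin operations would then be denied and the tests depending on them would probably fail or be skipped. I would either change the line to `test/wallet@MIT.TEST admci wallet/*@MIT.TEST` or add a `#` comment above it saying where the realm gets substituted. The grant is scoped to the `wallet/*` target pattern, which is worth keeping as is.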
diff --git a/ci/files/mit/kdc.conf b/ci/files/mit/kdc.conf
new file mode 100644
index 0000000..7bf4e6a
--- /dev/null
+++ b/ci/files/mit/kdc.conf
@@ -0,0 +1,19 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true
+
+[realms]
+ MIT.TEST = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = /var/lib/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /var/lib/krb5kdc/stash
+ max_life = 1d 1h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = aes256-cts
+ supported_enctypes = aes256-cts:normal
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
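Review bot: In `[kdcdefaults]`, `kdc_ports = 88` and `kdc_tcp_ports = 88` make the KDC listen on the wildcard address, although krb5.conf in this commit only ever points clients at 127.0.0.1. A throwaway test KDC, presumably with test principals whose keys or passwords are fixed by the CI scripts, does not need to be reachable from the CI network. If the MIT krb5 on the CI image is 1.15 or later, I would bind it to loopback instead with `kdc_listen = 127.0.0.1:88` and `kdc_tcp_listen = 127.0.0.1:88`. A short `#` header comment saying that this file is for CI only, and that the stash file and PKINIT key paths it references hold generated test material, would also help anyone tempted to copy it.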
diff --git a/ci/files/mit/krb5.conf b/ci/files/mit/krb5.conf
new file mode 100644
index 0000000..9b0d5ab
--- /dev/null
+++ b/ci/files/mit/krb5.conf
@@ -0,0 +1,19 @@
+[libdefaults]
+ default_realm = MIT.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ MIT.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
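Review bot: The `[logging]` section sends both `kdc` and `default` to `SYSLOG:NOTICE`, which may go nowhere on a CI runner or container that has no syslog daemon. That would leave nothing to inspect when a preauth, PKINIT or ACL failure breaks a test. I would log to a file the CI job can print on failure, for example `kdc = FILE:/var/log/krb5kdc.log` (path is an illustration, not from this repository), and keep `default` consistent with it. The disabled DNS lookups and `rdns = false` in `[libdefaults]` look right for a loopback-only realm.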