authorRuss Allbery <eagle@eyrie.org>2020-05-17 19:01:47 -0700
committerRuss Allbery <eagle@eyrie.org>2020-05-17 19:03:55 -0700
commite1714fffa69f30aacf44ccd3be8bd60c3bc1e8c4 (patch)
treece829624a97060d9b71e88dbbedb558d42f290e9 /ci
parentb45efd7ab0b9b77d048566d4441e91e4d85e1757 (diff)
Add Heimdal CI testing
Set up a Heimdal KDC and add Heimdal to the test matrix. Remove some unnecessary configuration from the MIT Kerberos CI configuration. Ensure the user programs are installed for whatever Kerberos we're using, which will enable more of the Perl test suite.
Diffstat (limited to 'ci')
-rw-r--r--ci/files/heimdal/heimdal-kdc9
-rw-r--r--ci/files/heimdal/kadmind.acl1
-rw-r--r--ci/files/heimdal/kdc.conf22
-rw-r--r--ci/files/heimdal/krb5.conf18
-rw-r--r--ci/files/mit/kdc.conf7
-rw-r--r--ci/files/mit/krb5.conf1
-rwxr-xr-xci/kdc-setup-heimdal85
-rwxr-xr-xci/kdc-setup-mit4
8 files changed, 139 insertions, 8 deletions
diff --git a/ci/files/heimdal/heimdal-kdc b/ci/files/heimdal/heimdal-kdc
new file mode 100644
index 0000000..d781463
--- /dev/null
+++ b/ci/files/heimdal/heimdal-kdc
@@ -0,0 +1,9 @@
+# Heimdal KDC init script setup. -*- sh -*-
+
+# KDC configuration.
+KDC_ENABLED=yes
+KDC_PARAMS='--config-file=/etc/heimdal-kdc/kdc.conf'
+
+# kpasswdd configuration.
+KPASSWDD_ENABLED=yes
+KPASSWDD_PARAMS='-r HEIMDAL.TEST'
diff --git a/ci/files/heimdal/kadmind.acl b/ci/files/heimdal/kadmind.acl
new file mode 100644
index 0000000..2f4a084
--- /dev/null
+++ b/ci/files/heimdal/kadmind.acl
@@ -0,0 +1 @@
+test/wallet@HEIMDAL.TEST all,get-keys wallet/*@HEIMDAL.TEST
diff --git a/ci/files/heimdal/kdc.conf b/ci/files/heimdal/kdc.conf
new file mode 100644
index 0000000..bd00dcd
--- /dev/null
+++ b/ci/files/heimdal/kdc.conf
@@ -0,0 +1,22 @@
+# Heimdal KDC configuration. -*- conf -*-
+
+[kadmin]
+ default_keys = aes256-cts-hmac-sha1-96:pw-salt
+
+[kdc]
+ acl_file = /etc/heimdal-kdc/kadmind.acl
+ check-ticket-addresses = false
+ logging = SYSLOG:NOTICE
+ ports = 88
+
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+
+[realms]
+ HEIMDAL.TEST.EYRIE.ORG = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ }
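Review bot: The `[realms]` stanza in this file is named `HEIMDAL.TEST.EYRIE.ORG`, which does not match the `default_realm = HEIMDAL.TEST` set a few lines above nor the realm used in `ci/files/heimdal/krb5.conf`, `kadmind.acl` and every `kadmin` command in `ci/kdc-setup-heimdal`, so the KDC addresses here are defined for a realm nothing in the CI setup refers to; it looks like a leftover from a non-test configuration. The stanza should read `HEIMDAL.TEST = {`. Because the setup script administers the database locally with `kadmin -l` and the client side reads `/etc/krb5.conf`, the mismatch may not break the current tests, which would explain why it has gone unnoticed, but it will mislead anyone debugging realm resolution on the KDC side.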
diff --git a/ci/files/heimdal/krb5.conf b/ci/files/heimdal/krb5.conf
new file mode 100644
index 0000000..65dc71e
--- /dev/null
+++ b/ci/files/heimdal/krb5.conf
@@ -0,0 +1,18 @@
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ HEIMDAL.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
diff --git a/ci/files/mit/kdc.conf b/ci/files/mit/kdc.conf
index 7bf4e6a..09e6795 100644
--- a/ci/files/mit/kdc.conf
+++ b/ci/files/mit/kdc.conf
@@ -1,7 +1,6 @@
[kdcdefaults]
- kdc_ports = 88
- kdc_tcp_ports = 88
- restrict_anonymous_to_tgt = true
+ kdc_ports = 88
+ kdc_tcp_ports = 88
[realms]
MIT.TEST = {
@@ -14,6 +13,4 @@
master_key_type = aes256-cts
supported_enctypes = aes256-cts:normal
default_principal_flags = +preauth
- pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
- pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
}
diff --git a/ci/files/mit/krb5.conf b/ci/files/mit/krb5.conf
index 9b0d5ab..37816a2 100644
--- a/ci/files/mit/krb5.conf
+++ b/ci/files/mit/krb5.conf
@@ -11,7 +11,6 @@
kdc = 127.0.0.1
master_kdc = 127.0.0.1
admin_server = 127.0.0.1
- pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
}
[logging]
diff --git a/ci/kdc-setup-heimdal b/ci/kdc-setup-heimdal
new file mode 100755
index 0000000..e393fc9
--- /dev/null
+++ b/ci/kdc-setup-heimdal
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# Build a Kerberos test realm for Heimdal.
+#
+# This script automates the process of setting up a Kerberos test realm from
+# scratch suitable for testing pam-krb5. It is primarily intended to be run
+# from inside CI in a VM or container from the top of the wallet source tree,
+# and must be run as root. It expects to be operating on the Debian Heimdal
+# package.
+#
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: MIT
+
+set -eux
+
+# Install the KDC and user programs.
+apt-get install heimdal-clients heimdal-kdc
+
+# Install its configuration files.
+cp ci/files/heimdal/heimdal-kdc /etc/default/heimdal-kdc
+cp ci/files/heimdal/kadmind.acl /etc/heimdal-kdc/kadmind.acl
+cp ci/files/heimdal/kdc.conf /etc/heimdal-kdc/kdc.conf
+cp ci/files/heimdal/krb5.conf /etc/krb5.conf
+
+# Some versions of heimdal-kdc require this.
+ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl
+
+# Add domain-realm mappings for the local host, since otherwise Heimdal and
+# MIT Kerberos may attempt to discover the realm of the local domain, and the
+# DNS server for GitHub Actions has a habit of just not responding and causing
+# the test to hang.
+cat <<EOF >>/etc/krb5.conf
+[domain_realm]
+ $(hostname -f) = HEIMDAL.TEST
+EOF
+cat <<EOF >>/etc/heimdal-kdc/kdc.conf
+[domain_realm]
+ $(hostname -f) = HEIMDAL.TEST
+EOF
+
+# Create the basic KDC.
+kstash --random-key
+kadmin -l init --realm-max-ticket-life='1 day 1 hour' \
+ --realm-max-renewable-life='1 week' HEIMDAL.TEST
+
+# Set default principal policies.
+kadmin -l modify --attributes=requires-pre-auth,disallow-svr \
+ default@HEIMDAL.TEST
+
+# Create and store the keytab.
+kadmin -l add -r --use-defaults --attributes=requires-pre-auth \
+ test/wallet@HEIMDAL.TEST
+kadmin -l ext_keytab -k tests/config/keytab test/wallet@HEIMDAL.TEST
+echo 'test/wallet@HEIMDAL.TEST' >tests/config/principal
+
+# Create a user principal with a known password.
+password="iceedKaicVevjunwiwyd"
+kadmin -l add --use-defaults --password="$password" testuser@HEIMDAL.TEST
+echo 'testuser@HEIMDAL.TEST' >tests/config/password
+echo "$password" >>tests/config/password
+
+# Copy some of those files to the Perl test suite.
+cp tests/config/keytab perl/t/data/test.keytab
+cp tests/config/principal perl/t/data/test.principal
+echo 'HEIMDAL.TEST' >perl/t/data/test.realm
+echo 'Heimdal' >perl/t/data/test.krbtype
+
+# Fix permissions on all the newly-created files.
+chmod 644 tests/config/* perl/t/data/test.*
+
+# Restart the Heimdal KDC and services.
+systemctl stop heimdal-kdc
+systemctl start heimdal-kdc
+
+# Ensure that the KDC is running.
+for n in $(seq 1 5); do
+ if echo "$password" \
+ | kinit --password-file=STDIN testuser@HEIMDAL.TEST; then
+ break
+ fi
+ sleep 1
+done
+klist
+kdestroy
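Review bot: The `$(hostname -f)` inside the two here-documents (`cat <<EOF >>/etc/krb5.conf` and `cat <<EOF >>/etc/heimdal-kdc/kdc.conf`) is not covered by `set -e`: a command substitution that fails inside a heredoc does not stop the script, so an unresolvable hostname — the very DNS problem the comment above the block describes — would silently append a `[domain_realm]` entry with an empty left-hand side to both files. Capturing the value once beforehand, `fqdn=$(hostname -f)`, makes that failure abort the run and guarantees both files get the same name. The header comment also still says the realm is "suitable for testing pam-krb5" while the script is documented as running from the top of the wallet source tree; `# scratch suitable for testing wallet.` matches the rest of the header. Separately, when all five `kinit` attempts in the final loop fail, execution simply falls through to `klist`, which then fails with a credential-cache error rather than saying the KDC never came up; tracking success in the loop and exiting with a message when it never occurs would make the CI failure self-explanatory.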
diff --git a/ci/kdc-setup-mit b/ci/kdc-setup-mit
index d4bd820..396362f 100755
--- a/ci/kdc-setup-mit
+++ b/ci/kdc-setup-mit
@@ -14,8 +14,8 @@
set -eux
-# Install the KDC.
-apt-get install krb5-admin-server krb5-kdc
+# Install the KDC and user programs.
+apt-get install krb5-admin-server krb5-kdc krb5-user
# Install its configuration files.
cp ci/files/mit/kadm5.acl /etc/krb5kdc/kadm5.acl