author | Russ Allbery <eagle@eyrie.org> | 2014-01-06 21:09:00 -0800 |
---|---|---|
committer | Russ Allbery <rra@stanford.edu> | 2014-01-06 21:13:33 -0800 |
commit | 782e71d568957e05233f63fa8dca7cc53ba1afa1 (patch) | |
tree | d8372803edd356cf7b18d5a9020215215b1b4b2b /tests/client | |
parent | 0cc453bcfb8fc4b5cf7378fa8d6496f7d6f6efc3 (diff) |
Fix wallet-rekey on keytabs containing multiple principals
Fix wallet-rekey on keytabs containing multiple principals. Previous
versions assumed one could concatenate keytab files together to make a
valid keytab file, which doesn't work with some Kerberos libraries.
This caused new keys downloaded for principals after the first to be
discarded. As a side effect of this fix, wallet-rekey always appends
new keys directly to the existing keytab file, and never creates a
backup copy of that file.
Change-Id: I5f863239ce4ebba66b35ff09454f2897367bd359
Reviewed-on: https://gerrit.stanford.edu/1369
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'tests/client')
-rw-r--r-- | tests/client/rekey-t.in | 18 |
1 files changed, 7 insertions, 11 deletions
diff --git a/tests/client/rekey-t.in b/tests/client/rekey-t.in index 0cfcb5d..c6d0e41 100644 --- a/tests/client/rekey-t.in +++ b/tests/client/rekey-t.in @@ -45,7 +45,7 @@ elif [ -z '@REMCTLD@' ] ; then rm krb5.conf skip_all 'No remctld found' else - plan 9 + plan 8 fi remctld_start '@REMCTLD@' "$SOURCE/data/basic.conf" wallet="$BUILD/../client/wallet-rekey" 
@@ -68,31 +68,27 @@ ok '...and the keytab was untouched' cmp keytab data/fake-keytab-foreign rm -f keytab # Rekeying a keytab where we can't retrieve the principal should produce an -# error message and abort when it's the first principal. +# error message. cp data/fake-keytab-unknown keytab ok_program 'unknown wallet-rekey' 1 \ 'wallet: Unknown keytab service/real-keytab wallet: error rekeying for principal service/real-keytab -wallet: aborting, keytab unchanged' \ +wallet: no rekeyable principals found' \ "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab ok '...and the keytab was untouched' cmp keytab data/fake-keytab-unknown rm -f keytab -# Rekeying a keytab where we can't retrieve a later principal should leave the -# original keytab as keytab.old and store, in the new keytab, only the things -# that it was able to rekey. +# Rekeying a keytab where we can't retrieve a later principal should add the +# things we were able to download and produce a warning. cp data/fake-keytab-partial keytab ok_program 'partial wallet-rekey' 1 \ 'wallet: Unknown keytab service/real-keytab -wallet: error rekeying for principal service/real-keytab -wallet: partial failure to rekey keytab keytab, old keytab left in keytab.old'\ +wallet: error rekeying for principal service/real-keytab'\ "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab ktutil_list keytab klist-seen ktutil_list data/fake-keytab-partial-result klist-good ok '...and the rekeyed keytab is correct' cmp klist-seen klist-good -ok '...and the backup keytab is correct' \ - cmp keytab.old data/fake-keytab-partial -rm -f keytab keytab.old klist-seen klist-good +rm -f keytab klist-seen klist-good # Clean up. rm -f autocreated krb5.conf |
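Review bot: In the partial-rekey case of the second hunk, the `cmp keytab.old data/fake-keytab-partial` check is removed, but nothing replaces it with an assertion of the new behaviour, namely that no `keytab.old` is created. Since the commit message says wallet-rekey now appends directly to the existing keytab and never makes a backup, the test should pin that down, for example with `ok '...and no backup keytab was created' test ! -f keytab.old`, which would also keep the count at `plan 9`. The cleanup line no longer removes `keytab.old` either, so a regression that reintroduces the backup would pass unnoticed and leave a stale file with key material in the test directory. It would also help to update the comment above the case to say explicitly that the keytab is modified in place on partial failure, because the expected output no longer carries a final message telling the operator that the file was changed.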