| author | Russ Allbery <eagle@eyrie.org> | 2014-01-06 21:09:00 -0800 | 
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2014-01-06 21:13:33 -0800 | 
| commit | 782e71d568957e05233f63fa8dca7cc53ba1afa1 (patch) | |
| tree | d8372803edd356cf7b18d5a9020215215b1b4b2b /tests | |
| parent | 0cc453bcfb8fc4b5cf7378fa8d6496f7d6f6efc3 (diff) | |
Fix wallet-rekey on keytabs containing multiple principals
Fix wallet-rekey on keytabs containing multiple principals.  Previous
versions assumed one could concatenate keytab files together to make a
valid keytab file, which doesn't work with some Kerberos libraries.
This caused new keys downloaded for principals after the first to be
discarded.  As a side effect of this fix, wallet-rekey always appends
new keys directly to the existing keytab file, and never creates a
backup copy of that file.
Change-Id: I5f863239ce4ebba66b35ff09454f2897367bd359
Reviewed-on: https://gerrit.stanford.edu/1369
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/client/rekey-t.in | 18 | 
1 files changed, 7 insertions, 11 deletions
| diff --git a/tests/client/rekey-t.in b/tests/client/rekey-t.in index 0cfcb5d..c6d0e41 100644 --- a/tests/client/rekey-t.in +++ b/tests/client/rekey-t.in @@ -45,7 +45,7 @@ elif [ -z '@REMCTLD@' ] ; then      rm krb5.conf      skip_all 'No remctld found'  else -    plan 9 +    plan 8  fi  remctld_start '@REMCTLD@' "$SOURCE/data/basic.conf"  wallet="$BUILD/../client/wallet-rekey" 
@@ -68,31 +68,27 @@ ok '...and the keytab was untouched' cmp keytab data/fake-keytab-foreign  rm -f keytab  # Rekeying a keytab where we can't retrieve the principal should produce an -# error message and abort when it's the first principal. +# error message.  cp data/fake-keytab-unknown keytab  ok_program 'unknown wallet-rekey' 1 \  'wallet: Unknown keytab service/real-keytab  wallet: error rekeying for principal service/real-keytab -wallet: aborting, keytab unchanged' \ +wallet: no rekeyable principals found' \      "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab  ok '...and the keytab was untouched' cmp keytab data/fake-keytab-unknown  rm -f keytab -# Rekeying a keytab where we can't retrieve a later principal should leave the -# original keytab as keytab.old and store, in the new keytab, only the things -# that it was able to rekey. +# Rekeying a keytab where we can't retrieve a later principal should add the +# things we were able to download and produce a warning.  cp data/fake-keytab-partial keytab  ok_program 'partial wallet-rekey' 1 \  'wallet: Unknown keytab service/real-keytab -wallet: error rekeying for principal service/real-keytab -wallet: partial failure to rekey keytab keytab, old keytab left in keytab.old'\ +wallet: error rekeying for principal service/real-keytab'\      "$wallet" -k "$principal" -p 14373 -s localhost -c fake-wallet keytab  ktutil_list keytab klist-seen  ktutil_list data/fake-keytab-partial-result klist-good  ok '...and the rekeyed keytab is correct' cmp klist-seen klist-good -ok '...and the backup keytab is correct' \ -    cmp keytab.old data/fake-keytab-partial -rm -f keytab keytab.old klist-seen klist-good +rm -f keytab klist-seen klist-good  # Clean up.  rm -f autocreated krb5.conf | 
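Review bot: In the partial-rekey case at the end of the second hunk, the `cmp keytab.old data/fake-keytab-partial` check is removed but nothing now asserts that `keytab.old` is absent, so the behavior stated in the commit message (wallet-rekey never creates a backup copy) is not pinned by any test. Consider replacing the removed check with something like `ok '...and no backup keytab was created' test ! -f keytab.old`, which would keep the count at `plan 9` in the first hunk. It would also be worth leaving `keytab.old` in the final `rm -f` of that case, so that a regression which recreates the file does not leave it behind in the build directory for later runs. The unknown-principal case has the same gap: it only asserts `cmp keytab data/fake-keytab-unknown`.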
