-rw-r--r--.github/workflows/build.yaml4
-rw-r--r--ci/files/heimdal/heimdal-kdc9
-rw-r--r--ci/files/heimdal/kadmind.acl1
-rw-r--r--ci/files/heimdal/kdc.conf22
-rw-r--r--ci/files/heimdal/krb5.conf18
-rw-r--r--ci/files/mit/kdc.conf7
-rw-r--r--ci/files/mit/krb5.conf1
-rwxr-xr-xci/kdc-setup-heimdal85
-rwxr-xr-xci/kdc-setup-mit4
9 files changed, 143 insertions, 8 deletions
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 737860c..1904201 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -28,6 +28,7 @@ jobs:
- "gcc"
kerberos:
- "mit"
+ - "heimdal"
steps:
- uses: actions/checkout@v2
@@ -36,6 +37,9 @@ jobs:
- name: kdc-setup-mit
run: sudo ci/kdc-setup-mit
if: matrix.kerberos == 'mit'
+ - name: kdc-setup-heimdal
+ run: sudo ci/kdc-setup-heimdal
+ if: matrix.kerberos == 'heimdal'
- name: test
run: ci/test
env:
diff --git a/ci/files/heimdal/heimdal-kdc b/ci/files/heimdal/heimdal-kdc
new file mode 100644
index 0000000..d781463
--- /dev/null
+++ b/ci/files/heimdal/heimdal-kdc
@@ -0,0 +1,9 @@
+# Heimdal KDC init script setup. -*- sh -*-
+
+# KDC configuration.
+KDC_ENABLED=yes
+KDC_PARAMS='--config-file=/etc/heimdal-kdc/kdc.conf'
+
+# kpasswdd configuration.
+KPASSWDD_ENABLED=yes
+KPASSWDD_PARAMS='-r HEIMDAL.TEST'
diff --git a/ci/files/heimdal/kadmind.acl b/ci/files/heimdal/kadmind.acl
new file mode 100644
index 0000000..2f4a084
--- /dev/null
+++ b/ci/files/heimdal/kadmind.acl
@@ -0,0 +1 @@
+test/wallet@HEIMDAL.TEST all,get-keys wallet/*@HEIMDAL.TEST
diff --git a/ci/files/heimdal/kdc.conf b/ci/files/heimdal/kdc.conf
new file mode 100644
index 0000000..bd00dcd
--- /dev/null
+++ b/ci/files/heimdal/kdc.conf
@@ -0,0 +1,22 @@
+# Heimdal KDC configuration. -*- conf -*-
+
+[kadmin]
+ default_keys = aes256-cts-hmac-sha1-96:pw-salt
+
+[kdc]
+ acl_file = /etc/heimdal-kdc/kadmind.acl
+ check-ticket-addresses = false
+ logging = SYSLOG:NOTICE
+ ports = 88
+
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+
+[realms]
+ HEIMDAL.TEST.EYRIE.ORG = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ }
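Review bot: The realm stanza `HEIMDAL.TEST.EYRIE.ORG = {` in the [realms] section does not match the realm the rest of this commit uses — `default_realm = HEIMDAL.TEST` a few lines above, `HEIMDAL.TEST = {` in ci/files/heimdal/krb5.conf, and every principal created by ci/kdc-setup-heimdal — so the kdc/master_kdc/admin_server addresses here are declared for a realm that is never created. The KDC presumably still finds itself through the matching stanza in /etc/krb5.conf, which would explain why the tests pass, but the stray name looks like a leftover from a copied template. It should read `HEIMDAL.TEST = {`.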
diff --git a/ci/files/heimdal/krb5.conf b/ci/files/heimdal/krb5.conf
new file mode 100644
index 0000000..65dc71e
--- /dev/null
+++ b/ci/files/heimdal/krb5.conf
@@ -0,0 +1,18 @@
+[libdefaults]
+ default_realm = HEIMDAL.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ HEIMDAL.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
diff --git a/ci/files/mit/kdc.conf b/ci/files/mit/kdc.conf
index 7bf4e6a..09e6795 100644
--- a/ci/files/mit/kdc.conf
+++ b/ci/files/mit/kdc.conf
@@ -1,7 +1,6 @@
[kdcdefaults]
- kdc_ports = 88
- kdc_tcp_ports = 88
- restrict_anonymous_to_tgt = true
+ kdc_ports = 88
+ kdc_tcp_ports = 88
[realms]
MIT.TEST = {
@@ -14,6 +13,4 @@
master_key_type = aes256-cts
supported_enctypes = aes256-cts:normal
default_principal_flags = +preauth
- pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
- pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
}
diff --git a/ci/files/mit/krb5.conf b/ci/files/mit/krb5.conf
index 9b0d5ab..37816a2 100644
--- a/ci/files/mit/krb5.conf
+++ b/ci/files/mit/krb5.conf
@@ -11,7 +11,6 @@
kdc = 127.0.0.1
master_kdc = 127.0.0.1
admin_server = 127.0.0.1
- pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
}
[logging]
diff --git a/ci/kdc-setup-heimdal b/ci/kdc-setup-heimdal
new file mode 100755
index 0000000..e393fc9
--- /dev/null
+++ b/ci/kdc-setup-heimdal
@@ -0,0 +1,85 @@
+#!/bin/sh
+#
+# Build a Kerberos test realm for Heimdal.
+#
+# This script automates the process of setting up a Kerberos test realm from
+# scratch suitable for testing pam-krb5. It is primarily intended to be run
+# from inside CI in a VM or container from the top of the wallet source tree,
+# and must be run as root. It expects to be operating on the Debian Heimdal
+# package.
+#
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: MIT
+
+set -eux
+
+# Install the KDC and user programs.
+apt-get install heimdal-clients heimdal-kdc
+
+# Install its configuration files.
+cp ci/files/heimdal/heimdal-kdc /etc/default/heimdal-kdc
+cp ci/files/heimdal/kadmind.acl /etc/heimdal-kdc/kadmind.acl
+cp ci/files/heimdal/kdc.conf /etc/heimdal-kdc/kdc.conf
+cp ci/files/heimdal/krb5.conf /etc/krb5.conf
+
+# Some versions of heimdal-kdc require this.
+ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl
+
+# Add domain-realm mappings for the local host, since otherwise Heimdal and
+# MIT Kerberos may attempt to discover the realm of the local domain, and the
+# DNS server for GitHub Actions has a habit of just not responding and causing
+# the test to hang.
+cat <<EOF >>/etc/krb5.conf
+[domain_realm]
+ $(hostname -f) = HEIMDAL.TEST
+EOF
+cat <<EOF >>/etc/heimdal-kdc/kdc.conf
+[domain_realm]
+ $(hostname -f) = HEIMDAL.TEST
+EOF
+
+# Create the basic KDC.
+kstash --random-key
+kadmin -l init --realm-max-ticket-life='1 day 1 hour' \
+ --realm-max-renewable-life='1 week' HEIMDAL.TEST
+
+# Set default principal policies.
+kadmin -l modify --attributes=requires-pre-auth,disallow-svr \
+ default@HEIMDAL.TEST
+
+# Create and store the keytab.
+kadmin -l add -r --use-defaults --attributes=requires-pre-auth \
+ test/wallet@HEIMDAL.TEST
+kadmin -l ext_keytab -k tests/config/keytab test/wallet@HEIMDAL.TEST
+echo 'test/wallet@HEIMDAL.TEST' >tests/config/principal
+
+# Create a user principal with a known password.
+password="iceedKaicVevjunwiwyd"
+kadmin -l add --use-defaults --password="$password" testuser@HEIMDAL.TEST
+echo 'testuser@HEIMDAL.TEST' >tests/config/password
+echo "$password" >>tests/config/password
+
+# Copy some of those files to the Perl test suite.
+cp tests/config/keytab perl/t/data/test.keytab
+cp tests/config/principal perl/t/data/test.principal
+echo 'HEIMDAL.TEST' >perl/t/data/test.realm
+echo 'Heimdal' >perl/t/data/test.krbtype
+
+# Fix permissions on all the newly-created files.
+chmod 644 tests/config/* perl/t/data/test.*
+
+# Restart the Heimdal KDC and services.
+systemctl stop heimdal-kdc
+systemctl start heimdal-kdc
+
+# Ensure that the KDC is running.
+for n in $(seq 1 5); do
+ if echo "$password" \
+ | kinit --password-file=STDIN testuser@HEIMDAL.TEST; then
+ break
+ fi
+ sleep 1
+done
+klist
+kdestroy
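Review bot: `chmod 644 tests/config/* perl/t/data/test.*` near the end leaves the extracted keytab and the cleartext test password world-readable without saying why; the reason is visible in the workflow (`ci/test` runs unprivileged while this script runs under sudo), so the comment above it should record that, e.g. `# The test suite runs as the unprivileged CI user, so it must be able to read the keytab and password file. This realm is throwaway CI state, so the exposure is intended.` The header comment also says the script is `suitable for testing pam-krb5` while the rest of the file and the principals it creates are for wallet; it should read `suitable for testing wallet`. The retry loop at the bottom never reports failure itself: if all five kinit attempts fail it falls through to `klist`, and the script presumably aborts only because `set -e` trips on klist's exit status, so an explicit `echo 'KDC did not start' >&2; exit 1` path after the loop would make the failure mode clearer in CI logs.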
diff --git a/ci/kdc-setup-mit b/ci/kdc-setup-mit
index d4bd820..396362f 100755
--- a/ci/kdc-setup-mit
+++ b/ci/kdc-setup-mit
@@ -14,8 +14,8 @@
set -eux
-# Install the KDC.
-apt-get install krb5-admin-server krb5-kdc
+# Install the KDC and user programs.
+apt-get install krb5-admin-server krb5-kdc krb5-user
# Install its configuration files.
cp ci/files/mit/kadm5.acl /etc/krb5kdc/kadm5.acl