diff options
Diffstat (limited to 'ci/kdc-setup-mit')
| -rwxr-xr-x | ci/kdc-setup-mit | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/ci/kdc-setup-mit b/ci/kdc-setup-mit new file mode 100755 index 0000000..d4bd820 --- /dev/null +++ b/ci/kdc-setup-mit @@ -0,0 +1,70 @@ +#!/bin/sh +# +# Build a Kerberos test realm for MIT Kerberos +# +# This script automates the process of setting up a Kerberos test realm from +# scratch suitable for testing pam-krb5. It is primarily intended to be run +# from inside CI in a VM or container from the top of the wallet source tree, +# and must be run as root. It expects to be operating on the Debian MIT +# Kerberos package. +# +# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org> +# +# SPDX-License-Identifier: MIT + +set -eux + +# Install the KDC. +apt-get install krb5-admin-server krb5-kdc + +# Install its configuration files. +cp ci/files/mit/kadm5.acl /etc/krb5kdc/kadm5.acl +cp ci/files/mit/kdc.conf /etc/krb5kdc/kdc.conf +cp ci/files/mit/krb5.conf /etc/krb5.conf + +# Add domain-realm mappings for the local host, since otherwise Heimdal and +# MIT Kerberos may attempt to discover the realm of the local domain, and the +# DNS server for GitHub Actions has a habit of just not responding and causing +# the test to hang. +cat <<EOF >>/etc/krb5.conf +[domain_realm] + $(hostname -f) = MIT.TEST +EOF + +# Create the basic KDC. +kdb5_util create -s -P 'this is a test master database password' + +# Create and store the keytab. +kadmin.local -q 'add_principal +requires_preauth -randkey test/wallet@MIT.TEST' +kadmin.local -q 'ktadd -k tests/config/keytab test/wallet@MIT.TEST' +echo 'test/wallet@MIT.TEST' >tests/config/principal + +# Create a user principal with a known password. +password="iceedKaicVevjunwiwyd" +kadmin.local -q \ + "add_principal +requires_preauth -pw $password testuser@MIT.TEST" +echo 'testuser@MIT.TEST' >tests/config/password +echo "$password" >>tests/config/password + +# Copy some of those files to the Perl test suite. +cp tests/config/keytab perl/t/data/test.keytab +cp tests/config/principal perl/t/data/test.principal +echo 'MIT.TEST' >perl/t/data/test.realm +echo 'MIT' >perl/t/data/test.krbtype + +# Fix permissions on all the newly-created files. +chmod 644 tests/config/* perl/t/data/test.* + +# Restart the MIT Kerberos KDC and services. +systemctl stop krb5-kdc krb5-admin-server +systemctl start krb5-kdc krb5-admin-server + +# Ensure that the KDC is running. +for n in $(seq 1 5); do + if echo "$password" | kinit testuser@MIT.TEST; then + break + fi + sleep 1 +done +klist +kdestroy |