From 47203873c0fc284b69a6c5c8d709e90d69554637 Mon Sep 17 00:00:00 2001
From: Russ Allbery
Date: Sun, 17 May 2020 18:34:33 -0700
Subject: Configure Kerberos tests for CI

Install a full MIT Kerberos KDC when running CI tests with the MIT library and generate the files required to run the full test suite.
---
 ci/files/mit/kadm5.acl | 1 +
 ci/files/mit/kdc.conf | 19 +++++++++++++++++++
 ci/files/mit/krb5.conf | 19 +++++++++++++++++++
 3 files changed, 39 insertions(+)
 create mode 100644 ci/files/mit/kadm5.acl
 create mode 100644 ci/files/mit/kdc.conf
 create mode 100644 ci/files/mit/krb5.conf

(limited to 'ci/files')

diff --git a/ci/files/mit/kadm5.acl b/ci/files/mit/kadm5.acl
new file mode 100644
index 0000000..fa14eae
--- /dev/null
+++ b/ci/files/mit/kadm5.acl
@@ -0,0 +1 @@
+test/wallet@EYRIE.ORG admci wallet/*@EYRIE.ORG
diff --git a/ci/files/mit/kdc.conf b/ci/files/mit/kdc.conf
new file mode 100644
index 0000000..7bf4e6a
--- /dev/null
+++ b/ci/files/mit/kdc.conf
@@ -0,0 +1,19 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ restrict_anonymous_to_tgt = true
+
+[realms]
+ MIT.TEST = {
+ database_name = /var/lib/krb5kdc/principal
+ admin_keytab = /var/lib/krb5kdc/kadm5.keytab
+ acl_file = /etc/krb5kdc/kadm5.acl
+ key_stash_file = /var/lib/krb5kdc/stash
+ max_life = 1d 1h 0m 0s
+ max_renewable_life = 7d 0h 0m 0s
+ master_key_type = aes256-cts
+ supported_enctypes = aes256-cts:normal
+ default_principal_flags = +preauth
+ pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
diff --git a/ci/files/mit/krb5.conf b/ci/files/mit/krb5.conf
new file mode 100644
index 0000000..9b0d5ab
--- /dev/null
+++ b/ci/files/mit/krb5.conf
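Review bot: The single entry added in ci/files/mit/kadm5.acl names the realm EYRIE.ORG, while the kdc.conf and krb5.conf added by the same commit define only MIT.TEST and make it the default realm. Unless the CI setup script (not part of this diff) rewrites the realm, kadmind will match no MIT.TEST principal against this line, so the test principal would hold no admin rights and the kadmin-dependent tests would presumably fail or be skipped. The line should read `test/wallet@MIT.TEST admci wallet/*@MIT.TEST`. Keeping the target pattern restricted to `wallet/*` is worth preserving, because it limits which principals the test identity can add, delete or rekey.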
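Review bot: In ci/files/mit/kdc.conf, `kdc_ports = 88` and `kdc_tcp_ports = 88` under `[kdcdefaults]` make krb5kdc listen on the wildcard address, although the krb5.conf in this commit only ever contacts 127.0.0.1. The realm presumably holds only throwaway test keys, but on a shared or self-hosted runner there is no reason to expose the KDC to other hosts. If the MIT release in the CI image is 1.15 or later, `kdc_listen = 127.0.0.1:88` and `kdc_tcp_listen = 127.0.0.1:88` would bind it to loopback. A leading comment such as `# Test-only KDC configuration for CI; the PKINIT certificates and stash file are created by the CI setup script.` would also help, since the files named by `pkinit_identity`, `pkinit_anchors` and `key_stash_file` are not created in this diff.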
@@ -0,0 +1,19 @@
+[libdefaults]
+ default_realm = MIT.TEST
+ dns_lookup_kdc = false
+ dns_lookup_realm = false
+ rdns = false
+ renew_lifetime = 7d
+ ticket_lifetime = 25h
+
+[realms]
+ MIT.TEST = {
+ kdc = 127.0.0.1
+ master_kdc = 127.0.0.1
+ admin_server = 127.0.0.1
+ pkinit_anchors = FILE:/etc/krb5kdc/cacert.pem
+ }
+
+[logging]
+ kdc = SYSLOG:NOTICE
+ default = SYSLOG:NOTICE
--
cgit v1.2.3
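Review bot: The `[logging]` section at the end of ci/files/mit/krb5.conf sends both `kdc` and `default` to `SYSLOG:NOTICE`, which in a CI container often means the messages end up nowhere a failed job can show. Whether the image runs a syslog daemon is not visible here. Preauthentication failures and KDC or kadmind startup errors are the first thing needed when a Kerberos test fails, so a file destination that the job can print or archive would serve better. For example, `kdc = FILE:/var/log/krb5kdc.log` and `default = FILE:/var/log/krb5lib.log` (example paths, adjust to the CI layout).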