
testenv

Jonathan Turner há 8 anos atrás
pai
commit
3b1435f16b

+ 2 - 0
testdata/test_vectors.go

@@ -185,6 +185,8 @@ const (
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes
+  default_tkt_enctypes = aes256-cts-hmac-sha1-96
+  default_tgs_enctypes = aes256-cts-hmac-sha1-96
 
 [realms]
  TEST.GOKRB5 = {

+ 2 - 3
testenv/docker/krb5kdc-latest/kdc.conf

@@ -4,12 +4,11 @@
 
 [realms]
  TEST.GOKRB5 = {
-  master_key_type = aes256-cts
+  master_key_type = aes256-cts-hmac-sha1-96
   max_life = 12h 0m 0s
   max_renewable_life = 7d 0h 0m 0s
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab
-  supported_enctypes = des3-cbc-sha1-kd:normal aes128-sha2:normal aes256-sha2:normal aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+  supported_enctypes = aes128-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha384-192:normal des3-cbc-sha1-kd:normal rc4-hmac:normal
  }
-
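Review bot: The new `supported_enctypes` still lists `des3-cbc-sha1-kd` and `rc4-hmac`, so every principal the init scripts in this commit create with `-pw` also gets a DES3 and an RC4 key, and an rc4-hmac key is an unsalted hash of the password, which makes any captured ticket for the dictionary-word test passwords trivially crackable. That may be deliberate for legacy-enctype client tests, but the file does not say so; a line above it such as `# des3/rc4 kept only so the client tests can exercise legacy enctypes - never copy this list to a real KDC` would stop it being cargo-culted. `aes128-cts-hmac-sha1-96` is also now listed ahead of `aes256-cts-hmac-sha1-96`; if ordering matters for the krb5 build in this container (not verified here), the 256-bit types should come first.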

+ 2 - 8
testenv/docker/krb5kdc-latest/krb5kdc-init.sh

@@ -27,7 +27,7 @@ ENTROPY_PID=$!
   /usr/local/sbin/kadmin.local -q "add_principal -randkey ${ADMIN_USERNAME}/admin"
   echo "Kerberos admin user created: ${ADMIN_USERNAME} To update password: sudo /usr/sbin/kadmin.local -q \"change_password ${ADMIN_USERNAME}/admin\""
 
-  KEYTAB_DIR="/opt/krb5/data/keytabs"
+  KEYTAB_DIR="/keytabs"
   mkdir -p $KEYTAB_DIR
 
   if [ ! -z "${HOST_PRINCIPALS}" ]; then
@@ -38,13 +38,7 @@ ENTROPY_PID=$!
     done
   fi
 
-  if [ ! -z "${SPNs}" ]; then
-    for service in ${SPNs}
-    do
-      /usr/local/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 ${service}"
-      echo "Created principal for service $service"
-    done
-  fi
+  /usr/local/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5"
 
   /usr/local/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser1"
   /usr/local/sbin/kadmin.local -q "add_principal +requires_preauth -pw passwordvalue -kvno 1 testuser2"
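Review bot: `mkdir -p $KEYTAB_DIR` now creates `/keytabs` at the container root with whatever the umask gives and an unquoted variable; `mkdir -p -m 700 "$KEYTAB_DIR"` keeps any keytab later written there from being world-readable. The hard-coded `add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5` replaces the `SPNs` loop while `HOST_PRINCIPALS` stays environment-driven, so the two are now inconsistent. The `-pw`/`-kvno 1` pairing looks intentional, since the commit also checks in a binary `http.testtab` that presumably has to match this password-derived key at kvno 1, so a comment such as `# password and kvno must match the checked-in http.testtab; do not switch to -randkey` would protect it. The enclosing block starts before the hunk.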

+ 3 - 4
testenv/docker/krb5kdc-older/kdc.conf

@@ -4,12 +4,11 @@
 
 [realms]
  TEST.GOKRB5 = {
-  master_key_type = aes256-cts
+  master_key_type = aes256-cts-hmac-sha1-96
   max_life = 12h 0m 0s
   max_renewable_life = 7d 0h 0m 0s
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab
-  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
- }
-
+  supported_enctypes = aes128-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:normal des3-cbc-sha1-kd:normal rc4-hmac:normal
+ }
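Review bot: This `supported_enctypes` omits the `aes*-sha2` types that the `krb5kdc-latest` kdc.conf in the same commit lists, and keeps `des3-cbc-sha1-kd` and `rc4-hmac`, but nothing records why the two files differ. A comment above the line, e.g. `# no aes*-sha2 types: not available in this older krb5 release; des3/rc4 kept only for legacy-enctype client tests`, turns the divergence into a documented decision instead of drift. Both legacy types produce keys for the dictionary-word test passwords the init script sets, which is acceptable for a throwaway container but worth stating.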

+ 2 - 8
testenv/docker/krb5kdc-older/krb5kdc-init.sh

@@ -27,7 +27,7 @@ ENTROPY_PID=$!
   /usr/local/sbin/kadmin.local -q "add_principal -randkey ${ADMIN_USERNAME}/admin"
   echo "Kerberos admin user created: ${ADMIN_USERNAME} To update password: sudo /usr/sbin/kadmin.local -q \"change_password ${ADMIN_USERNAME}/admin\""
 
-  KEYTAB_DIR="/opt/krb5/data/keytabs"
+  KEYTAB_DIR="/keytabs"
   mkdir -p $KEYTAB_DIR
 
   if [ ! -z "${HOST_PRINCIPALS}" ]; then
@@ -38,13 +38,7 @@ ENTROPY_PID=$!
     done
   fi
 
-  if [ ! -z "${SPNs}" ]; then
-    for service in ${SPNs}
-    do
-      /usr/local/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 ${service}"
-      echo "Created principal for service $service"
-    done
-  fi
+  /usr/local/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5"
 
   /usr/local/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser1"
   /usr/local/sbin/kadmin.local -q "add_principal +requires_preauth -pw passwordvalue -kvno 1 testuser2"
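Review bot: The replacement `add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5` carries an implicit contract with the binary `http.testtab` this commit checks in (a password-derived key at kvno 1), and nothing in the script says so; `# -pw and -kvno 1 keep the key in sync with the committed http.testtab` above the line would prevent a well-meaning switch to `-randkey`. `mkdir -p $KEYTAB_DIR` at the new `/keytabs` location sets no mode and leaves the variable unquoted; `mkdir -p -m 700 "$KEYTAB_DIR"` is the safer form for a directory meant to hold key material. The enclosing block starts before the hunk.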

+ 2 - 3
testenv/docker/krb5kdc/kdc.conf

@@ -4,12 +4,11 @@
 
 [realms]
  TEST.GOKRB5 = {
-  master_key_type = aes256-cts
+  master_key_type = aes256-cts-hmac-sha1-96
   max_life = 12h 0m 0s
   max_renewable_life = 7d 0h 0m 0s
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab
-  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-cbc-sha1-kd:normal aes128-sha2:normal aes256-sha2:normal arcfour-hmac:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+  supported_enctypes = aes128-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha384-192:normal des3-cbc-sha1-kd:normal rc4-hmac:normal
  }
-
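Review bot: The rewritten `supported_enctypes` removes the duplicated `arcfour-hmac` and the single-DES types, which is good, but it still retains `rc4-hmac` and `des3-cbc-sha1-kd`, so the test principals created with `-pw` in the init script get crackable legacy keys alongside AES. If those types are only there so the client test-suite can exercise them, say so in the file: `# rc4-hmac/des3 retained for legacy-enctype client tests only`. Without that comment the list reads as a recommended KDC configuration, which it is not.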

+ 2 - 8
testenv/docker/krb5kdc/krb5kdc-init.sh

@@ -28,7 +28,7 @@ ENTROPY_PID=$!
   /usr/sbin/kadmin.local -q "add_principal -randkey ${ADMIN_USERNAME}/admin"
   echo "Kerberos admin user created: ${ADMIN_USERNAME} To update password: sudo /usr/sbin/kadmin.local -q \"change_password ${ADMIN_USERNAME}/admin\""
 
-  KEYTAB_DIR="/opt/krb5/data/keytabs"
+  KEYTAB_DIR="/keytabs"
   mkdir -p $KEYTAB_DIR
 
   if [ ! -z "${HOST_PRINCIPALS}" ]; then
@@ -39,13 +39,7 @@ ENTROPY_PID=$!
     done
   fi
 
-  if [ ! -z "${SPNs}" ]; then
-    for service in ${SPNs}
-    do
-      /usr/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 ${service}"
-      echo "Created principal for service $service"
-    done
-  fi
+  /usr/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5"
 
   /usr/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser1"
   /usr/sbin/kadmin.local -q "add_principal +requires_preauth -pw passwordvalue -kvno 1 testuser2"
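Review bot: `KEYTAB_DIR` now points at `/keytabs` but `mkdir -p $KEYTAB_DIR` still sets no mode and leaves the variable unquoted; use `mkdir -p -m 700 "$KEYTAB_DIR"` so a keytab written there is not readable by every user in the container. The new hard-coded `add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5` drops the `SPNs` variable while `HOST_PRINCIPALS` above remains configurable, which is inconsistent; if the SPN must be fixed because the checked-in `http.testtab` encodes this exact principal, password and kvno, a comment saying `# fixed principal/password/kvno: must match the committed http.testtab` would explain both decisions at once. The enclosing block starts before the hunk.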

BIN
testenv/docker/krbhttp/http.testtab


BIN
testenv/http.testtab


+ 2 - 13
testenv/krb5kdc-vagrant/kdc-setup.sh

@@ -6,8 +6,6 @@ DOMAIN=test.gokrb5
 SERVER_HOST=kdc.test.gokrb5
 ADMIN_USERNAME=adminuser
 HOST_PRINCIPALS="kdc.test.gokrb5 host.test.gokrb5"
-SPNs="HTTP/host.test.gokrb5"
-KEYTABS="http.testtab!0:48!HTTP/host.test.gokrb5"
 
 cp /vagrant/krb5.conf /etc/krb5.conf
 cp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf-old
@@ -39,27 +37,18 @@ create_entropy &
   /usr/sbin/kadmin.local -q "add_principal -randkey ${ADMIN_USERNAME}/admin"
   echo "Kerberos admin user created: ${ADMIN_USERNAME} To update password: sudo /usr/sbin/kadmin.local -q \"change_password ${ADMIN_USERNAME}/admin\""
 
-  KEYTAB_DIR="/opt/krb5/data/keytabs"
+  KEYTAB_DIR="/keytabs"
   mkdir -p $KEYTAB_DIR
 
   if [ ! -z "${HOST_PRINCIPALS}" ]; then
     for host in ${HOST_PRINCIPALS}
     do
       /usr/sbin/kadmin.local -q "add_principal -pw hostpasswordvalue -kvno 1 host/$host"
-      #/usr/sbin/kadmin.local -q "ktadd -k ${KEYTAB_DIR}/${host}.keytab host/$host"
-      #chmod 600 ${KEYTAB_DIR}/${host}.keytab
       echo "Created host principal host/$host"
     done
   fi
 
-  if [ ! -z "${SPNs}" ]; then
-    for service in ${SPNs}
-    do
-      /usr/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 ${service}"
-      #/usr/sbin/kadmin.local -q "cpw -pw passwordvalue ${service}"
-      echo "Created principal for service $service"
-    done
-  fi
+  /usr/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5"
 
   /usr/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser1"
   /usr/sbin/kadmin.local -q "add_principal +requires_preauth -pw passwordvalue -kvno 1 testuser2"
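Review bot: The first hunk deletes `KEYTABS="http.testtab!0:48!HTTP/host.test.gokrb5"` and this hunk deletes the commented `ktadd`/`chmod 600` lines that went with it, so the script no longer records how the repo's `http.testtab` is produced or that keytabs must be kept 0600. Suggest `mkdir -p -m 700 "$KEYTAB_DIR"` in place of `mkdir -p $KEYTAB_DIR`, and a comment on the new `add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5` line: `# -pw/-kvno 1 must match testenv/http.testtab; do not change to -randkey`. The enclosing block starts before the hunk.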

+ 2 - 2
testenv/krb5kdc-vagrant/kdc.conf

@@ -4,11 +4,11 @@
 
 [realms]
  __REALM__ = {
-  master_key_type = aes256-cts
+  master_key_type = aes256-cts-hmac-sha1-96
   max_life = 12h 0m 0s
   max_renewable_life = 7d 0h 0m 0s
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab
-  supported_enctypes = des3-cbc-sha1-kd:normal aes128-sha2:normal aes256-sha2:normal aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+  supported_enctypes = aes128-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha384-192:normal des3-cbc-sha1-kd:normal rc4-hmac:normal
  }
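Review bot: `master_key_type = aes256-cts-hmac-sha1-96` is, to my knowledge, the canonical name of the enctype that `aes256-cts` aliased, so no master-key or stash regeneration should be needed, but a one-line comment saying that would save the next reader a check. More importantly, this file is a template for an arbitrary `__REALM__`, yet `supported_enctypes` keeps `des3-cbc-sha1-kd` and `rc4-hmac`; if the template is ever reused outside the test environment those two should go. A comment such as `# des3/rc4 are for legacy-enctype client tests only` would mark them as test-specific.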

+ 2 - 0
testenv/krbclient-vagrant/krb5.conf

@@ -10,6 +10,8 @@
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   forwardable = yes
+  default_tkt_enctypes = aes256-cts-hmac-sha1-96
+  default_tgs_enctypes = aes256-cts-hmac-sha1-96
 
 [realms]
  TEST.GOKRB5 = {
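Review bot: `default_tkt_enctypes` and `default_tgs_enctypes` only control which enctypes the client asks the KDC for; they do not restrict what it accepts, and narrowing the request to a single type means the AS/TGS exchange fails outright if the KDC or service principal has no aes256-cts-hmac-sha1-96 key. If the goal is to force AES end-to-end, `permitted_enctypes = aes256-cts-hmac-sha1-96` is the setting that also constrains acceptance; if the goal is just to pin the enctype the test vectors expect, a comment such as `# pinned so the client tests see a known enctype` above the two lines records that.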

BIN
testenv/krbhttp-vagrant/http.testtab


+ 5 - 22
testenv/latest-krb5kdc-vagrant/kdc-setup.sh

@@ -7,9 +7,6 @@ DOMAIN=test.gokrb5
 SERVER_HOST=kdc.test.gokrb5
 ADMIN_USERNAME=adminuser
 HOST_PRINCIPALS="kdc.test.gokrb5 host.test.gokrb5"
-SPNs="HTTP/host.test.gokrb5"
-KEYTABS="http.testtab!0:48!HTTP/host.test.gokrb5"
-INITIAL_USERS="testuser1 testuser2 testuser3"
 
 cp /vagrant/krb5.conf /etc/krb5.conf
 cp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf-old
@@ -41,36 +38,22 @@ create_entropy &
   /usr/local/sbin/kadmin.local -q "add_principal -randkey ${ADMIN_USERNAME}/admin"
   echo "Kerberos admin user created: ${ADMIN_USERNAME} To update password: sudo /usr/local/sbin/kadmin.local -q \"change_password ${ADMIN_USERNAME}/admin\""
 
-  KEYTAB_DIR="/opt/krb5/data/keytabs"
+  KEYTAB_DIR="/keytabs"
   mkdir -p $KEYTAB_DIR
 
   if [ ! -z "${HOST_PRINCIPALS}" ]; then
     for host in ${HOST_PRINCIPALS}
     do
       /usr/local/sbin/kadmin.local -q "add_principal -pw hostpasswordvalue -kvno 1 host/$host"
-      #/usr/sbin/kadmin.local -q "ktadd -k ${KEYTAB_DIR}/${host}.keytab host/$host"
-      #chmod 600 ${KEYTAB_DIR}/${host}.keytab
       echo "Created host principal host/$host"
     done
   fi
 
-  if [ ! -z "${SPNs}" ]; then
-    for service in ${SPNs}
-    do
-      /usr/local/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 ${service}"
-      #/usr/sbin/kadmin.local -q "cpw -pw passwordvalue ${service}"
-      echo "Created principal for service $service"
-    done
-  fi
+  /usr/local/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5"
 
-  if [ ! -z "$INITIAL_USERS" ]; then
-    for user in $INITIAL_USERS
-    do
-      /usr/local/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 $user"
-      #/usr/sbin/kadmin.local -q "ktadd -k ${KEYTAB_DIR}/${user}.testtab $user"
-      echo "User $user added to kerberos database. To update password: sudo /usr/local/sbin/kadmin.local -q \"change_password $user\""
-    done
-  fi
+  /usr/local/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser1"
+  /usr/local/sbin/kadmin.local -q "add_principal +requires_preauth -pw passwordvalue -kvno 1 testuser2"
+  /usr/local/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser3"
 
   echo "Kerberos initialisation complete"
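Review bot: testuser2 is now created with `+requires_preauth` whereas the removed `INITIAL_USERS` loop created all three users identically, so an AS-REQ without pre-authentication for testuser2 will now be rejected; that is a behavioural change the commit title `testenv` does not mention and should be annotated, e.g. `# testuser2 requires pre-auth so the client tests cover both AS-REQ paths`. The loop replacement also drops the per-user "To update password" echo, which is harmless. `mkdir -p $KEYTAB_DIR` should become `mkdir -p -m 700 "$KEYTAB_DIR"` now that it creates a top-level `/keytabs`. The enclosing block starts before the hunk.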
 

+ 2 - 2
testenv/latest-krb5kdc-vagrant/kdc.conf

@@ -4,11 +4,11 @@
 
 [realms]
  __REALM__ = {
-  master_key_type = aes256-cts
+  master_key_type = aes256-cts-hmac-sha1-96
   max_life = 12h 0m 0s
   max_renewable_life = 7d 0h 0m 0s
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab
-  supported_enctypes = des3-cbc-sha1-kd:normal aes128-sha2:normal aes256-sha2:normal aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+  supported_enctypes = aes128-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha384-192:normal des3-cbc-sha1-kd:normal rc4-hmac:normal
  }
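Review bot: The new `supported_enctypes` puts `aes128-cts-hmac-sha1-96` first and keeps `des3-cbc-sha1-kd` and `rc4-hmac` at the end; if the KDC build honours list order when choosing among a principal's keys (not verified here), the 256-bit types belong first, and the two legacy types should carry a comment explaining they exist only for client compatibility tests, e.g. `# des3/rc4: legacy-enctype client tests only - remove for any non-test realm`. This file is templated on `__REALM__`, so the warning matters more than in the fixed-realm docker copies.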

+ 2 - 1
testenv/mit-krb5kdc/bootstrap.sh

@@ -6,7 +6,7 @@ setenforce 0
 sed -i "s/SELINUX=enforcing/SELINUX=permissive/g" /etc/sysconfig/selinux
 
 yum update -y && yum clean all
-yum install -y tcpdump ntp docker net-tools
+yum install -y tcpdump ntp docker net-tools krb5-workstation vim
 
 systemctl stop firewalld
 systemctl disable firewalld
@@ -24,6 +24,7 @@ net.ipv6.conf.default.disable_ipv6 = 1
 net.ipv6.conf.lo.disable_ipv6 = 1
 EOF
 
+cp /vagrant/krb5.conf /etc/krb5.conf
 cp /vagrant/*.service /etc/systemd/system/
 systemctl enable krb5kdc krb5kdc-latest krb5kdc-older httpd
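Review bot: The new `cp /vagrant/krb5.conf /etc/krb5.conf` overwrites the `/etc/krb5.conf` that the `krb5-workstation` package added in the first hunk installs, and nothing in the script says that is intended. A comment above the line, `# replace the package default with the test-realm krb5.conf from the vagrant share`, makes the ordering dependency between the two hunks explicit.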
 

+ 34 - 0
testenv/mit-krb5kdc/krb5.conf

@@ -0,0 +1,34 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+
+[libdefaults]
+  default_realm = TEST.GOKRB5
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+  ticket_lifetime = 24h
+  forwardable = yes
+  default_tkt_enctypes = aes256-cts-hmac-sha1-96
+  default_tgs_enctypes = aes256-cts-hmac-sha1-96
+
+[realms]
+ TEST.GOKRB5 = {
+  kdc = 10.80.88.88:88
+  admin_server = 10.80.88.88:749
+  default_domain = test.gokrb5
+ }
+
+[domain_realm]
+ .test.com = TEST.GOKRB5
+ test.com = TEST.GOKRB5
+
+[appdefaults]
+ pam = {
+   debug = false
+   ticket_lifetime = 36000
+   renew_lifetime = 36000
+   forwardable = true
+   krb4_convert = false
+ }
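Review bot: The `[domain_realm]` block maps `.test.com` and `test.com` to TEST.GOKRB5, but the realm's `default_domain` is `test.gokrb5` and every host principal in this commit lives under `.test.gokrb5` (`host.test.gokrb5`, `kdc.test.gokrb5`); `test.com` is somebody else's public domain and the entries look like a leftover template. Hosts resolve only because `default_realm` catches everything unmapped, so the lines should read `.test.gokrb5 = TEST.GOKRB5` and `test.gokrb5 = TEST.GOKRB5`. Two style points: `forwardable = yes` in `[libdefaults]` versus `forwardable = true` in `[appdefaults]` mixes boolean spellings, and `krb4_convert` is a Kerberos 4 relic that can simply be dropped.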

+ 7 - 22
testenv/older-krb5kdc-vagrant/kdc-setup.sh

@@ -7,9 +7,6 @@ DOMAIN=test.gokrb5
 SERVER_HOST=kdc.test.gokrb5
 ADMIN_USERNAME=adminuser
 HOST_PRINCIPALS="kdc.test.gokrb5 host.test.gokrb5"
-SPNs="HTTP/host.test.gokrb5"
-KEYTABS="http.testtab!0:48!HTTP/host.test.gokrb5"
-INITIAL_USERS="testuser1 testuser2 testuser3"
 
 cp /vagrant/krb5.conf /etc/krb5.conf
 cp /var/kerberos/krb5kdc/kdc.conf /var/kerberos/krb5kdc/kdc.conf-old
@@ -41,36 +38,24 @@ create_entropy &
   /usr/local/sbin/kadmin.local -q "add_principal -randkey ${ADMIN_USERNAME}/admin"
   echo "Kerberos admin user created: ${ADMIN_USERNAME} To update password: sudo /usr/local/sbin/kadmin.local -q \"change_password ${ADMIN_USERNAME}/admin\""
 
-  KEYTAB_DIR="/opt/krb5/data/keytabs"
+  KEYTAB_DIR="/keytabs"
   mkdir -p $KEYTAB_DIR
 
   if [ ! -z "${HOST_PRINCIPALS}" ]; then
     for host in ${HOST_PRINCIPALS}
     do
       /usr/local/sbin/kadmin.local -q "add_principal -pw hostpasswordvalue -kvno 1 host/$host"
-      #/usr/sbin/kadmin.local -q "ktadd -k ${KEYTAB_DIR}/${host}.keytab host/$host"
-      #chmod 600 ${KEYTAB_DIR}/${host}.keytab
+      #/usr/local/sbin/kadmin.local -q "ktadd -norandkey -k ${KEYTAB_DIR}/${host}.testtab host/$host"
       echo "Created host principal host/$host"
     done
   fi
 
-  if [ ! -z "${SPNs}" ]; then
-    for service in ${SPNs}
-    do
-      /usr/local/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 ${service}"
-      #/usr/sbin/kadmin.local -q "cpw -pw passwordvalue ${service}"
-      echo "Created principal for service $service"
-    done
-  fi
+  /usr/local/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5"
+  #/usr/local/sbin/kadmin.local -q "ktadd -norandkey -k ${KEYTAB_DIR}/http.testtab HTTP/host.test.gokrb5"
 
-  if [ ! -z "$INITIAL_USERS" ]; then
-    for user in $INITIAL_USERS
-    do
-      /usr/local/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 $user"
-      #/usr/sbin/kadmin.local -q "ktadd -k ${KEYTAB_DIR}/${user}.testtab $user"
-      echo "User $user added to kerberos database. To update password: sudo /usr/local/sbin/kadmin.local -q \"change_password $user\""
-    done
-  fi
+  /usr/local/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser1"
+  /usr/local/sbin/kadmin.local -q "add_principal +requires_preauth -pw passwordvalue -kvno 1 testuser2"
+  /usr/local/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser3"
 
   echo "Kerberos initialisation complete"
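Review bot: The two commented-out `ktadd -norandkey` lines are the only record in this commit of how the checked-in `http.testtab` is produced, and they are left as dead code with no explanation. Replace them with a real comment, e.g. `# the committed http.testtab was generated with ktadd -norandkey; -norandkey keeps the -pw key and kvno 1, a plain ktadd would randomise the key and bump the kvno, breaking the keytab`. As in the other setup scripts, `mkdir -p $KEYTAB_DIR` should be `mkdir -p -m 700 "$KEYTAB_DIR"`. The enclosing block starts before the hunk.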
 

+ 3 - 3
testenv/older-krb5kdc-vagrant/kdc.conf

@@ -4,11 +4,11 @@
 
 [realms]
  __REALM__ = {
-  master_key_type = aes256-cts
+  master_key_type = aes256-cts-hmac-sha1-96
   max_life = 12h 0m 0s
   max_renewable_life = 7d 0h 0m 0s
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab
-  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
- }
+  supported_enctypes = aes128-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:normal des3-cbc-sha1-kd:normal rc4-hmac:normal
+ }
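Review bot: This older-KDC `supported_enctypes` diverges from the latest-KDC template by dropping the `aes*-sha2` types, and both variants keep `des3-cbc-sha1-kd` and `rc4-hmac`, yet neither file explains the difference or the retention. A comment above the line, e.g. `# no aes*-sha2 here: unsupported by this krb5 release; des3/rc4 only for legacy-enctype client tests`, would make both facts explicit. Since this template is parameterised on `__REALM__`, it is worth also warning that the legacy types must not be carried into any non-test realm.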