
update testenv

Jonathan Turner 8 years ago
9c082c32fc

+ 1 - 0
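--- a/.travis.yml
+++ b/.travis.yml
@@ -29,6 +29,7 @@ before_install:
   - docker run -d -h kdc.test.gokrb5 -v /etc/localtime:/etc/localtime:ro -p 78:88 -p 78:88/udp --name krb5kdc-old jcmturner/gokrb5:kdc-older
   - docker run -d -h kdc.test.gokrb5 -v /etc/localtime:/etc/localtime:ro -p 98:88 -p 98:88/udp --name krb5kdc-latest jcmturner/gokrb5:kdc-latest
   - docker run -d -h kdc.resdom.gokrb5 -v /etc/localtime:/etc/localtime:ro -p 188:88 -p 188:88/udp --name krb5kdc-resdom jcmturner/gokrb5:kdc-resdom
+  - docker run -d -h kdc.test.gokrb5 -v /etc/localtime:/etc/localtime:ro -p 58:88 -p 58:88/udp --name krb5kdc-shorttickets jcmturner/gokrb5:kdc-shorttickets
   - docker run -d --add-host host.test.gokrb5:127.0.0.88 -v /etc/localtime:/etc/localtime:ro -p 80:80 -p 443:443 --name gokrb5-http jcmturner/gokrb5:http
 
 before_script: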

+ 1 - 1
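--- a/client/client_integration_test.go
+++ b/client/client_integration_test.go
@@ -711,7 +711,7 @@ func TestClient_AutoRenew_Goroutine_Count(t *testing.T) {
 	b, _ := hex.DecodeString(testdata.TESTUSER1_KEYTAB)
 	kt, _ := keytab.Parse(b)
 	c, _ := config.NewConfigFromString(testdata.TEST_KRB5CONF)
-	c.Realms[0].KDC = []string{addr + ":" + testdata.TEST_KDC}
+	c.Realms[0].KDC = []string{addr + ":" + testdata.TEST_KDC_SHORTTICKETS}
 	cl := NewClientWithKeytab("testuser1", "TEST.GOKRB5", kt)
 	cl.WithConfig(c)
 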

+ 1 - 0
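--- a/testdata/test_vectors.go
+++ b/testdata/test_vectors.go
@@ -131,6 +131,7 @@ const (
 	TEST_KDC_LASTEST              = "98"
 	TEST_KDC_RESDOM               = "188"
 	TEST_KDC_OLD                  = "78"
+	TEST_KDC_SHORTTICKETS         = "58"
 	TEST_KDC_BADADDR              = "10.80.88.153"
 	TEST_KDC_AD                   = "10.80.88.68:88"
 	TEST_KDC_AD_TRUST_USER_DOMAIN = "10.80.88.48:88"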

+ 22 - 0
testenv/docker/krb5kdc-shorttickets/Dockerfile

@@ -0,0 +1,22 @@
+FROM centos:latest
+MAINTAINER Jonathan Turner <jt@jtnet.co.uk>
+
+EXPOSE 88
+EXPOSE 464
+ENTRYPOINT ["/opt/krb5/bin/start.sh"]
+
+RUN yum install -y \
+  krb5-server \
+  tcpdump krb5-workstation vim \
+ && yum update -y && yum clean all
+
+ADD krb5.conf /etc/krb5.conf
+ADD kdc.conf /var/kerberos/krb5kdc/kdc.conf
+ADD kadm5.acl /var/kerberos/krb5kdc/kadm5.acl
+ADD krb5kdc-init.sh /opt/krb5/bin/krb5kdc-init.sh
+ADD start.sh /opt/krb5/bin/start.sh
+RUN mkdir -p /opt/krb5/log && \
+  mkdir -p /var/log/kerberos && \
+  chmod 744 /opt/krb5/bin/start.sh && \
+  /bin/bash /opt/krb5/bin/krb5kdc-init.sh && \
+  ln -sf /dev/stdout /var/log/krb5kdc.log
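Review bot: `FROM centos:latest` on the first line combined with `yum update -y` inside the install `RUN` makes the image content depend on the day it is built, so the short-lifetime behaviour this KDC exists to reproduce can drift between CI runs; pin the base to a release tag (and ideally a digest) and drop the in-image upgrade, e.g. `FROM centos:7`. `MAINTAINER` is deprecated in favour of `LABEL maintainer="Jonathan Turner <jt@jtnet.co.uk>"`, and the five `ADD` lines copy plain local files, where `COPY` is the conventional instruction with no archive-extraction or URL side behaviour. The final `RUN` executes `krb5kdc-init.sh` at build time, so the realm's master key, stash file and every principal key land in a published image layer; that is acceptable for a throw-away test KDC (the README says as much) but deserves a comment above that `RUN`, e.g. `# Realm DB, stash and principal keys are created at build time and shipped in the image: test realm only, never reuse`. The image also runs every process as root with `tcpdump` and `vim` installed, which is fine for a debugging test fixture but worth stating in the same comment so nobody copies the file as a template.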

+ 16 - 0
testenv/docker/krb5kdc-shorttickets/README.md

@@ -0,0 +1,16 @@
+# KDC Intergation Test Instance for TEST.GOKRB5
+
+DO NOT USE THIS CONTAINER FOR ANY PRODUCTION USE!!!
+
+To run:
+```bash
+docker run -v /etc/localtime:/etc/localtime:ro -p 58:88 -p 58:88/udp --rm --name gokrb5-kdc-shorttickets jcmturner/gokrb5:kdc-shorttickets &
+```
+
+To build:
+```bash
+docker build -t jcmturner/gokrb5:kdc-shorttickets --force-rm=true --rm=true .
+docker push jcmturner/gokrb5:kdc-shorttickets
+```
+
+

+ 4 - 0
testenv/docker/krb5kdc-shorttickets/kadm5.acl

@@ -0,0 +1,4 @@
+testuser1@TEST.GOKRB5	*
+*/admin@TEST.GOKRB5	*
+*/*@TEST.GOKRB5		i
+*@TEST.GOKRB5		i

+ 14 - 0
testenv/docker/krb5kdc-shorttickets/kdc.conf

@@ -0,0 +1,14 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+
+[realms]
+ TEST.GOKRB5 = {
+  master_key_type = aes256-cts-hmac-sha1-96
+  max_life = 20s
+  max_renewable_life = 55s
+  acl_file = /var/kerberos/krb5kdc/kadm5.acl
+  dict_file = /usr/share/dict/words
+  admin_keytab = /opt/krb5/data/kadm5.keytab
+  supported_enctypes = aes128-cts-hmac-sha1-96:normal aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha256-128:normal aes256-cts-hmac-sha384-192:normal des3-cbc-sha1-kd:normal rc4-hmac:normal
+ }
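Review bot: `supported_enctypes` lists `des3-cbc-sha1-kd:normal` and `rc4-hmac:normal` alongside the AES types; presumably this is deliberate so the client library's handling of those legacy enctypes is exercised by the integration tests, but nothing in the file says so. A comment above that line, e.g. `# des3/rc4 kept on purpose: integration tests cover legacy enctype negotiation`, would stop a future cleanup from silently dropping test coverage, and would make clear that this list is a test-fixture choice rather than a recommended KDC configuration. Likewise `max_life = 20s` / `max_renewable_life = 55s` are the whole reason this image exists and are the values the auto-renew test depends on, so a one-line comment tying them to `TestClient_AutoRenew_Goroutine_Count` would help.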

+ 32 - 0
testenv/docker/krb5kdc-shorttickets/krb5.conf

@@ -0,0 +1,32 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+
+[libdefaults]
+  default_realm = TEST.GOKRB5
+  dns_lookup_realm = false
+  dns_lookup_kdc = false
+  ticket_lifetime = 24h
+  forwardable = yes
+
+[realms]
+ TEST.GOKRB5 = {
+  kdc = 127.0.0.1:88
+  admin_server = 127.0.0.1:749
+  default_domain = test.gokrb5
+ }
+
+[domain_realm]
+ .test.gokrb5 = TEST.GOKRB5
+ test.gokrb5 = TEST.GOKRB5
+
+[appdefaults]
+ pam = {
+   debug = false
+   ticket_lifetime = 36000
+   renew_lifetime = 36000
+   forwardable = true
+   krb4_convert = false
+ }
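Review bot: `ticket_lifetime = 24h` under `[libdefaults]` reads as if this realm issues day-long tickets, while the sibling `kdc.conf` in this directory caps `max_life` at `20s` and the KDC clamps any requested lifetime to its own maximum, so clients of this image actually receive 20-second tickets; a comment on that line would save the next reader a detour, e.g. `# Requested lifetime only; kdc.conf max_life = 20s caps what this KDC issues`. The `[appdefaults] pam` block (including `krb4_convert`) looks carried over from the other KDC images rather than used by anything in this container; if that is the case it could be dropped, otherwise a comment on what consumes it would help.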

+ 52 - 0
testenv/docker/krb5kdc-shorttickets/krb5kdc-init.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+
+REALM=TEST.GOKRB5
+DOMAIN=test.gokrb5
+SERVER_HOST=kdc.test.gokrb5
+ADMIN_USERNAME=adminuser
+HOST_PRINCIPALS="kdc.test.gokrb5 host.test.gokrb5"
+SPNs="HTTP/host.test.gokrb5"
+
+create_entropy() {
+   while true
+   do
+     sleep $(( ( RANDOM % 10 )  + 1 ))
+     echo "Generating Entropy... $RANDOM"
+   done
+}
+
+create_entropy &
+ENTROPY_PID=$!
+
+
+  echo "Kerberos initialisation required. Creating database for ${REALM} ..."
+  echo "This can take a long time if there is little entropy. A process has been started to create some."
+  MASTER_PASSWORD=$(echo $RANDOM$RANDOM$RANDOM | md5sum | awk '{print $1}')
+  /usr/sbin/kdb5_util create -r ${REALM} -s -P ${MASTER_PASSWORD}
+  kill -9 ${ENTROPY_PID}
+  echo "Kerberos database created."
+  /usr/sbin/kadmin.local -q "add_principal -randkey ${ADMIN_USERNAME}/admin"
+  echo "Kerberos admin user created: ${ADMIN_USERNAME} To update password: sudo /usr/sbin/kadmin.local -q \"change_password ${ADMIN_USERNAME}/admin\""
+
+  KEYTAB_DIR="/keytabs"
+  mkdir -p $KEYTAB_DIR
+
+  if [ ! -z "${HOST_PRINCIPALS}" ]; then
+    for host in ${HOST_PRINCIPALS}
+    do
+      /usr/sbin/kadmin.local -q "add_principal -pw hostpasswordvalue -kvno 1 host/$host"
+      echo "Created host principal host/$host"
+    done
+  fi
+
+  /usr/sbin/kadmin.local -q "add_principal -pw spnpasswordvalue -kvno 1 HTTP/host.test.gokrb5"
+
+  /usr/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser1"
+  /usr/sbin/kadmin.local -q "add_principal +requires_preauth -pw passwordvalue -kvno 1 testuser2"
+  /usr/sbin/kadmin.local -q "add_principal -pw passwordvalue -kvno 1 testuser3"
+
+  # Set up trust
+  /usr/sbin/kadmin.local -q "add_principal -requires_preauth -pw trustpasswd -kvno 1 krbtgt/TEST.GOKRB5@RESDOM.GOKRB5"
+  /usr/sbin/kadmin.local -q "add_principal -requires_preauth -pw trustpasswd -kvno 1 krbtgt/RESDOM.GOKRB5@TEST.GOKRB5"
+
+  echo "Kerberos initialisation complete"
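Review bot: The script sets no `set -e`, so if `/usr/sbin/kdb5_util create` or any of the `kadmin.local` calls fails, the `RUN` step in the accompanying Dockerfile still succeeds and ships a KDC with a missing or partial realm, which only surfaces later as confusing integration-test failures; add `set -e` (or `set -eo pipefail`) directly after the shebang so the build stops at the broken step. `SPNs`, `DOMAIN` and `SERVER_HOST` are assigned but never read (the HTTP SPN is hard-coded on the `add_principal … HTTP/host.test.gokrb5` line), and everything from the first `echo` onward is indented by two spaces as if inside a conditional that no longer exists, which suggests it was lifted from a script with an initialisation guard; either loop over `${SPNs}` the way `HOST_PRINCIPALS` is handled or delete the unused variables, and dedent the block. A header comment stating that the fixed passwords (`passwordvalue`, `hostpasswordvalue`, `spnpasswordvalue`, `trustpasswd`) are test-vector values that the Go tests depend on would also explain why they are literals rather than generated.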

+ 4 - 0
testenv/docker/krb5kdc-shorttickets/start.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+/usr/sbin/kadmind &
+/usr/sbin/krb5kdc -n
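Review bot: `/usr/sbin/krb5kdc -n` on the last line runs as a child of the bash script that the Dockerfile's `ENTRYPOINT` starts as PID 1, and bash as PID 1 neither acts on nor forwards `SIGTERM`, so `docker stop` on this container waits for the full timeout and then `SIGKILL`s everything; change the last line to `exec /usr/sbin/krb5kdc -n` so the KDC itself becomes PID 1 and receives the stop signal. `/usr/sbin/kadmind &` is backgrounded with no supervision, so if it exits the container keeps running without the admin/kpasswd service it serves on the exposed port 464 and nothing notices; if it is only needed because a test changes passwords, a comment saying so would help, and otherwise it may not need to be started at all since the init script uses `kadmin.local`.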

+ 2 - 2
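--- a/testenv/docker/krb5kdc/kdc.conf
+++ b/testenv/docker/krb5kdc/kdc.conf
@@ -5,8 +5,8 @@
 [realms]
  TEST.GOKRB5 = {
   master_key_type = aes256-cts-hmac-sha1-96
-  max_life = 20s
-  max_renewable_life = 55s
+  max_life = 12h 0m 0s
+  max_renewable_life = 7d 0h 0m 0s
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab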

+ 2 - 2
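--- a/testenv/krb5kdc-vagrant/kdc.conf
+++ b/testenv/krb5kdc-vagrant/kdc.conf
@@ -5,8 +5,8 @@
 [realms]
  __REALM__ = {
   master_key_type = aes256-cts-hmac-sha1-96
-  max_life = 1h
-  max_renewable_life = 5h
+  max_life = 12h 0m 0s
+  max_renewable_life = 7d 0h 0m 0s
   acl_file = /var/kerberos/krb5kdc/kadm5.acl
   dict_file = /usr/share/dict/words
   admin_keytab = /opt/krb5/data/kadm5.keytab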