From: Mark Andrews Date: Wed, 17 Aug 2022 01:13:41 +0000 (+1000) Subject: tsiggss: regenerate kerberos credentials X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48eb8487c432fb608947a7c588ee1b4e1de34eba;p=thirdparty%2Fbind9.git tsiggss: regenerate kerberos credentials The existing set of kerberos credential used deprecated algorithms which are not supported by some implementations in FIPS mode. Regenerate the saved credentials using more modern algorithms. Added tsiggss/krb/setup.sh which sets up a test KDC with the required principals for the system test to work. The tsiggss system test needs to be run once with this active and KRB5_CONFIG appropriately. set. See tsiggss/tests.sh for an example of how to do this. (cherry picked from commit 3da79d408f3dcbe040a29298fbe3f6d5f57b278d)
---
diff --git a/bin/tests/system/tsiggss/krb/setup.sh b/bin/tests/system/tsiggss/krb/setup.sh
new file mode 100644
index 00000000000..9d9d1cb7709
--- /dev/null
+++ b/bin/tests/system/tsiggss/krb/setup.sh
@@ -0,0 +1,103 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -x
+
+PWD=$(pwd)
+
+KRB5_CONFIG="${PWD}/krb5.conf"
+export KRB5_CONFIG
+
+KRB5_KDC_PROFILE=${PWD}/krb5kdc
+export KRB5_KDC_PROFILE
+
+now=$(date +%s)
+lifetime=$(2147483647 - now)
+lifetime=$(lifetime / 3600 / 24 - 30)
+
+cat <"${KRB5_CONFIG}"
+[libdefaults]
+ default_realm = EXAMPLE.NIL
+ dns_lookup_kdc = false
+ # Depending on what you are testing, you may want something like:
+ # default_keytab_name = FILE:/usr/local/var/keytab
+[realms]
+ EXAMPLE.NIL = {
+ admin_server = 127.0.0.1:50001
+ kdc = 127.0.0.1:50000
+ database_module = DB2
+ kdc_ports = 50000
+ kadmind_port = 50001
+ }
+[dbmodules]
+ DB2 = {
+ db_library = db2
+ }
+[logging]
+ # Use any pathnames you want here.
+ kdc = FILE:${PWD}/kdc.log
+ admin_server = FILE:${PWD}/kadmin.log
+# Depending on what you are testing, you may want:
+# [domain_realm]
+# your.domain = EXAMPLE.COM
+EOF
+
+rm -rf ${KRB5_KDC_PROFILE}
+mkdir -p ${KRB5_KDC_PROFILE}
+chmod 700 ${KRB5_KDC_PROFILE}
+
+cat <"${KRB5_KDC_PROFILE}"/kdc.conf
+[kdcdefaults]
+ kdc_ports = 50000
+ kdc_tcp_ports = 50000
+
+[realms]
+ EXAMPLE.NIL = {
+ key_stash_file = ${KRB5_KDC_PROFILE}/.k5.EXAMPLE.NIL
+ database_module = EXAMPLE.NIL
+ max_life = ${lifetime}d
+}
+
+[dbmodules]
+ EXAMPLE.NIL = {
+ db_library = db2
+ database_name = ${KRB5_KDC_PROFILE}/principal
+ }
+EOF
+
+kdb5_util create -s <