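#!/bin/sh
#
# Build a Kerberos test realm for Heimdal.
#
# This script automates the process of setting up a Kerberos test realm from
# scratch suitable for testing pam-krb5.  It is primarily intended to be run
# from inside CI in a VM or container from the top of the pam-krb5 source
# tree, and must be run as root.  It expects to be operating on the Debian
# Heimdal package.
#
# Everything this script creates is a throwaway test fixture: the realm is
# HEIMDAL.TEST, the user principal's password is a fixed value that is also
# written in the clear to tests/config/password, and the extracted keytabs
# and PKINIT client certificate are made world-readable so the test suite can
# read them.  Because set -x is enabled, every command line (including the
# fixed test password) is echoed to the CI log.
#
# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
#
# SPDX-License-Identifier: MIT

# -e aborts on the first failing command, -u rejects unset variables, and -x
# traces every command so that a CI failure is easy to locate in the log.
set -eux

# Install the KDC.  -y suppresses the confirmation prompt, which would
# otherwise abort the install when stdin is not a terminal (as in CI).
apt-get install -y heimdal-kdc

# Install its configuration files.
cp ci/files/heimdal/heimdal-kdc /etc/default/heimdal-kdc
cp ci/files/heimdal/kadmind.acl /etc/heimdal-kdc/kadmind.acl
cp ci/files/heimdal/kdc.conf /etc/heimdal-kdc/kdc.conf
cp ci/files/heimdal/krb5.conf /etc/krb5.conf
cp ci/files/heimdal/pki-mapping /etc/heimdal-kdc/pki-mapping

# Some versions of heimdal-kdc require this.  -f replaces any existing file
# or stale link at that path instead of failing (and aborting under set -e).
ln -sf /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/kadmind.acl

# Add domain-realm mappings for the local host, since otherwise Heimdal and
# MIT Kerberos may attempt to discover the realm of the local domain, and the
# DNS server for GitHub Actions has a habit of just not responding and causing
# the test to hang.
cat <<EOF >>/etc/krb5.conf
[domain_realm]
    $(hostname -f) = HEIMDAL.TEST
EOF
cat <<EOF >>/etc/heimdal-kdc/kdc.conf
[domain_realm]
    $(hostname -f) = HEIMDAL.TEST
EOF

# Create the basic KDC: a random master key in the stash file, then the realm
# with its ticket lifetime limits.
kstash --random-key
kadmin -l init --realm-max-ticket-life='1 day 1 hour' \
    --realm-max-renewable-life='1 week' HEIMDAL.TEST

# Set default principal policies.  Every new principal requires
# preauthentication and cannot be used as a service unless overridden.
kadmin -l modify --attributes=requires-pre-auth,disallow-svr \
    default@HEIMDAL.TEST

# Create and store the keytabs.  -r gives each principal a random key, which
# is then extracted into a keytab under tests/config for the test suite.
kadmin -l add -r --use-defaults --attributes=requires-pre-auth \
    test/admin@HEIMDAL.TEST
kadmin -l ext_keytab -k tests/config/admin-keytab test/admin@HEIMDAL.TEST
kadmin -l add -r --use-defaults --attributes=requires-pre-auth \
    test/keytab@HEIMDAL.TEST
kadmin -l ext_keytab -k tests/config/keytab test/keytab@HEIMDAL.TEST

# Create a user principal with a known password.  This is a fixed fixture
# value, deliberately written to tests/config/password below and visible in
# the set -x trace; it protects nothing outside this test realm.
password="iceedKaicVevjunwiwyd"
kadmin -l add --use-defaults --password="$password" testuser@HEIMDAL.TEST
echo 'testuser@HEIMDAL.TEST' >tests/config/password
echo "$password" >>tests/config/password

# Create the root CA for PKINIT.
mkdir -p /etc/heimdal-kdc/ca
hxtool issue-certificate --self-signed --issue-ca --generate-key=rsa \
    --subject=CN=CA,DC=HEIMDAL,DC=TEST --lifetime=10years \
    --certificate=FILE:/etc/heimdal-kdc/ca/ca.pem
chmod 644 /etc/heimdal-kdc/ca/ca.pem

# Create the certificate for the Heimdal Kerberos KDC.
hxtool issue-certificate --ca-certificate=FILE:/etc/heimdal-kdc/ca/ca.pem \
    --generate-key=rsa --type=pkinit-kdc \
    --pk-init-principal=krbtgt/HEIMDAL.TEST@HEIMDAL.TEST \
    --subject=uid=kdc,DC=HEIMDAL,DC=TEST \
    --certificate=FILE:/etc/heimdal-kdc/kdc.pem
chmod 644 /etc/heimdal-kdc/kdc.pem

# Create the certificate for the Heimdal client.
hxtool issue-certificate --ca-certificate=FILE:/etc/heimdal-kdc/ca/ca.pem \
    --generate-key=rsa --type=pkinit-client \
    --pk-init-principal=testuser@HEIMDAL.TEST \
    --subject=UID=testuser,DC=HEIMDAL,DC=TEST \
    --certificate=FILE:tests/config/pkinit-cert
echo 'testuser@HEIMDAL.TEST' >tests/config/pkinit-principal

# Fix permissions on all the newly-created files.  The keytabs, password
# file, and client certificate are test fixtures that the (possibly
# unprivileged) test suite must be able to read.
chmod 644 tests/config/*

# Restart the Heimdal KDC and services.
systemctl stop heimdal-kdc
systemctl start heimdal-kdc

# Ensure that the KDC is running.  The service may not answer immediately
# after start, so retry kinit for a few seconds.  The password is passed on
# stdin rather than on the kinit command line.  Fail with a clear message if
# the KDC never responds instead of letting klist fail cryptically below.
kdc_ready=false
attempt=1
while [ "$attempt" -le 5 ]; do
    if echo "$password" \
        | kinit --password-file=STDIN testuser@HEIMDAL.TEST; then
        kdc_ready=true
        break
    fi
    attempt=$((attempt + 1))
    sleep 1
done
if [ "$kdc_ready" != true ]; then
    echo 'KDC did not answer kinit after 5 attempts' >&2
    exit 1
fi
klist
kdestroy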