#!/bin/sh
#
# Build a Kerberos test realm for Heimdal.
#
# This script automates the process of setting up a Kerberos test realm from
# scratch suitable for testing pam-krb5.  It is primarily intended to be run
# from inside CI in a VM or container from the top of the pam-krb5 source
# tree, and must be run as root.  It expects to be operating on the Debian
# Heimdal package.
#
# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
#
# SPDX-License-Identifier: MIT

set -eux

# Names used throughout: the test realm, the KDC configuration directory, and
# the directory in the source tree where the test fixtures are written.
realm=HEIMDAL.TEST
kdc_etc=/etc/heimdal-kdc
config=tests/config

# Install the KDC.
apt-get install heimdal-kdc

# Install its configuration files.
cp ci/files/heimdal/heimdal-kdc /etc/default/heimdal-kdc
cp ci/files/heimdal/kadmind.acl "$kdc_etc/kadmind.acl"
cp ci/files/heimdal/kdc.conf "$kdc_etc/kdc.conf"
cp ci/files/heimdal/krb5.conf /etc/krb5.conf
cp ci/files/heimdal/pki-mapping "$kdc_etc/pki-mapping"

# Some versions of heimdal-kdc look for the ACL file here instead.
ln -s "$kdc_etc/kadmind.acl" /var/lib/heimdal-kdc/kadmind.acl

# Pin the local host to the test realm in both the client and the KDC
# configuration.  Without an explicit mapping, Heimdal and MIT Kerberos may
# try to discover the realm via DNS, and the DNS server for GitHub Actions
# has a habit of just not responding and causing the test to hang.
fqdn=$(hostname -f)
for conf in /etc/krb5.conf "$kdc_etc/kdc.conf"; do
    cat <<EOF >>"$conf"
[domain_realm]
    $fqdn = $realm
EOF
done

# Create the basic KDC: a random master key and an initialized realm.
kstash --random-key
kadmin -l init --realm-max-ticket-life='1 day 1 hour' \
    --realm-max-renewable-life='1 week' "$realm"

# Set default principal policies.
kadmin -l modify --attributes=requires-pre-auth,disallow-svr \
    "default@$realm"

# Create the admin and keytab principals and store their keys as keytabs.
kadmin -l add -r --use-defaults --attributes=requires-pre-auth \
    "test/admin@$realm"
kadmin -l ext_keytab -k "$config/admin-keytab" "test/admin@$realm"
kadmin -l add -r --use-defaults --attributes=requires-pre-auth \
    "test/keytab@$realm"
kadmin -l ext_keytab -k "$config/keytab" "test/keytab@$realm"

# Create a user principal with a known password.  This is a fixed, test-only
# value that is written to a fixture file for the test suite to read, so it
# being visible in the set -x trace and in the source tree is expected.
password="iceedKaicVevjunwiwyd"
kadmin -l add --use-defaults --password="$password" "testuser@$realm"
printf '%s\n' "testuser@$realm" >"$config/password"
printf '%s\n' "$password" >>"$config/password"

# Create the root CA for PKINIT.
mkdir -p "$kdc_etc/ca"
hxtool issue-certificate --self-signed --issue-ca --generate-key=rsa \
    --subject=CN=CA,DC=HEIMDAL,DC=TEST --lifetime=10years \
    --certificate="FILE:$kdc_etc/ca/ca.pem"
chmod 644 "$kdc_etc/ca/ca.pem"

# Create the certificate for the Heimdal Kerberos KDC.
hxtool issue-certificate --ca-certificate="FILE:$kdc_etc/ca/ca.pem" \
    --generate-key=rsa --type=pkinit-kdc \
    --pk-init-principal="krbtgt/$realm@$realm" \
    --subject=uid=kdc,DC=HEIMDAL,DC=TEST \
    --certificate="FILE:$kdc_etc/kdc.pem"
chmod 644 "$kdc_etc/kdc.pem"

# Create the certificate for the Heimdal client.
hxtool issue-certificate --ca-certificate="FILE:$kdc_etc/ca/ca.pem" \
    --generate-key=rsa --type=pkinit-client \
    --pk-init-principal="testuser@$realm" \
    --subject=UID=testuser,DC=HEIMDAL,DC=TEST \
    --certificate="FILE:$config/pkinit-cert"
printf '%s\n' "testuser@$realm" >"$config/pkinit-principal"

# Make all the newly-created fixtures readable by the (unprivileged) test
# suite.
chmod 644 "$config"/*

# Restart the Heimdal KDC and services.
systemctl stop heimdal-kdc
systemctl start heimdal-kdc

# Ensure that the KDC is running.  Retry an initial authentication as the
# test user for a few seconds; if every attempt fails, klist below will fail
# with no credentials and abort the script under set -e.
attempt=1
while [ "$attempt" -le 5 ]; do
    if printf '%s\n' "$password" \
        | kinit --password-file=STDIN "testuser@$realm"; then
        break
    fi
    sleep 1
    attempt=$((attempt + 1))
done
klist
kdestroy