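#!/bin/sh
#
# Build a Kerberos test realm for MIT Kerberos
#
# This script automates the process of setting up a Kerberos test realm from
# scratch suitable for testing pam-krb5. It is primarily intended to be run
# from inside CI in a VM or container from the top of the pam-krb5 source
# tree, and must be run as root. It expects to be operating on the Debian
# MIT Kerberos package.
#
# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
#
# SPDX-License-Identifier: MIT

# Abort on the first failing command or unset variable, and trace every
# command so that the CI log shows exactly what was run.
set -eux

# Install the KDC and the OpenSSL command line tool. -y answers apt-get's
# confirmation prompt, which is shown whenever dependencies have to be
# pulled in and which aborts the install when stdin is not a terminal (as
# is the case in CI).
apt-get install -y krb5-admin-server krb5-kdc krb5-pkinit openssl

# Install the KDC configuration files into /etc/krb5kdc and the client
# configuration into /etc/krb5.conf.
for file in extensions.client extensions.kdc kadm5.acl kdc.conf; do
    cp "ci/files/mit/$file" "/etc/krb5kdc/$file"
done
cp ci/files/mit/krb5.conf /etc/krb5.conf

# Add domain-realm mappings for the local host, since otherwise Heimdal and
# MIT Kerberos may attempt to discover the realm of the local domain, and the
# DNS server for GitHub Actions has a habit of just not responding and causing
# the test to hang. The FQDN is expanded when this script runs.
cat <<EOF >>/etc/krb5.conf
[domain_realm]
    $(hostname -f) = MIT.TEST
EOF

# Create the basic KDC. -s stashes the master key so that the KDC can be
# started without prompting for it; the master password is a fixed test
# value.
kdb5_util create -s -P 'this is a test master database password'

# Create the admin and service test principals with random keys and export
# those keys to keytabs under tests/config for the test suite to use.
kadmin.local -q 'add_principal +requires_preauth -randkey test/admin@MIT.TEST'
kadmin.local -q 'ktadd -k tests/config/admin-keytab test/admin@MIT.TEST'
kadmin.local -q 'add_principal +requires_preauth -randkey test/keytab@MIT.TEST'
kadmin.local -q 'ktadd -k tests/config/keytab test/keytab@MIT.TEST'

# Enable anonymous PKINIT by creating the well-known anonymous principal.
kadmin.local -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'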
# Create a user principal with a known password. The password is a fixed
# test credential; it is written, after the principal name, to
# tests/config/password for the test suite. Note that set -x above also
# echoes it into the trace output.
password="iceedKaicVevjunwiwyd"
kadmin.local -q \
    "add_principal +requires_preauth -pw $password testuser@MIT.TEST"
{
    echo 'testuser@MIT.TEST'
    echo "$password"
} >tests/config/password

# Create the root CA for PKINIT. The KDC directory and the CA certificate are
# then made world-readable so that non-root readers can reach the
# certificate (the key keeps the default permissions).
ca_key=/etc/krb5kdc/cakey.pem
ca_cert=/etc/krb5kdc/cacert.pem
openssl genrsa -out "$ca_key" 2048
openssl req -key "$ca_key" -new -x509 -out "$ca_cert" \
    -subj "/CN=MIT.TEST CA" -days 3650
chmod 755 /etc/krb5kdc
chmod 644 "$ca_cert"

# Create the certificate for the MIT Kerberos KDC, signed by the root CA with
# the kdc_cert extensions from extensions.kdc. REALM is set only for the
# duration of the openssl call (presumably referenced by the extensions
# file). -CAcreateserial creates the CA serial file on this first signing.
kdc_key=/var/lib/krb5kdc/kdckey.pem
kdc_req=/var/lib/krb5kdc/kdc.req
openssl genrsa -out "$kdc_key" 2048
openssl req -new -out "$kdc_req" -key "$kdc_key" -subj "/CN=MIT.TEST"
REALM=MIT.TEST openssl x509 -req -in "$kdc_req" \
    -CAkey "$ca_key" -CA "$ca_cert" \
    -out /var/lib/krb5kdc/kdc.pem -days 365 \
    -extfile /etc/krb5kdc/extensions.kdc -extensions kdc_cert \
    -CAcreateserial
rm "$kdc_req"

# Create the certificate for the MIT Kerberos client (the test user) with the
# client_cert extensions from extensions.client. The key and request are
# created in the current directory, the certificate and key are bundled into
# tests/config/pkinit-cert, and the temporary files are removed.
openssl genrsa -out clientkey.pem 2048
openssl req -new -key clientkey.pem -out client.req \
    -subj "/CN=testuser@MIT.TEST"
REALM="MIT.TEST" CLIENT="testuser" openssl x509 \
    -CAkey "$ca_key" -CA "$ca_cert" -req \
    -in client.req -extensions client_cert \
    -extfile /etc/krb5kdc/extensions.client -days 365 -out client.pem
cat client.pem clientkey.pem >tests/config/pkinit-cert
rm clientkey.pem client.pem client.req
echo 'testuser@MIT.TEST' >tests/config/pkinit-principal

# Fix permissions on all the newly-created files (keytabs, password file,
# PKINIT certificate and principal) so the test suite can read them.
chmod 644 tests/config/*

# Restart the MIT Kerberos KDC and services (an explicit stop followed by a
# start) now that the database, configuration and certificates exist.
systemctl stop krb5-kdc krb5-admin-server
systemctl start krb5-kdc krb5-admin-server
# Ensure that the KDC is running: try a password kinit as the test user up
# to five times, pausing one second after each failure (presumably to give
# the freshly started KDC time to come up). The kinit inside the if is not
# subject to set -e, so a failed attempt just loops.
attempt=0
while [ "$attempt" -lt 5 ]; do
    if printf '%s\n' "$password" | kinit testuser@MIT.TEST; then
        break
    fi
    sleep 1
    attempt=$((attempt + 1))
done

# Exercise the realm: list and discard the credentials obtained above, then
# check anonymous PKINIT (-n) and certificate PKINIT as the test user. These
# run under set -e, so if no ticket was obtained klist fails and the script
# exits non-zero.
klist
kdestroy
kinit -n @MIT.TEST
kinit -X X509_user_identity=FILE:tests/config/pkinit-cert testuser@MIT.TEST