This directory contains configuration required to run the complete
pam-krb5 test suite. If there is no configuration in this directory, many
of the tests will be skipped. To enable the full test suite, create the
following files:

admin-keytab

    A keytab for a principal (in the same realm as the test principal
    configured in password) that has admin access to inspect and modify
    that test principal. For an MIT Kerberos KDC, it needs "mci"
    permissions in kadm5.acl for that principal. For a Heimdal KDC, it
    needs "cpw,list,modify" permissions (obviously, "all" will do). This
    file is optional; if not present, the tests requiring admin
    modification of a principal will be skipped.

krb5.conf

    This is optional and not required if the Kerberos realm used for
    testing is configured in DNS or your system krb5.conf file and that
    file is in either /etc/krb5.conf or /usr/local/etc/krb5.conf.
    Otherwise, create a krb5.conf file that contains the realm information
    (KDC, kpasswd server, and admin server) for the realm you're using for
    testing. You don't need to worry about setting the default realm;
    this will be done automatically in the generated file used by the test
    suite.

keytab

    An optional keytab for a principal, which generally should be in the
    same realm as the user configured in the password file. This is used
    to test FAST support with a ticket cache.

password

    This file should contain two lines. The first line is the
    fully-qualified principal (including the realm) of a Kerberos
    principal to use for testing authentication. The second line is the
    password for that principal.

    If the realm of the principal is not configured in either DNS or in
    your system krb5.conf file (/usr/local/etc/krb5.conf or
    /etc/krb5.conf) with the KDC, kpasswd server, and admin server, you
    will need to also provide a krb5.conf file in this directory. See
    krb5.conf above.

pkinit-cert

    Certificate and private key (concatenated together) for PKINIT
    authentication for the user listed in the pkinit-principal file.
    Optional; PKINIT checks will be skipped if this file isn't present.

pkinit-principal

    Principal to use to test PKINIT authentication. Must be the Kerberos
    identity corresponding to the certificate and private key given in
    pkinit-cert. Optional; PKINIT checks will be skipped if this file
    isn't present.

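A preflight check for this directory, added here as an example and not
part of pam-krb5: it reports which optional files are missing and whether
the files that are present match the descriptions above. The check_config
name, the PEM encoding of pkinit-cert, and the world-readable warning are
assumptions of the example, not requirements stated in this file.

```shell
#!/bin/sh
# Added example, not part of pam-krb5: preflight check of a test configuration
# directory against the file descriptions above.

# check_config DIR: print one finding per line; return 1 if a file that is
# present is malformed, 0 otherwise (missing optional files only skip tests).
check_config() {
    dir=$1; bad=0
    if [ -f "$dir/password" ]; then
        # Line 1: fully-qualified principal with realm. Line 2: its password.
        principal=$(sed -n 1p "$dir/password")
        case $principal in
            ?*@?*) echo "ok: test principal $principal" ;;
            *) echo "error: password line 1 has no realm"; bad=1 ;;
        esac
        [ -n "$(sed -n 2p "$dir/password")" ] ||
            { echo "error: password line 2 is empty"; bad=1; }
    else
        echo "skip: no password file, so no test principal"
    fi
    [ -f "$dir/admin-keytab" ] || echo "skip: admin modification tests"
    [ -f "$dir/keytab" ] || echo "skip: FAST with a ticket cache"
    if [ -f "$dir/pkinit-cert" ] && [ -f "$dir/pkinit-principal" ]; then
        # Assumption: PEM encoding. The file must hold certificate and key.
        grep -q -e '-----BEGIN CERTIFICATE-----' "$dir/pkinit-cert" ||
            { echo "error: pkinit-cert has no certificate"; bad=1; }
        grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$dir/pkinit-cert" ||
            { echo "error: pkinit-cert has no private key"; bad=1; }
    else
        echo "skip: PKINIT checks"
    fi
    # Added hardening check (not stated in the README): these files hold
    # secrets, so flag any that other local users can read.
    for f in password admin-keytab keytab pkinit-cert; do
        [ -f "$dir/$f" ] || continue
        [ -z "$(find "$dir/$f" -prune -perm -004)" ] ||
            echo "warn: $f is world-readable"
    done
    return "$bad"
}

# Demo on a constructed directory (principal and password are made-up values).
demo=$(mktemp -d)
printf '%s\n' 'testuser@EXAMPLE.ORG' 'constructed-password' > "$demo/password"
chmod 644 "$demo/password"
check_config "$demo" || echo "configuration needs fixing"
rm -rf "$demo"
```
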
-----

Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
Copyright 2011-2012
    The Board of Trustees of the Leland Stanford Junior University

Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved. This file is offered as-is, without any
warranty.

SPDX-License-Identifier: FSFAP