1*7f2fe78bSCy Schubertfrom k5test import * 2*7f2fe78bSCy Schubert 3*7f2fe78bSCy Schubertrealm = K5Realm(create_host=False, get_creds=False, start_kadmind=True) 4*7f2fe78bSCy Schubertrealm.prep_kadmin() 5*7f2fe78bSCy Schubert 6*7f2fe78bSCy Schubert# Mark a principal as expired and change its password through kinit. 7*7f2fe78bSCy Schubertmark('password change via kinit') 8*7f2fe78bSCy Schubertrealm.run([kadminl, 'modprinc', '-pwexpire', '1 day ago', 'user']) 9*7f2fe78bSCy Schubertpwinput = password('user') + '\nabcd\nabcd\n' 10*7f2fe78bSCy Schubertrealm.run([kinit, realm.user_princ], input=pwinput) 11*7f2fe78bSCy Schubert 12*7f2fe78bSCy Schubert# Regression test for #7868 (preauth options ignored when 13*7f2fe78bSCy Schubert# krb5_get_init_creds_password() initiates a password change). This 14*7f2fe78bSCy Schubert# time use the REQUIRES_PWCHANGE bit instead of the password 15*7f2fe78bSCy Schubert# expiration time. 16*7f2fe78bSCy Schubertmark('password change via kinit with FAST') 17*7f2fe78bSCy Schubertrealm.run([kadminl, 'modprinc', '+needchange', 'user']) 18*7f2fe78bSCy Schubertpwinput = 'abcd\nefgh\nefgh\n' 19*7f2fe78bSCy Schubertout, trace = realm.run([kinit, '-T', realm.ccache, realm.user_princ], 20*7f2fe78bSCy Schubert input=pwinput, return_trace=True) 21*7f2fe78bSCy Schubert# Check that FAST was used when getting the kadmin/changepw ticket. 22*7f2fe78bSCy Schubertgetting_changepw = fast_used_for_changepw = False 23*7f2fe78bSCy Schubertfor line in trace.splitlines(): 24*7f2fe78bSCy Schubert if 'Getting initial credentials for user@' in line: 25*7f2fe78bSCy Schubert getting_changepw_ticket = False 26*7f2fe78bSCy Schubert if 'Setting initial creds service to kadmin/changepw' in line: 27*7f2fe78bSCy Schubert getting_changepw_ticket = True 28*7f2fe78bSCy Schubert if getting_changepw_ticket and 'Using FAST' in line: 29*7f2fe78bSCy Schubert fast_used_for_changepw = True 30*7f2fe78bSCy Schubertif not fast_used_for_changepw: 31*7f2fe78bSCy Schubert fail('FAST was not used to get kadmin/changepw ticket') 32*7f2fe78bSCy Schubert 33*7f2fe78bSCy Schubert# Test that passwords specified via kadmin and kpasswd are usable with 34*7f2fe78bSCy Schubert# kinit. 35*7f2fe78bSCy Schubertmark('password change usability by kinit') 36*7f2fe78bSCy Schubertrealm.run([kadminl, 'addprinc', '-pw', 'pw1', 'testprinc']) 37*7f2fe78bSCy Schubert# Run kpasswd with an active cache to exercise automatic FAST use. 38*7f2fe78bSCy Schubertrealm.kinit('testprinc', 'pw1') 39*7f2fe78bSCy Schubertrealm.run([kpasswd, 'testprinc'], input='pw1\npw2\npw2\n') 40*7f2fe78bSCy Schubertrealm.kinit('testprinc', 'pw2') 41*7f2fe78bSCy Schubertrealm.run([kdestroy]) 42*7f2fe78bSCy Schubertrealm.run([kpasswd, 'testprinc'], input='pw2\npw3\npw3\n') 43*7f2fe78bSCy Schubertrealm.kinit('testprinc', 'pw3') 44*7f2fe78bSCy Schubertrealm.run([kdestroy]) 45*7f2fe78bSCy Schubertrealm.run_kadmin(['cpw', '-pw', 'pw4', 'testprinc']) 46*7f2fe78bSCy Schubertrealm.kinit('testprinc', 'pw4') 47*7f2fe78bSCy Schubertrealm.run([kdestroy]) 48*7f2fe78bSCy Schubertrealm.run([kadminl, 'delprinc', 'testprinc']) 49*7f2fe78bSCy Schubert 50*7f2fe78bSCy Schubertsuccess('Password change tests') 51