from k5test import *

# Clock-skew regression script: the KDC runs one hour behind the client,
# far outside the skew tolerance Kerberos uses to bound how long a captured
# authenticator or reply stays usable (300 seconds by default in MIT krb5).
# The first realm checks that the kdc_timesync client setting absorbs the
# difference; the second checks that, with kdc_timesync off, every exchange
# is refused instead of quietly accepted.

# Value for krb5kdc's -T option (a time offset in seconds).  kinit's -T,
# used further down, is unrelated: it names the ccache used as FAST armor.
KDC_OFFSET_SECONDS = '-3600'

# Substrings expected in kinit's output.  Per the cases below, the first is
# produced when the client itself rejects the KDC reply, the second when
# the failure is reported by the KDC.
SKEW_SEEN_BY_CLIENT = 'Clock skew too great in KDC reply'
SKEW_FROM_KDC = 'Clock skew too great while'

# --- Realm 1: default client configuration (kdc_timesync enabled) ---
realm = K5Realm(start_kdc=False)
realm.start_kdc(['-T', KDC_OFFSET_SECONDS])

# Without preauth, kinit must succeed and must record a time offset so
# that the following kvno (a service ticket request) also succeeds.  The
# sequence is run twice: plainly, then with FAST armored by the ccache the
# first kinit just filled.
# NOTE(review): the offset is taken from the KDC's reply, so with
# kdc_timesync on the library's notion of "now" follows the KDC rather
# than the local clock -- confirm that is acceptable where it is enabled.
mark('kdc_timesync enabled, no preauth')
realm.kinit(realm.user_princ, password('user'))
realm.run([kvno, realm.host_princ])
realm.kinit(
    realm.user_princ,
    password('user'),
    flags=['-T', realm.ccache],
)
realm.run([kvno, realm.host_princ])
realm.run([kdestroy])

# Same sequence once the principal requires preauthentication.
mark('kdc_timesync enabled, with preauth')
realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
realm.kinit(realm.user_princ, password('user'))
realm.run([kvno, realm.host_princ])
realm.kinit(
    realm.user_princ,
    password('user'),
    flags=['-T', realm.ccache],
)
realm.run([kvno, realm.host_princ])
realm.run([kdestroy])

realm.stop()

# --- Realm 2: kdc_timesync disabled in [libdefaults] ---
conf = {'libdefaults': {'kdc_timesync': '0'}}
realm = K5Realm(start_kdc=False, krb5_conf=conf)
realm.start_kdc(['-T', KDC_OFFSET_SECONDS])

# Armor tickets for the FAST cases go into a separate ccache.  The KDC
# ignores the requested start time because the tickets are not
# postdatable; the option is there only to suppress the client's skew
# check on the KDC reply so that this setup kinit can complete.
fast_cache = realm.ccache + '.fast'
realm.kinit(
    realm.user_princ,
    password('user'),
    flags=['-s', '-3600s', '-c', fast_cache],
)

# No preauth: the client has to notice the skew in the KDC reply by
# itself.  With FAST the KDC is the one that refuses, because the armor
# AP-REQ is not valid from its point of view.
mark('KDC timesync disabled, no preauth')
realm.kinit(
    realm.user_princ,
    password('user'),
    expected_code=1,
    expected_msg=SKEW_SEEN_BY_CLIENT,
)
realm.kinit(
    realm.user_princ,
    None,
    flags=['-T', fast_cache],
    expected_code=1,
    expected_msg=SKEW_FROM_KDC,
)

# With preauth required, the KDC refuses both the plain and the FAST
# request.
mark('KDC timesync disabled, with preauth')
realm.run([kadminl, 'modprinc', '+requires_preauth', 'user'])
realm.kinit(
    realm.user_princ,
    password('user'),
    expected_code=1,
    expected_msg=SKEW_FROM_KDC,
)
realm.kinit(
    realm.user_princ,
    None,
    flags=['-T', fast_cache],
    expected_code=1,
    expected_msg=SKEW_FROM_KDC,
)

success('Clock skew tests')