Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/crypto/krb5/src/tests/t_changepw.py
34870 views
1
from k5test import *

2


3
# Also listen on a UNIX domain sockets for kpasswd.

4
unix_conf = {'realms': {'$realm': {

5
    'kdc_listen': '$port0, $testdir/krb5.sock',

6
    'kadmind_listen': '$port1, $testdir/kadmin.sock',

7
    'kpasswd_listen': '$port2, $testdir/kpasswd.sock'}}}

8
realm = K5Realm(create_host=False,get_creds=False, kdc_conf=unix_conf)

9
realm.start_kadmind()

10
realm.prep_kadmin()

11


12
# Mark a principal as expired and change its password through kinit.

13
mark('password change via kinit')

14
realm.run([kadminl, 'modprinc', '-pwexpire', '1 day ago', 'user'])

15
pwinput = password('user') + '\nabcd\nabcd\n'

16
realm.run([kinit, realm.user_princ], input=pwinput)

17


18
# Regression test for #7868 (preauth options ignored when

19
# krb5_get_init_creds_password() initiates a password change).  This

20
# time use the REQUIRES_PWCHANGE bit instead of the password

21
# expiration time.

22
mark('password change via kinit with FAST')

23
realm.run([kadminl, 'modprinc', '+needchange', 'user'])

24
pwinput = 'abcd\nefgh\nefgh\n'

25
out, trace = realm.run([kinit, '-T', realm.ccache, realm.user_princ],

26
                       input=pwinput, return_trace=True)

27
# Check that FAST was used when getting the kadmin/changepw ticket.

28
getting_changepw = fast_used_for_changepw = False

29
for line in trace.splitlines():

30
    if 'Getting initial credentials for user@' in line:

31
        getting_changepw_ticket = False

32
    if 'Setting initial creds service to kadmin/changepw' in line:

33
        getting_changepw_ticket = True

34
    if getting_changepw_ticket and 'Using FAST' in line:

35
        fast_used_for_changepw = True

36
if not fast_used_for_changepw:

37
    fail('FAST was not used to get kadmin/changepw ticket')

38


39
# Test that passwords specified via kadmin and kpasswd are usable with

40
# kinit.

41
mark('password change usability by kinit')

42
realm.run([kadminl, 'addprinc', '-pw', 'pw1', 'testprinc'])

43
# Run kpasswd with an active cache to exercise automatic FAST use.

44
realm.kinit('testprinc', 'pw1')

45
realm.run([kpasswd, 'testprinc'], input='pw1\npw2\npw2\n')

46
realm.kinit('testprinc', 'pw2')

47
realm.run([kdestroy])

48
realm.run([kpasswd, 'testprinc'], input='pw2\npw3\npw3\n')

49
realm.kinit('testprinc', 'pw3')

50
realm.run([kdestroy])

51
realm.run_kadmin(['cpw', '-pw', 'pw4', 'testprinc'])

52
realm.kinit('testprinc', 'pw4')

53
realm.run([kdestroy])

54
realm.run([kadminl, 'delprinc', 'testprinc'])

55


56
mark('password change over UNIX domain socket')

57


58
unix_cli_conf = {'realms': {'$realm': {

59
    'kdc': '$testdir/krb5.sock',

60
    'admin_server': '$testdir/kadmin.sock',

61
    'kpasswd_server': '$testdir/kpasswd.sock'}}}

62
unix_cli = realm.special_env('unix_cli', False, krb5_conf=unix_cli_conf)

63


64
realm.run([kadminl, 'addprinc', '-pw', 'pw1', 'testprinc'])

65
msgs = ('Sending TCP request to UNIX domain socket',)

66
realm.run([kpasswd, 'testprinc'], input='pw1\npw2\npw2\n', env=unix_cli,

67
          expected_trace=msgs)

68
realm.run([kadminl, 'delprinc', 'testprinc'])

69


70
success('Password change tests')

71


72