* d/t/{ssh-gssapi,util}: ssh-gssapi DEP8 test for gssapi-with-mic

and gssapi-keyex authentication methods
author: Andreas Hasenack <andreas.hasenack@canonical.com> 2024-03-15 17:14:06 -0300
committer: Colin Watson <cjwatson@debian.org> 2024-05-11 15:57:36 +0100
commit: 1491959050cacdf8e2e82b6d71482c48aedfe0e6 (patch)
tree: 9527cdb51296d83ab925e7866e3e2751acd9591c
parent: a980bf94a32f191a9e412eb0550c74ca6d96940b (diff)
3 files changed, 238 insertions, 0 deletions
diff --git a/debian/tests/control b/debian/tests/control
index 3c7b14d99..efd6c45a7 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -9,3 +9,9 @@ Depends: devscripts,
          python3-twisted,
          sudo,
          sysvinit-utils,
+
+Tests: ssh-gssapi
+Restrictions: needs-root allow-stderr isolation-container
+Depends: openssh-server,
+         krb5-kdc,
+         krb5-admin-server
diff --git a/debian/tests/ssh-gssapi b/debian/tests/ssh-gssapi
new file mode 100755
index 000000000..20d604901
--- /dev/null
+++ b/debian/tests/ssh-gssapi
@@ -0,0 +1,156 @@
+#!/bin/bash
+
+set -e
+set -o pipefail
+
+realm="EXAMPLE.FAKE"
+myhostname="sshd-gssapi.${realm,,}"
+testuser="testuser$$"
+adduser --quiet --disabled-password --gecos "" "${testuser}"
+password="secret"
+user_principal="${testuser}@${realm}"
+service_principal="host/${myhostname}"
+
+source debian/tests/util
+
+cleanup() {
+    if [ $? -ne 0 ]; then
+        echo "## Something failed"
+        echo
+        echo "## ssh server log"
+        journalctl -b -u ssh.service --lines 100
+        echo
+        echo "## Kerberos KDC logs"
+        journalctl -b -u krb5-kdc.service --lines 100
+        echo
+        echo "## Kerberos Admin server logs"
+        journalctl -b -u krb5-admin-server.service --lines 100
+        echo
+        echo "## Skipping cleanup to facilitate troubleshooting"
+    else
+        echo "## ALL TESTS PASSED"
+        echo "## Cleaning up"
+        rm -f /etc/krb5.keytab
+        rm -f /etc/ssh/sshd_config.d/gssapi.conf
+        rm -f /etc/ssh/ssh_config.d/gssapi.conf
+        rm -f /etc/ssh/ssh_config.d/dep8.conf
+    fi
+}
+
+trap cleanup EXIT
+
+setup() {
+    echo "## Setting up test environment"
+    adjust_hostname "${myhostname}"
+    echo "## Creating Kerberos realm ${realm}"
+    create_realm "${realm}" "${myhostname}"
+    echo "## Creating principals"
+    kadmin.local -q "addprinc -clearpolicy -pw ${password} ${user_principal}"
+    kadmin.local -q "addprinc -clearpolicy -randkey ${service_principal}"
+    echo "## Extracting service principal ${service_principal}"
+    kadmin.local -q "ktadd -k /etc/krb5.keytab ${service_principal}"
+    cat > /etc/ssh/ssh_config.d/dep8.conf <<EOF
+Host *
+    StrictHostKeyChecking no
+    UserKnownHostsFile /dev/null
+EOF
+    echo "## Adjusting /etc/krb5.conf"
+    cat > /etc/krb5.conf <<EOF
+[libdefaults]
+    default_realm = ${realm}
+    rdns = false
+    forwardable = true
+    dns_lookup_kdc = falase
+    dns_uri_lookup = false
+    dns_lookup_realm = false
+
+[realms]
+    ${realm} = {
+        kdc = ${myhostname}
+        admin_server = ${myhostname}
+    }
+EOF
+}
+
+configure_sshd() {
+    local auth_method="${1}"
+
+    if [ "${auth_method}" = "gssapi-with-mic" ]; then
+        # server
+        echo "## Configuring sshd for ${auth_method} authentication"
+        cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange no
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+    # client
+    cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+    GSSAPIAuthentication yes
+    GSSAPIKeyExchange no
+    PubkeyAuthentication no
+EOF
+    elif [ "${auth_method}" = "gssapi-keyex" ]; then
+        # server
+        echo "## Configuring sshd for ${auth_method} authentication"
+        cat > /etc/ssh/sshd_config.d/gssapi.conf <<EOF
+GSSAPIAuthentication yes
+GSSAPIKeyExchange yes
+GSSAPICleanupCredentials yes
+PubkeyAuthentication no
+AuthenticationMethods ${auth_method}
+EOF
+    # client
+    cat > /etc/ssh/ssh_config.d/gssapi.conf <<EOF
+Host *
+    GSSAPIAuthentication yes
+    GSSAPIKeyExchange yes
+    PubkeyAuthentication no
+EOF
+    else
+        echo "## ERROR: unknown auth_method \"${auth_method}\""
+        return 1
+    fi
+    echo "## Restarting ssh"
+    systemctl restart ssh.service
+    echo
+}
+
+_test_ssh_login() {
+    local auth_method="${1}"
+
+    kdestroy 2>/dev/null || :
+    configure_sshd "${auth_method}"
+    echo "## Obtaining TGT"
+    echo "${password}" | timeout --verbose 30 kinit "${user_principal}"
+    klist
+    echo
+    echo "## ssh'ing into localhost using ${auth_method} auth"
+    timeout --verbose 30 ssh "${testuser}@${myhostname}" date
+    echo
+    echo "## checking that we got a service ticket for ssh (host/)"
+    klist | grep -F "${service_principal}"
+    echo
+    echo "## Checking ssh logs to confirm ${auth_method} auth was used"
+    journalctl -u ssh.service -b --grep "${auth_method}"
+}
+
+test_gssapi_login() {
+    local auth_method="gssapi-with-mic"
+
+    _test_ssh_login "${auth_method}"
+}
+
+test_gssapi_keyex_login() {
+    local auth_method="gssapi-keyex"
+
+    _test_ssh_login "${auth_method}"
+}
+
+setup
+echo "## TESTS"
+echo
+run_test test_gssapi_login
+run_test test_gssapi_keyex_login
diff --git a/debian/tests/util b/debian/tests/util
new file mode 100644
index 000000000..e6035c467
--- /dev/null
+++ b/debian/tests/util
@@ -0,0 +1,76 @@
+# Copyright 2018 Canonical Ltd.
+# This code is licensed under the same terms as MIT Kerberos.
+
+set -e
+
+adjust_hostname() {
+    local myhostname="$1"
+
+    echo "${myhostname}" > /etc/hostname
+    hostname "${myhostname}"
+    if ! grep -qE "${myhostname}" /etc/hosts; then
+        # just so it's resolvable
+        echo "127.0.1.10 ${myhostname}" >> /etc/hosts
+    fi
+}
+
+create_realm() {
+    local realm_name="$1"
+    local kerberos_server="$2"
+
+    # start fresh
+    rm -rf /var/lib/krb5kdc/*
+    rm -rf /etc/krb5kdc/*
+    rm -f /etc/krb5.keytab
+
+    # setup some defaults
+    cat > /etc/krb5kdc/kdc.conf <<EOF
+[kdcdefaults]
+    kdc_ports = 750,88
+[realms]
+    ${realm_name} = {
+	    database_name = /var/lib/krb5kdc/principal
+	    admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
+	    acl_file = /etc/krb5kdc/kadm5.acl
+	    key_stash_file = /etc/krb5kdc/stash
+	    kdc_ports = 750,88
+	    max_life = 10h 0m 0s
+	    max_renewable_life = 7d 0h 0m 0s
+	    default_principal_flags = +preauth
+    }
+EOF
+
+    cat > /etc/krb5.conf <<EOF
+[libdefaults]
+    default_realm = ${realm_name}
+    rdns = false
+
+[realms]
+	${realm_name} = {
+		kdc = ${kerberos_server}
+		admin_server = ${kerberos_server}
+	}
+EOF
+    echo "# */admin *" > /etc/krb5kdc/kadm5.acl
+
+    # create the realm
+    kdb5_util create -s -P secretpassword
+
+    # restart services
+    systemctl restart krb5-kdc.service krb5-admin-server.service
+}
+
+run_test() {
+    local testfunc="${1}"
+    local -i result=0
+    shift
+    echo "## TEST ${testfunc}"
+    "${testfunc}" "${@}" || result=$?
+    if [ ${result} -ne 0 ]; then
+        echo "## FAIL ${testfunc}"
+    else
+        echo "## PASS ${testfunc}"
+    fi
+    echo
+    return ${result}
+}
author	Andreas Hasenack <andreas.hasenack@canonical.com>	2024-03-15 17:14:06 -0300
committer	Colin Watson <cjwatson@debian.org>	2024-05-11 15:57:36 +0100
commit	1491959050cacdf8e2e82b6d71482c48aedfe0e6 (patch)
tree	9527cdb51296d83ab925e7866e3e2751acd9591c
parent	a980bf94a32f191a9e412eb0550c74ca6d96940b (diff)