name = "kerberos_server-heimdal";
14
-
services.kerberos_server = {
19
-
principal = "admin";
8
+
{ config, pkgs, ... }:
10
+
imports = [ ../common/user-account.nix ];
12
+
users.users.alice.extraGroups = [ "wheel" ];
14
+
services.getty.autologinUser = "alice";
16
+
virtualisation.vlans = [ 1 ];
18
+
time.timeZone = "Etc/UTC";
23
+
firewall.enable = false;
24
+
hosts."10.0.0.1" = [ "server.foo.bar" ];
25
+
hosts."10.0.0.2" = [ "client.foo.bar" ];
30
-
package = pkgs.heimdal;
33
-
default_realm = "FOO.BAR";
28
+
systemd.network.networks."01-eth1" = {
30
+
networkConfig.Address = "10.0.0.1/24";
35
+
package = pkgs.heimdal;
37
+
libdefaults.default_realm = "FOO.BAR";
39
+
# Enable extra debug output
41
+
admin_server = "SYSLOG:DEBUG:AUTH";
42
+
default = "SYSLOG:DEBUG:AUTH";
43
+
kdc = "SYSLOG:DEBUG:AUTH";
48
+
admin_server = "server.foo.bar";
49
+
kpasswd_server = "server.foo.bar";
50
+
kdc = [ "server.foo.bar" ];
56
+
services.kerberos_server = {
37
-
admin_server = "machine";
62
+
principal = "kadmin/admin@FOO.BAR";
66
+
principal = "alice/admin@FOO.BAR";
83
+
{ config, pkgs, ... }:
85
+
imports = [ ../common/user-account.nix ];
87
+
users.users.alice.extraGroups = [ "wheel" ];
89
+
services.getty.autologinUser = "alice";
91
+
virtualisation.vlans = [ 1 ];
93
+
time.timeZone = "Etc/UTC";
47
-
"kadmin -l init --realm-max-ticket-life='8 day' --realm-max-renewable-life='10 day' FOO.BAR",
48
-
"systemctl restart kadmind.service kdc.service",
98
+
hosts."10.0.0.1" = [ "server.foo.bar" ];
99
+
hosts."10.0.0.2" = [ "client.foo.bar" ];
102
+
systemd.network.networks."01-eth1" = {
104
+
networkConfig.Address = "10.0.0.2/24";
51
-
for unit in ["kadmind", "kdc", "kpasswdd"]:
52
-
machine.wait_for_unit(f"{unit}.service")
109
+
package = pkgs.heimdal;
111
+
libdefaults.default_realm = "FOO.BAR";
55
-
"kadmin -l add --password=admin_pw --use-defaults admin",
56
-
"kadmin -l ext_keytab --keytab=admin.keytab admin",
57
-
"kadmin -p admin -K admin.keytab add --password=alice_pw --use-defaults alice",
58
-
"kadmin -l ext_keytab --keytab=alice.keytab alice",
59
-
"kinit -kt alice.keytab alice",
114
+
admin_server = "SYSLOG:DEBUG:AUTH";
115
+
default = "SYSLOG:DEBUG:AUTH";
116
+
kdc = "SYSLOG:DEBUG:AUTH";
121
+
admin_server = "server.foo.bar";
122
+
kpasswd_server = "server.foo.bar";
123
+
kdc = [ "server.foo.bar" ];
140
+
with subtest("Server: initialize realm"):
141
+
# for unit in ["kadmind.service", "kdc.socket", "kpasswdd.socket"]:
142
+
for unit in ["kadmind.service", "kdc.service", "kpasswdd.service"]:
143
+
server.wait_for_unit(unit)
145
+
server.succeed("kadmin -l init --realm-max-ticket-life='8 day' --realm-max-renewable-life='10 day' FOO.BAR")
147
+
for unit in ["kadmind.service", "kdc.service", "kpasswdd.service"]:
148
+
server.systemctl(f"restart {unit}")
150
+
alice_krb_pw = "alice_hunter2"
151
+
alice_old_krb_pw = ""
152
+
alice_krb_admin_pw = "alice_admin_hunter2"
154
+
def random_password():
155
+
password_chars = string.ascii_letters + string.digits + string.punctuation.replace('"', "")
156
+
return "".join(random.choice(password_chars) for _ in range(16))
158
+
with subtest("Server: initialize user principals and keytabs"):
159
+
server.succeed(f'kadmin -l add --password="{alice_krb_admin_pw}" --use-defaults alice/admin')
160
+
server.succeed("kadmin -l ext_keytab --keytab=admin.keytab alice/admin")
162
+
server.succeed(f'kadmin -p alice/admin -K admin.keytab add --password="{alice_krb_pw}" --use-defaults alice')
163
+
server.succeed("kadmin -l ext_keytab --keytab=alice.keytab alice")
165
+
server.wait_for_unit("getty@tty1.service")
166
+
server.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
167
+
server.wait_for_unit("default.target")
169
+
with subtest("Server: initialize host principal with keytab"):
170
+
server.send_chars("sudo ktutil get -p alice/admin host/server.foo.bar\n")
171
+
server.wait_until_tty_matches("1", "password for alice:")
172
+
server.send_chars("${nodes.server.config.users.users.alice.password}\n")
173
+
server.wait_until_tty_matches("1", "alice/admin@FOO.BAR's Password:")
174
+
server.send_chars(f'{alice_krb_admin_pw}\n')
175
+
server.wait_for_file("/etc/krb5.keytab")
177
+
ktutil_list = server.succeed("sudo ktutil list")
178
+
if not "host/server.foo.bar" in ktutil_list:
181
+
server.send_chars("clear\n")
183
+
client.systemctl("start network-online.target")
184
+
client.wait_for_unit("network-online.target")
185
+
client.wait_for_unit("getty@tty1.service")
186
+
client.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
187
+
client.wait_for_unit("default.target")
189
+
with subtest("Client: initialize host principal with keytab"):
191
+
f'echo "{alice_krb_admin_pw}" > pw.txt',
192
+
"kinit -p --password-file=pw.txt alice/admin",
195
+
client.send_chars("sudo ktutil get -p alice/admin host/client.foo.bar\n")
196
+
client.wait_until_tty_matches("1", "password for alice:")
197
+
client.send_chars("${nodes.client.config.users.users.alice.password}\n")
198
+
client.wait_until_tty_matches("1", "alice/admin@FOO.BAR's Password:")
199
+
client.send_chars(f"{alice_krb_admin_pw}\n")
200
+
client.wait_for_file("/etc/krb5.keytab")
202
+
ktutil_list = client.succeed("sudo ktutil list")
203
+
if not "host/client.foo.bar" in ktutil_list:
206
+
client.send_chars("clear\n")
208
+
with subtest("Client: kinit alice"):
210
+
f"echo '{alice_krb_pw}' > pw.txt",
211
+
"kinit -p --password-file=pw.txt alice",
213
+
tickets = client.succeed("klist")
214
+
assert "Principal: alice@FOO.BAR" in tickets
215
+
client.send_chars("clear\n")
217
+
with subtest("Client: kpasswd alice"):
218
+
alice_old_krb_pw = alice_krb_pw
219
+
alice_krb_pw = random_password()
220
+
client.send_chars("kpasswd\n")
221
+
client.wait_until_tty_matches("1", "alice@FOO.BAR's Password:")
222
+
client.send_chars(f"{alice_old_krb_pw}\n", 0.1)
223
+
client.wait_until_tty_matches("1", "New password:")
224
+
client.send_chars(f"{alice_krb_pw}\n", 0.1)
225
+
client.wait_until_tty_matches("1", "Verify password - New password:")
226
+
client.send_chars(f"{alice_krb_pw}\n", 0.1)
228
+
client.wait_until_tty_matches("1", "Success : Password changed")
230
+
client.send_chars("clear\n")
232
+
with subtest("Server: kinit alice"):
234
+
"echo 'alice_pw_2' > pw.txt"
235
+
"kinit -p --password-file=pw.txt alice",
237
+
tickets = client.succeed("klist")
238
+
assert "Principal: alice@FOO.BAR" in tickets
239
+
server.send_chars("clear\n")
241
+
with subtest("Server: kpasswd alice"):
242
+
alice_old_krb_pw = alice_krb_pw
243
+
alice_krb_pw = random_password()
244
+
server.send_chars("kpasswd\n")
245
+
server.wait_until_tty_matches("1", "alice@FOO.BAR's Password:")
246
+
server.send_chars(f"{alice_old_krb_pw}\n", 0.1)
247
+
server.wait_until_tty_matches("1", "New password:")
248
+
server.send_chars(f"{alice_krb_pw}\n", 0.1)
249
+
server.wait_until_tty_matches("1", "Verify password - New password:")
250
+
server.send_chars(f"{alice_krb_pw}\n", 0.1)
252
+
server.wait_until_tty_matches("1", "Success : Password changed")
254
+
server.send_chars("clear\n")
meta.maintainers = [ pkgs.lib.maintainers.dblsaiko ];
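Review bot: The "Server: kinit alice" subtest (new lines 234–235) writes the hard-coded string `alice_pw_2` to pw.txt, but by that point alice's password has been rotated to the random `alice_krb_pw` in the preceding "Client: kpasswd alice" subtest, so the kinit should fail; the line also lacks a trailing comma, so Python's implicit string concatenation fuses it with the next literal into a single malformed shell command. The two lines should read `f"echo '{alice_krb_pw}' > pw.txt",` and `"kinit -p --password-file=pw.txt alice",`, matching the client-side subtest at new lines 210–211. On new line 237 the same subtest then checks `tickets = client.succeed("klist")`, so the assertion inspects the client's credential cache rather than the ticket just obtained on the server; it should be `tickets = server.succeed("klist")`. As a lesser point, the passwords are passed through `echo ... > pw.txt` and the file is left in the home directory afterwards, which is tolerable in a throwaway VM but worth a `rm -f pw.txt` once kinit succeeds. The enclosing testScript starts outside the visible hunks, so the exact call wrapping these string arguments could not be checked here.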