| author | Cy Schubert <cy@FreeBSD.org> | 2025-04-17 02:13:41 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2025-05-27 16:20:06 +0000 |
| commit | 24f0b4ca2d565cdbb4fe7839ff28320706bf2386 (patch) | |
| tree | bc9ce87edb73f767f5580887d0fc8c643b9d7a49 /tests/data/scripts | |
Diffstat (limited to 'tests/data/scripts')
109 files changed, 2635 insertions, 0 deletions
diff --git a/tests/data/scripts/alt-auth/basic b/tests/data/scripts/alt-auth/basic
new file mode 100644
index 000000000000..92628e98cd8f
--- /dev/null
+++ b/tests/data/scripts/alt-auth/basic
@@ -0,0 +1,19 @@
+# Test simplest case of alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%1 force_first_pass no_ccache
+ account = alt_auth_map=%1 no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %1
diff --git a/tests/data/scripts/alt-auth/basic-debug b/tests/data/scripts/alt-auth/basic-debug
new file mode 100644
index 000000000000..325a8117284c
--- /dev/null
+++ b/tests/data/scripts/alt-auth/basic-debug
@@ -0,0 +1,25 @@
+# Test simplest case of alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%1 force_first_pass no_ccache debug
+ account = alt_auth_map=%1 no_ccache debug
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) mapping bogus-nonexistent-account to %1
+ DEBUG (user %u) alternate authentication successful
+ INFO user %u authenticated as %1
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG pam_sm_acct_mgmt: exit (success)
diff --git a/tests/data/scripts/alt-auth/fail b/tests/data/scripts/alt-auth/fail
new file mode 100644
index 000000000000..ec2145f3098f
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fail
@@ -0,0 +1,19 @@
+# Test failure of alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=bogus force_first_pass no_ccache
+ account = alt_auth_map=bogus no_ccache
+
+[run]
+ authenticate = PAM_AUTHINFO_UNAVAIL
+ acct_mgmt = PAM_IGNORE
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/alt-auth/fail-debug b/tests/data/scripts/alt-auth/fail-debug
new file mode 100644
index 000000000000..ae96bb148e6a
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fail-debug
@@ -0,0 +1,28 @@
+# Test failure of alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=bogus force_first_pass no_ccache debug
+ account = alt_auth_map=bogus no_ccache debug
+
+[run]
+ authenticate = PAM_AUTHINFO_UNAVAIL
+ acct_mgmt = PAM_IGNORE
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) mapping bogus-nonexistent-account to bogus@%2
+ DEBUG /^\(user %u\) alternate authentication failed: /
+ DEBUG (user %u) attempting authentication as %u@%2
+ DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG skipping non-Kerberos login
+ DEBUG pam_sm_acct_mgmt: exit (ignore)
diff --git a/tests/data/scripts/alt-auth/fallback b/tests/data/scripts/alt-auth/fallback
new file mode 100644
index 000000000000..a0ee7a3d4292
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fallback
@@ -0,0 +1,25 @@
+# Test alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%%s/unknown-user no_ccache
+ account = alt_auth_map=%%s/unknown-user no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/alt-auth/fallback-debug b/tests/data/scripts/alt-auth/fallback-debug
new file mode 100644
index 000000000000..f63741a60a16
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fallback-debug
@@ -0,0 +1,38 @@
+# Test alternative authentication principal with debug logging. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%%s/unknown-user no_ccache debug
+ account = alt_auth_map=%%s/unknown-user no_ccache debug
+ session = no_ccache debug
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) mapping %u to %0/unknown-user@%2
+ DEBUG /^\(user %u\) alternate authentication failed: /
+ DEBUG (user %u) attempting authentication as %u
+ DEBUG (user %u) mapped user %0/unknown-user@%2 does not match principal %u
+ INFO user %u authenticated as %u
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG (user %u) mapped user %0/unknown-user@%2 does not match principal %u
+ DEBUG pam_sm_acct_mgmt: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/alt-auth/fallback-realm b/tests/data/scripts/alt-auth/fallback-realm
new file mode 100644
index 000000000000..0eef10fd5056
--- /dev/null
+++ b/tests/data/scripts/alt-auth/fallback-realm
@@ -0,0 +1,25 @@
+# Test alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%%s@BOGUS.EXAMPLE.COM no_ccache
+ account = alt_auth_map=%%s@BOGUS.EXAMPLE.COM no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/alt-auth/force b/tests/data/scripts/alt-auth/force
new file mode 100644
index 000000000000..4ad34f6f1fe4
--- /dev/null
+++ b/tests/data/scripts/alt-auth/force
@@ -0,0 +1,19 @@
+# Test forced alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%1 force_alt_auth force_first_pass no_ccache
+ account = alt_auth_map=%1 no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %1
diff --git a/tests/data/scripts/alt-auth/force-fail-debug b/tests/data/scripts/alt-auth/force-fail-debug
new file mode 100644
index 000000000000..cc077b1a4743
--- /dev/null
+++ b/tests/data/scripts/alt-auth/force-fail-debug
@@ -0,0 +1,26 @@
+# Test failure of forced authentication principal (no fallback). -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%1 force_alt_auth force_first_pass no_ccache debug
+ account = alt_auth_map=%1 no_ccache debug
+
+[run]
+ authenticate = PAM_AUTH_ERR
+ acct_mgmt = PAM_IGNORE
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) mapping bogus-nonexistent-account to %1
+ DEBUG /^\(user %u\) alternate authentication failed: /
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG skipping non-Kerberos login
+ DEBUG pam_sm_acct_mgmt: exit (ignore)
diff --git a/tests/data/scripts/alt-auth/force-fallback b/tests/data/scripts/alt-auth/force-fallback
new file mode 100644
index 000000000000..b93b04175ed5
--- /dev/null
+++ b/tests/data/scripts/alt-auth/force-fallback
@@ -0,0 +1,25 @@
+# Test forced alternative authentication with fallback. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%%s/unknown-user force_alt_auth no_ccache
+ account = alt_auth_map=%%s/unknown-user no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/alt-auth/only b/tests/data/scripts/alt-auth/only
new file mode 100644
index 000000000000..7761fc7fd0ce
--- /dev/null
+++ b/tests/data/scripts/alt-auth/only
@@ -0,0 +1,19 @@
+# Test required alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%1 only_alt_auth force_first_pass no_ccache
+ account = alt_auth_map=%1 no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %1
diff --git a/tests/data/scripts/alt-auth/only-fail b/tests/data/scripts/alt-auth/only-fail
new file mode 100644
index 000000000000..5c2831614928
--- /dev/null
+++ b/tests/data/scripts/alt-auth/only-fail
@@ -0,0 +1,22 @@
+# Test failure of required alternative authentication. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=bogus only_alt_auth no_ccache
+ account = alt_auth_map=bogus no_ccache
+
+[run]
+ authenticate = PAM_USER_UNKNOWN
+ acct_mgmt = PAM_IGNORE
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/alt-auth/username-map b/tests/data/scripts/alt-auth/username-map
new file mode 100644
index 000000000000..7f28a670344b
--- /dev/null
+++ b/tests/data/scripts/alt-auth/username-map
@@ -0,0 +1,19 @@
+# Test username mapping of alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%%s@%2 force_first_pass no_ccache
+ account = alt_auth_map=%%s@%2 no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %1
diff --git a/tests/data/scripts/alt-auth/username-map-prefix b/tests/data/scripts/alt-auth/username-map-prefix
new file mode 100644
index 000000000000..5e83fc888d77
--- /dev/null
+++ b/tests/data/scripts/alt-auth/username-map-prefix
@@ -0,0 +1,19 @@
+# Test username mapping of alternative authentication principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = alt_auth_map=%3%%s@%2 force_first_pass no_ccache
+ account = alt_auth_map=%3%%s@%2 no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %1
diff --git a/tests/data/scripts/bad-authtok/no-prompt b/tests/data/scripts/bad-authtok/no-prompt
new file mode 100644
index 000000000000..e0c10cc69804
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/no-prompt
@@ -0,0 +1,25 @@
+# Defer prompting to the Kerberos library after bad authtok. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache no_prompt try_first_pass
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = /^(%u's Password|Password for %u): $/|%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/bad-authtok/try-first b/tests/data/scripts/bad-authtok/try-first
new file mode 100644
index 000000000000..cde6153efaeb
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/try-first
@@ -0,0 +1,25 @@
+# Test try_first_pass with a bad initial AUTHTOK. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = try_first_pass no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/bad-authtok/try-first-debug b/tests/data/scripts/bad-authtok/try-first-debug
new file mode 100644
index 000000000000..c76ce7ac89dd
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/try-first-debug
@@ -0,0 +1,36 @@
+# Test try_first_pass with a bad initial AUTHTOK and debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = try_first_pass no_ccache debug
+ account = no_ccache debug
+ session = no_ccache debug
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %u
+ DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+ DEBUG (user %u) attempting authentication as %u
+ INFO user %u authenticated as %u
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG pam_sm_acct_mgmt: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/bad-authtok/use-first b/tests/data/scripts/bad-authtok/use-first
new file mode 100644
index 000000000000..62d55ca2146f
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/use-first
@@ -0,0 +1,22 @@
+# Test use_first_pass with a bad initial AUTHTOK. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = use_first_pass no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_AUTH_ERR
+ acct_mgmt = PAM_IGNORE
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/bad-authtok/use-first-debug b/tests/data/scripts/bad-authtok/use-first-debug
new file mode 100644
index 000000000000..4346d2395cb0
--- /dev/null
+++ b/tests/data/scripts/bad-authtok/use-first-debug
@@ -0,0 +1,33 @@
+# Test use_first_pass with a bad initial AUTHTOK and debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = use_first_pass no_ccache debug
+ account = no_ccache debug
+ session = no_ccache debug
+
+[run]
+ authenticate = PAM_AUTH_ERR
+ acct_mgmt = PAM_IGNORE
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %u
+ DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG skipping non-Kerberos login
+ DEBUG pam_sm_acct_mgmt: exit (ignore)
+ DEBUG pam_sm_open_session: entry
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/basic/force-first b/tests/data/scripts/basic/force-first
new file mode 100644
index 000000000000..792d737ba7c3
--- /dev/null
+++ b/tests/data/scripts/basic/force-first
@@ -0,0 +1,22 @@
+# Test force_first_pass without an authtok. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_AUTH_ERR
+ acct_mgmt = PAM_IGNORE
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/basic/force-first-debug b/tests/data/scripts/basic/force-first-debug
new file mode 100644
index 000000000000..539345316183
--- /dev/null
+++ b/tests/data/scripts/basic/force-first-debug
@@ -0,0 +1,32 @@
+# Test force_first_pass without an authtok. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache debug
+ account = no_ccache debug
+ session = no_ccache debug
+
+[run]
+ authenticate = PAM_AUTH_ERR
+ acct_mgmt = PAM_IGNORE
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) no stored password
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG skipping non-Kerberos login
+ DEBUG pam_sm_acct_mgmt: exit (ignore)
+ DEBUG pam_sm_open_session: entry
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/basic/ignore-root b/tests/data/scripts/basic/ignore-root
new file mode 100644
index 000000000000..bfbfee5c86df
--- /dev/null
+++ b/tests/data/scripts/basic/ignore-root
@@ -0,0 +1,16 @@
+# Test account and session behavior for ignored root user. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_root
+ password = ignore_root
+
+[run]
+ authenticate = PAM_USER_UNKNOWN
+ chauthtok(PRELIM_CHECK) = PAM_IGNORE
diff --git a/tests/data/scripts/basic/ignore-root-debug b/tests/data/scripts/basic/ignore-root-debug
new file mode 100644
index 000000000000..2ffd33c16229
--- /dev/null
+++ b/tests/data/scripts/basic/ignore-root-debug
@@ -0,0 +1,24 @@
+# Test account and session behavior for ignored root user. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_root debug
+ password = ignore_root debug
+
+[run]
+ authenticate = PAM_USER_UNKNOWN
+ chauthtok(PRELIM_CHECK) = PAM_IGNORE
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user root) ignoring root user
+ DEBUG pam_sm_authenticate: exit (failure)
+ DEBUG pam_sm_chauthtok: entry (prelim)
+ DEBUG ignoring root user
+ DEBUG pam_sm_chauthtok: exit (ignore)
diff --git a/tests/data/scripts/basic/minimum-uid b/tests/data/scripts/basic/minimum-uid
new file mode 100644
index 000000000000..e56161041306
--- /dev/null
+++ b/tests/data/scripts/basic/minimum-uid
@@ -0,0 +1,13 @@
+# Test account and session behavior for minimum UID. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = minimum_uid=%1
+ password = minimum_uid=%1
+
+[run]
+ authenticate = PAM_USER_UNKNOWN
+ chauthtok(PRELIM_CHECK) = PAM_IGNORE
diff --git a/tests/data/scripts/basic/minimum-uid-debug b/tests/data/scripts/basic/minimum-uid-debug
new file mode 100644
index 000000000000..c20e43d55ac8
--- /dev/null
+++ b/tests/data/scripts/basic/minimum-uid-debug
@@ -0,0 +1,21 @@
+# Test account and session behavior for minimum UID (debug). -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = minimum_uid=%1 debug
+ password = minimum_uid=%1 debug
+
+[run]
+ authenticate = PAM_USER_UNKNOWN
+ chauthtok(PRELIM_CHECK) = PAM_IGNORE
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) ignoring low-UID user (%0 < %1)
+ DEBUG pam_sm_authenticate: exit (failure)
+ DEBUG pam_sm_chauthtok: entry (prelim)
+ DEBUG ignoring low-UID user (%0 < %1)
+ DEBUG pam_sm_chauthtok: exit (ignore)
diff --git a/tests/data/scripts/basic/no-context b/tests/data/scripts/basic/no-context
new file mode 100644
index 000000000000..5629422e23d9
--- /dev/null
+++ b/tests/data/scripts/basic/no-context
@@ -0,0 +1,17 @@
+# Test account and session behavior with no context. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+ acct_mgmt = PAM_IGNORE
+ setcred(DELETE_CRED) = PAM_SUCCESS
+ setcred(ESTABLISH_CRED) = PAM_SUCCESS
+ setcred(REFRESH_CRED) = PAM_SUCCESS
+ setcred(REINITIALIZE_CRED) = PAM_SUCCESS
+ open_session = PAM_IGNORE
+ close_session = PAM_SUCCESS
diff --git a/tests/data/scripts/basic/no-context-debug b/tests/data/scripts/basic/no-context-debug
new file mode 100644
index 000000000000..4bdeee727ed7
--- /dev/null
+++ b/tests/data/scripts/basic/no-context-debug
@@ -0,0 +1,47 @@
+# Test account and session behavior with no context. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = debug
+ account = debug
+ session = debug
+
+[run]
+ acct_mgmt = PAM_IGNORE
+ setcred(DELETE_CRED) = PAM_SUCCESS
+ setcred(ESTABLISH_CRED) = PAM_SUCCESS
+ setcred(REFRESH_CRED) = PAM_SUCCESS
+ setcred(REINITIALIZE_CRED) = PAM_SUCCESS
+ open_session = PAM_IGNORE
+ close_session = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG skipping non-Kerberos login
+ DEBUG pam_sm_acct_mgmt: exit (ignore)
+ DEBUG pam_sm_setcred: entry (delete)
+ DEBUG pam_sm_setcred: exit (success)
+ DEBUG pam_sm_setcred: entry (establish)
+ DEBUG no context found, creating one
+ DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+ DEBUG pam_sm_setcred: exit (success)
+ DEBUG pam_sm_setcred: entry (refresh)
+ DEBUG no context found, creating one
+ DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+ DEBUG pam_sm_setcred: exit (success)
+ DEBUG pam_sm_setcred: entry (reinit)
+ DEBUG no context found, creating one
+ DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+ DEBUG pam_sm_setcred: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG no context found, creating one
+ DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+ DEBUG pam_sm_open_session: exit (ignore)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/cache-cleanup/auth-only b/tests/data/scripts/cache-cleanup/auth-only
new file mode 100644
index 000000000000..c29608f3c8da
--- /dev/null
+++ b/tests/data/scripts/cache-cleanup/auth-only
@@ -0,0 +1,17 @@
+# Test authentication only with ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass ignore_k5login ccache_dir=FILE:%1
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/basic b/tests/data/scripts/cache/basic
new file mode 100644
index 000000000000..6b1042f3084b
--- /dev/null
+++ b/tests/data/scripts/cache/basic
@@ -0,0 +1,21 @@
+# Test basic authentication with ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass ignore_k5login
+ account = ignore_k5login
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/end-data-silent b/tests/data/scripts/cache/end-data-silent
new file mode 100644
index 000000000000..f172008bc574
--- /dev/null
+++ b/tests/data/scripts/cache/end-data-silent
@@ -0,0 +1,27 @@
+# Test pam_end with PAM_DATA_SILENT. -*- conf -*-
+#
+# Passing PAM_DATA_SILENT to pam_end should cause the credential cache to not
+# be deleted (under the assumption that pam_end is being called in a forked
+# process and will be called again in the parent to clean up resources).
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020-2021 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass ignore_k5login
+ account = ignore_k5login
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+
+[end]
+ flags = PAM_DATA_SILENT
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/open-session b/tests/data/scripts/cache/open-session
new file mode 100644
index 000000000000..83e48c36511e
--- /dev/null
+++ b/tests/data/scripts/cache/open-session
@@ -0,0 +1,20 @@
+# Test authentication with ticket cache, open session. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass ignore_k5login
+ account = ignore_k5login
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/search-k5login b/tests/data/scripts/cache/search-k5login
new file mode 100644
index 000000000000..b87c28147edb
--- /dev/null
+++ b/tests/data/scripts/cache/search-k5login
@@ -0,0 +1,20 @@
+# Test authentication with search_k5login, open session. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass search_k5login
+ account = search_k5login
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/cache/search-k5login-debug b/tests/data/scripts/cache/search-k5login-debug
new file mode 100644
index 000000000000..eb50b9e47eaf
--- /dev/null
+++ b/tests/data/scripts/cache/search-k5login-debug
@@ -0,0 +1,34 @@
+# Test authentication with search_k5login and debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass search_k5login debug
+ account = search_k5login debug
+ session = debug
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %0
+ INFO user %u authenticated as %0
+ DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG (user %u) retrieving principal from cache
+ DEBUG pam_sm_acct_mgmt: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/basic-heimdal b/tests/data/scripts/expired/basic-heimdal
new file mode 100644
index 000000000000..2b4f471cf247
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal
@@ -0,0 +1,31 @@
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2017, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login
+ account = ignore_k5login
+ password = ignore_k5login
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ info = Password has expired
+ info = Your password will expire at %1
+ info = Changing password
+ echo_off = New password: |%n
+ echo_off = Repeat new password: |%n
+ info = Success: Password changed
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-heimdal-debug b/tests/data/scripts/expired/basic-heimdal-debug
new file mode 100644
index 000000000000..a18cc00c71a9
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-debug
@@ -0,0 +1,44 @@
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2017, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login debug
+ account = ignore_k5login debug
+ password = ignore_k5login debug
+ session = debug
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ info = Password has expired
+ info = Your password will expire at %1
+ info = Changing password
+ echo_off = New password: |%n
+ echo_off = Repeat new password: |%n
+ info = Success: Password changed
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %0
+ INFO user %u authenticated as %0
+ DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG (user %u) retrieving principal from cache
+ DEBUG pam_sm_acct_mgmt: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/basic-heimdal-flag-silent b/tests/data/scripts/expired/basic-heimdal-flag-silent
new file mode 100644
index 000000000000..58e065b485bb
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-flag-silent
@@ -0,0 +1,27 @@
+# Test default handling of expired passwords with PAM_SILENT. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login
+ account = ignore_k5login
+ password = ignore_k5login
+
+[run]
+ authenticate(SILENT) = PAM_SUCCESS
+ acct_mgmt(SILENT) = PAM_SUCCESS
+ open_session(SILENT) = PAM_SUCCESS
+ close_session(SILENT) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ echo_off = New password: |%n
+ echo_off = Repeat new password: |%n
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-heimdal-old b/tests/data/scripts/expired/basic-heimdal-old
new file mode 100644
index 000000000000..dd67ec44df7c
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-old
@@ -0,0 +1,30 @@
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login
+ account = ignore_k5login
+ password = ignore_k5login
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ info = Your password will expire at %1
+ info = Changing password
+ echo_off = New password: |%n
+ echo_off = Repeat new password: |%n
+ info = Success: Password changed
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-heimdal-old-debug b/tests/data/scripts/expired/basic-heimdal-old-debug
new file mode 100644
index 000000000000..53267f5fac62
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-old-debug
@@ -0,0 +1,43 @@
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login debug
+ account = ignore_k5login debug
+ password = ignore_k5login debug
+ session = debug
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ info = Your password will expire at %1
+ info = Changing password
+ echo_off = New password: |%n
+ echo_off = Repeat new password: |%n
+ info = Success: Password changed
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %0
+ INFO user %u authenticated as %0
+ DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG (user %u) retrieving principal from cache
+ DEBUG pam_sm_acct_mgmt: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/basic-heimdal-silent b/tests/data/scripts/expired/basic-heimdal-silent
new file mode 100644
index 000000000000..028d5fe382f6
--- /dev/null
+++ b/tests/data/scripts/expired/basic-heimdal-silent
@@ -0,0 +1,27 @@
+# Test default handling of expired passwords with silent. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login silent
+ account = ignore_k5login silent
+ password = ignore_k5login silent
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ echo_off = New password: |%n
+ echo_off = Repeat new password: |%n
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-mit b/tests/data/scripts/expired/basic-mit
new file mode 100644
index 000000000000..9611381b4ce9
--- /dev/null
+++ b/tests/data/scripts/expired/basic-mit
@@ -0,0 +1,28 @@
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login
+ account = ignore_k5login
+ password = ignore_k5login
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ info = Password expired. You must change it now.
+ echo_off = Enter new password: |%n
+ echo_off = Enter it again: |%n
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-mit-debug b/tests/data/scripts/expired/basic-mit-debug
new file mode 100644
index 000000000000..5b58b25b8ec2
--- /dev/null
+++ b/tests/data/scripts/expired/basic-mit-debug
@@ -0,0 +1,41 @@
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login debug
+ account = ignore_k5login debug
+ password = ignore_k5login debug
+ session = debug
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ info = Password expired. You must change it now.
+ echo_off = Enter new password: |%n
+ echo_off = Enter it again: |%n
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %0
+ INFO user %u authenticated as %0
+ DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG (user %u) retrieving principal from cache
+ DEBUG pam_sm_acct_mgmt: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG /^\(user %u\) initializing ticket cache FILE:/tmp/krb5cc_/
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/basic-mit-flag-silent b/tests/data/scripts/expired/basic-mit-flag-silent
new file mode 100644
index 000000000000..a13bffdeea44
--- /dev/null
+++ b/tests/data/scripts/expired/basic-mit-flag-silent
@@ -0,0 +1,27 @@
+# Test default handling of expired passwords with PAM_SILENT. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login
+ account = ignore_k5login
+ password = ignore_k5login
+
+[run]
+ authenticate(SILENT) = PAM_SUCCESS
+ acct_mgmt(SILENT) = PAM_SUCCESS
+ open_session(SILENT) = PAM_SUCCESS
+ close_session(SILENT) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ echo_off = Enter new password: |%n
+ echo_off = Enter it again: |%n
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/basic-mit-silent b/tests/data/scripts/expired/basic-mit-silent
new file mode 100644
index 000000000000..7dea2b7bdd4e
--- /dev/null
+++ b/tests/data/scripts/expired/basic-mit-silent
@@ -0,0 +1,27 @@
+# Test default handling of expired passwords with silent. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login silent
+ account = ignore_k5login silent
+ password = ignore_k5login silent
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+ echo_off = Enter new password: |%n
+ echo_off = Enter it again: |%n
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/defer-mit b/tests/data/scripts/expired/defer-mit
new file mode 100644
index 000000000000..7403edbfdbbf
--- /dev/null
+++ b/tests/data/scripts/expired/defer-mit
@@ -0,0 +1,33 @@
+# Test deferring handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = defer_pwchange use_first_pass
+ account = ignore_k5login
+ password = ignore_k5login use_first_pass
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_NEW_AUTHTOK_REQD
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current Kerberos password: |%p
+ echo_off = Enter new Kerberos password: |%n
+ echo_off = Retype new Kerberos password: |%n
+
+[output]
+ INFO user %u authenticated as %0 (expired)
+ INFO user %u account password is expired
+ INFO user %u changed Kerberos password
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/expired/defer-mit-debug b/tests/data/scripts/expired/defer-mit-debug
new file mode 100644
index 000000000000..c637f39402f7
--- /dev/null
+++ b/tests/data/scripts/expired/defer-mit-debug
@@ -0,0 +1,57 @@
+# Test deferring handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = defer_pwchange use_first_pass debug
+ account = ignore_k5login debug
+ password = ignore_k5login use_first_pass debug
+ session = debug
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_NEW_AUTHTOK_REQD
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current Kerberos password: |%p
+ echo_off = Enter new Kerberos password: |%n
+ echo_off = Retype new Kerberos password: |%n
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %0
+ DEBUG (user %u) krb5_get_init_creds_password: Password has expired
+ DEBUG (user %u) expired account, deferring failure
+ INFO user %u authenticated as %0 (expired)
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ INFO user %u account password is expired
+ DEBUG pam_sm_acct_mgmt: exit (failure)
+ DEBUG pam_sm_chauthtok: entry (prelim)
+ DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+ DEBUG pam_sm_chauthtok: exit (success)
+ DEBUG pam_sm_chauthtok: entry (update)
+ INFO user %u changed Kerberos password
+ DEBUG (user %u) obtaining credentials with new password
+ DEBUG (user %u) attempting authentication as %0
+ INFO user %u authenticated as %0
+ DEBUG /^\(user %u\) temporarily storing credentials in /tmp/krb5cc_pam_/
+ DEBUG pam_sm_chauthtok: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG (user %u) retrieving principal from cache
+ DEBUG pam_sm_acct_mgmt: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG /^\(user %u\) initializing ticket cache 
FILE:/tmp/krb5cc_/
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/expired/fail b/tests/data/scripts/expired/fail
new file mode 100644
index 000000000000..566b4b9c73dc
--- /dev/null
+++ b/tests/data/scripts/expired/fail
@@ -0,0 +1,20 @@
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login fail_pwchange
+
+[run]
+ authenticate = PAM_AUTH_ERR
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/expired/fail-debug b/tests/data/scripts/expired/fail-debug
new file mode 100644
index 000000000000..7f464b4ed89f
--- /dev/null
+++ b/tests/data/scripts/expired/fail-debug
@@ -0,0 +1,24 @@
+# Test default handling of expired passwords. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = ignore_k5login fail_pwchange debug
+
+[run]
+ authenticate = PAM_AUTH_ERR
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %0
+ DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
diff --git a/tests/data/scripts/fast/anonymous b/tests/data/scripts/fast/anonymous
new file mode 100644
index 000000000000..5f725ae63dcf
--- /dev/null
+++ b/tests/data/scripts/fast/anonymous
@@ -0,0 +1,17 @@
+# Test anonymous FAST. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache anon_fast
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %0
diff --git a/tests/data/scripts/fast/anonymous-debug b/tests/data/scripts/fast/anonymous-debug
new file mode 100644
index 000000000000..48fd1eadd581
--- /dev/null
+++ b/tests/data/scripts/fast/anonymous-debug
@@ -0,0 +1,22 @@
+# Test FAST with an existing ticket cache, with debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache anon_fast debug
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) anonymous authentication for FAST succeeded
+ DEBUG /^\(user %u\) setting FAST credential cache to MEMORY:/
+ DEBUG (user %u) attempting authentication as %0
+ INFO user %u authenticated as %0
+ DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/fast/ccache b/tests/data/scripts/fast/ccache
new file mode 100644
index 000000000000..32e5eaa92465
--- /dev/null
+++ b/tests/data/scripts/fast/ccache
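Review bot: The header comment of tests/data/scripts/fast/anonymous-debug reads "Test FAST with an existing ticket cache, with debug", but the script sets `anon_fast` and expects "anonymous authentication for FAST succeeded", so the description belongs to the fast/ccache-debug case rather than this one. I would change the first line to `# Test anonymous FAST, with debug.  -*- conf -*-` so the description matches the option under test. Only the comment is affected; the options, run and output sections are consistent with fast/anonymous in the preceding hunk.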
@@ -0,0 +1,17 @@
+# Test FAST with an existing ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache fast_ccache=%0
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/fast/ccache-debug b/tests/data/scripts/fast/ccache-debug
new file mode 100644
index 000000000000..f3788f2fc1c7
--- /dev/null
+++ b/tests/data/scripts/fast/ccache-debug
@@ -0,0 +1,21 @@
+# Test FAST with an existing ticket cache, with debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache fast_ccache=%0 debug
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) setting FAST credential cache to %0
+ DEBUG (user %u) attempting authentication as %u
+ INFO user %u authenticated as %u
+ DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/fast/no-ccache b/tests/data/scripts/fast/no-ccache
new file mode 100644
index 000000000000..71d4e2d494cf
--- /dev/null
+++ b/tests/data/scripts/fast/no-ccache
@@ -0,0 +1,17 @@
+# Test FAST with an existing ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache fast_ccache=%0BAD
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/fast/no-ccache-debug b/tests/data/scripts/fast/no-ccache-debug
new file mode 100644
index 000000000000..743ad5559538
--- /dev/null
+++ b/tests/data/scripts/fast/no-ccache-debug
@@ -0,0 +1,21 @@
+# Test FAST with an existing ticket cache, with debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache fast_ccache=%0BAD debug
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG /^\(user %u\) failed to get principal from FAST ccache %0BAD: /
+ DEBUG (user %u) attempting authentication as %u
+ INFO user %u authenticated as %u
+ DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/long/password b/tests/data/scripts/long/password
new file mode 100644
index 000000000000..e8183976c004
--- /dev/null
+++ b/tests/data/scripts/long/password
@@ -0,0 +1,14 @@
+# Test authentication with an excessively long password. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+ authenticate = PAM_AUTH_ERR
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
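Review bot: The header comments of fast/no-ccache and fast/no-ccache-debug still say "Test FAST with an existing ticket cache", while both set `fast_ccache=%0BAD` and expect `authenticate = PAM_SUCCESS`. The debug variant expects a "failed to get principal from FAST ccache" message followed by an ordinary authentication, so these scripts pin that an unusable FAST cache is only logged at debug level and authentication carries on, presumably without FAST armor. The comment should state that, for example `# Test that an unusable fast_ccache is skipped and authentication continues.`, because as far as these expectations show the option does not enforce armoring and a reader relying on FAST would want that spelled out.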
diff --git a/tests/data/scripts/long/password-debug b/tests/data/scripts/long/password-debug
new file mode 100644
index 000000000000..832c19340485
--- /dev/null
+++ b/tests/data/scripts/long/password-debug
@@ -0,0 +1,20 @@
+# Test excessively long password handling with debug logging. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = debug
+
+[run]
+ authenticate = PAM_AUTH_ERR
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
diff --git a/tests/data/scripts/long/use-first b/tests/data/scripts/long/use-first
new file mode 100644
index 000000000000..b68800485d04
--- /dev/null
+++ b/tests/data/scripts/long/use-first
@@ -0,0 +1,14 @@
+# Test use_first_pass with an excessively long password. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = use_first_pass
+
+[run]
+ authenticate = PAM_AUTH_ERR
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/long/use-first-debug b/tests/data/scripts/long/use-first-debug
new file mode 100644
index 000000000000..72747e81f40c
--- /dev/null
+++ b/tests/data/scripts/long/use-first-debug
@@ -0,0 +1,17 @@
+# Test use_first_pass with a long password and debug. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = use_first_pass debug
+
+[run]
+ authenticate = PAM_AUTH_ERR
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
diff --git a/tests/data/scripts/no-cache/no-prompt b/tests/data/scripts/no-cache/no-prompt
new file mode 100644
index 000000000000..1eef2f26b4ee
--- /dev/null
+++ b/tests/data/scripts/no-cache/no-prompt
@@ -0,0 +1,25 @@
+# Defer prompting to the Kerberos library. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache no_prompt
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = /^(%u's Password|Password for %u): $/|%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/no-prompt-try b/tests/data/scripts/no-cache/no-prompt-try
new file mode 100644
index 000000000000..1d632a96f9e6
--- /dev/null
+++ b/tests/data/scripts/no-cache/no-prompt-try
@@ -0,0 +1,25 @@
+# Defer prompting to the Kerberos library w/try_first_pass. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache no_prompt try_first_pass
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = /^(%u's Password|Password for %u): $/|%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/no-prompt-use b/tests/data/scripts/no-cache/no-prompt-use
new file mode 100644
index 000000000000..76ef388465d2
--- /dev/null
+++ b/tests/data/scripts/no-cache/no-prompt-use
@@ -0,0 +1,25 @@
+# Defer prompting to the Kerberos library w/use_first_pass. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache no_prompt
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = /^(%u's Password|Password for %u): $/|%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/prompt b/tests/data/scripts/no-cache/prompt
new file mode 100644
index 000000000000..b0eb0d9ca57b
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt
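Review bot: tests/data/scripts/no-cache/no-prompt-use is titled "w/use_first_pass", but its auth line is `auth = no_ccache no_prompt`, the same options as no-cache/no-prompt, so as written the two scripts exercise the same configuration and the use_first_pass path is not covered by this file. The neighbouring no-prompt-try script does carry `try_first_pass`, which suggests the option was left out here. Unless the test driver adds the option elsewhere, the line should read `auth = no_ccache no_prompt use_first_pass`; otherwise the header comment should be corrected to match.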
@@ -0,0 +1,25 @@
+# Test basic auth w/prompting without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/prompt-expose b/tests/data/scripts/no-cache/prompt-expose
new file mode 100644
index 000000000000..a3365cc69754
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt-expose
@@ -0,0 +1,25 @@
+# Test basic auth w/prompting without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = expose_account no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password for %u: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/prompt-fail b/tests/data/scripts/no-cache/prompt-fail
new file mode 100644
index 000000000000..376b0f911997
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt-fail
@@ -0,0 +1,25 @@
+# Test failed password authentication. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_AUTH_ERR
+ acct_mgmt = PAM_IGNORE
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |BAD%p
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/no-cache/prompt-fail-debug b/tests/data/scripts/no-cache/prompt-fail-debug
new file mode 100644
index 000000000000..9c9a7a406b4b
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt-fail-debug
@@ -0,0 +1,36 @@
+# Test failed password authentication with debug logging. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache debug
+ account = no_ccache debug
+ session = no_ccache debug
+
+[run]
+ authenticate = PAM_AUTH_ERR
+ acct_mgmt = PAM_IGNORE
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |BAD%p
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %u
+ DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG skipping non-Kerberos login
+ DEBUG pam_sm_acct_mgmt: exit (ignore)
+ DEBUG pam_sm_open_session: entry
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/no-cache/prompt-principal b/tests/data/scripts/no-cache/prompt-principal
new file mode 100644
index 000000000000..5e7278f1e92d
--- /dev/null
+++ b/tests/data/scripts/no-cache/prompt-principal
@@ -0,0 +1,26 @@
+# Test prompting for principal without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = prompt_principal no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_on = Principal: |%u
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/try-first b/tests/data/scripts/no-cache/try-first
new file mode 100644
index 000000000000..366801e9a078
--- /dev/null
+++ b/tests/data/scripts/no-cache/try-first
@@ -0,0 +1,25 @@
+# Test basic auth w/no AUTHTOK and try_first_pass. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = try_first_pass no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/no-cache/use-first b/tests/data/scripts/no-cache/use-first
new file mode 100644
index 000000000000..028009fd7ba7
--- /dev/null
+++ b/tests/data/scripts/no-cache/use-first
@@ -0,0 +1,25 @@
+# Test basic auth w/no AUTHTOK and use_first_pass. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = use_first_pass no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pam-user/no-update b/tests/data/scripts/pam-user/no-update
new file mode 100644
index 000000000000..36520bb4f332
--- /dev/null
+++ b/tests/data/scripts/pam-user/no-update
@@ -0,0 +1,20 @@
+# PAM_USER updates disabled. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache no_update_user
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pam-user/update b/tests/data/scripts/pam-user/update
new file mode 100644
index 000000000000..11d404a02144
--- /dev/null
+++ b/tests/data/scripts/pam-user/update
@@ -0,0 +1,20 @@
+# PAM_USER updates. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %0 authenticated as %1
diff --git a/tests/data/scripts/password/authtok b/tests/data/scripts/password/authtok
new file mode 100644
index 000000000000..9f6a39935b2d
--- /dev/null
+++ b/tests/data/scripts/password/authtok
@@ -0,0 +1,21 @@
+# Test password change with new authtok set but not old. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = use_authtok
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current Kerberos password: |%p
+
+[output]
+ INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/authtok-force b/tests/data/scripts/password/authtok-force
new file mode 100644
index 000000000000..3bc0b598521b
--- /dev/null
+++ b/tests/data/scripts/password/authtok-force
@@ -0,0 +1,18 @@
+# Test password change with new authtok set but not old. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = use_authtok force_first_pass
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[output]
+ INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/authtok-too-long b/tests/data/scripts/password/authtok-too-long
new file mode 100644
index 000000000000..df81e24977b3
--- /dev/null
+++ b/tests/data/scripts/password/authtok-too-long
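Review bot: The header comment of password/authtok-force is word for word the one in password/authtok (`# Test password change with new authtok set but not old.`), although this script adds `force_first_pass` and has no `[prompts]` section at all. With no prompt for the current password the "but not old" wording looks copied rather than accurate, though what the harness preloads as the old token is not visible in the hunk. A header such as `# Test password change with use_authtok and force_first_pass (no prompting).` would tell the two scripts apart.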
@@ -0,0 +1,17 @@
+# Test use_authtok with an excessively long password. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = use_authtok
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+ echo_off = Current Kerberos password: |%p
+
+[output]
diff --git a/tests/data/scripts/password/authtok-too-long-debug b/tests/data/scripts/password/authtok-too-long-debug
new file mode 100644
index 000000000000..cb38e8861102
--- /dev/null
+++ b/tests/data/scripts/password/authtok-too-long-debug
@@ -0,0 +1,23 @@
+# Test use_authtok with an excessively long password. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = use_authtok debug
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+ echo_off = Current Kerberos password: |%p
+
+[output]
+ DEBUG pam_sm_chauthtok: entry (prelim)
+ DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+ DEBUG pam_sm_chauthtok: exit (success)
+ DEBUG pam_sm_chauthtok: entry (update)
+ DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+ DEBUG pam_sm_chauthtok: exit (failure)
diff --git a/tests/data/scripts/password/banner b/tests/data/scripts/password/banner
new file mode 100644
index 000000000000..98c899c26af5
--- /dev/null
+++ b/tests/data/scripts/password/banner
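Review bot: The `[output]` section of password/authtok-too-long is empty even though `chauthtok(UPDATE_AUTHTOK)` is expected to return `PAM_AUTHTOK_ERR`, so the script pins that a rejected over-long password leaves no log line at the default level. The -debug variant right after it shows the only record is `DEBUG ... rejecting password longer than [0-9]+`, which an operator will not see unless `debug` is set. If the silence is intended, a comment above `[output]` such as `# No output expected: the rejection is logged only at DEBUG.` would make that explicit. password/too-long later in this diff has the same empty section.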
@@ -0,0 +1,23 @@
+# Test password change with a modified banner. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = banner=realm
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current realm password: |%p
+ echo_off = Enter new realm password: |%n
+ echo_off = Retype new realm password: |%n
+
+[output]
+ INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/banner-expose b/tests/data/scripts/password/banner-expose
new file mode 100644
index 000000000000..595fa0380b22
--- /dev/null
+++ b/tests/data/scripts/password/banner-expose
@@ -0,0 +1,23 @@
+# Test password change with banner and expose_account. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = expose_account banner=realm
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current realm password for %0: |%p
+ echo_off = Enter new realm password for %0: |%n
+ echo_off = Retype new realm password for %0: |%n
+
+[output]
+ INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/basic b/tests/data/scripts/password/basic
new file mode 100644
index 000000000000..5cb68267ce26
--- /dev/null
+++ b/tests/data/scripts/password/basic
@@ -0,0 +1,20 @@
+# Test password change with prompting. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current Kerberos password: |%p
+ echo_off = Enter new Kerberos password: |%n
+ echo_off = Retype new Kerberos password: |%n
+
+[output]
+ INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/basic-debug b/tests/data/scripts/password/basic-debug
new file mode 100644
index 000000000000..ca1c86b9c2c9
--- /dev/null
+++ b/tests/data/scripts/password/basic-debug
@@ -0,0 +1,28 @@
+# Test password change with prompting and debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = debug
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current Kerberos password: |%p
+ echo_off = Enter new Kerberos password: |%n
+ echo_off = Retype new Kerberos password: |%n
+
+[output]
+ DEBUG pam_sm_chauthtok: entry (prelim)
+ DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+ DEBUG pam_sm_chauthtok: exit (success)
+ DEBUG pam_sm_chauthtok: entry (update)
+ INFO user %u changed Kerberos password
+ DEBUG pam_sm_chauthtok: exit (success)
diff --git a/tests/data/scripts/password/expose b/tests/data/scripts/password/expose
new file mode 100644
index 000000000000..a82c1bd0b78d
--- /dev/null
+++ b/tests/data/scripts/password/expose
@@ -0,0 +1,23 @@
+# Test password change with prompting and expose_account. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = expose_account
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current Kerberos password for %0: |%p
+ echo_off = Enter new Kerberos password for %0: |%n
+ echo_off = Retype new Kerberos password for %0: |%n
+
+[output]
+ INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/ignore b/tests/data/scripts/password/ignore
new file mode 100644
index 000000000000..023cf5656f67
--- /dev/null
+++ b/tests/data/scripts/password/ignore
@@ -0,0 +1,18 @@
+# Test password prompt saving for ignored users. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = ignore_root
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_IGNORE
+ chauthtok(UPDATE_AUTHTOK) = PAM_IGNORE
+
+[prompts]
+ echo_off = Enter new password: |%n
+ echo_off = Retype new password: |%n
+
+[output]
diff --git a/tests/data/scripts/password/no-banner b/tests/data/scripts/password/no-banner
new file mode 100644
index 000000000000..9cabbd8ec5f9
--- /dev/null
+++ b/tests/data/scripts/password/no-banner
@@ -0,0 +1,23 @@
+# Test password change with no identifying banner. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = banner=
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current password: |%p
+ echo_off = Enter new password: |%n
+ echo_off = Retype new password: |%n
+
+[output]
+ INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/no-banner-expose b/tests/data/scripts/password/no-banner-expose
new file mode 100644
index 000000000000..3a5b944887bd
--- /dev/null
+++ b/tests/data/scripts/password/no-banner-expose
@@ -0,0 +1,23 @@
+# Test password change with no banner and expose_account. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = expose_account banner=
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+ echo_off = Current password for %0: |%p
+ echo_off = Enter new password for %0: |%n
+ echo_off = Retype new password for %0: |%n
+
+[output]
+ INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/prompt-principal b/tests/data/scripts/password/prompt-principal
new file mode 100644
index 000000000000..1e7274eb058e
--- /dev/null
+++ b/tests/data/scripts/password/prompt-principal
@@ -0,0 +1,24 @@
+# Test password change with prompting and prompt_principal. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = prompt_principal
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_SUCCESS
+
+[prompts]
+ echo_on = Principal: |%u
+ echo_off = Current Kerberos password: |%p
+ echo_off = Enter new Kerberos password: |%n
+ echo_off = Retype new Kerberos password: |%n
+
+[output]
+ INFO user %u changed Kerberos password
diff --git a/tests/data/scripts/password/too-long b/tests/data/scripts/password/too-long
new file mode 100644
index 000000000000..4dbabd5db11e
--- /dev/null
+++ b/tests/data/scripts/password/too-long
@@ -0,0 +1,15 @@
+# Test password change to an excessively long password. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+ echo_off = Current Kerberos password: |%p
+ echo_off = Enter new Kerberos password: |%n
+
+[output]
diff --git a/tests/data/scripts/password/too-long-debug b/tests/data/scripts/password/too-long-debug
new file mode 100644
index 000000000000..18b4ed608612
--- /dev/null
+++ b/tests/data/scripts/password/too-long-debug
@@ -0,0 +1,24 @@
+# Test password change to an excessively long password. -*- conf -*-
+#
+# Copyright 2020 Russ Allbery <eagle@eyrie.org>
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ password = debug
+
+[run]
+ chauthtok(PRELIM_CHECK) = PAM_SUCCESS
+ chauthtok(UPDATE_AUTHTOK) = PAM_AUTHTOK_ERR
+
+[prompts]
+ echo_off = Current Kerberos password: |%p
+ echo_off = Enter new Kerberos password: |%n
+
+[output]
+ DEBUG pam_sm_chauthtok: entry (prelim)
+ DEBUG (user %u) attempting authentication as %0 for kadmin/changepw
+ DEBUG pam_sm_chauthtok: exit (success)
+ DEBUG pam_sm_chauthtok: entry (update)
+ DEBUG /^\(user %u\) rejecting password longer than [0-9]+$/
+ DEBUG pam_sm_chauthtok: exit (failure)
diff --git a/tests/data/scripts/pkinit/basic b/tests/data/scripts/pkinit/basic
new file mode 100644
index 000000000000..713bf0af1ce1
--- /dev/null
+++ b/tests/data/scripts/pkinit/basic
@@ -0,0 +1,22 @@
+# Test PKINIT auth without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache use_pkinit pkinit_user=FILE:%0
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/basic-debug b/tests/data/scripts/pkinit/basic-debug
new file mode 100644
index 000000000000..92a3fcf934d6
--- /dev/null
+++ b/tests/data/scripts/pkinit/basic-debug
@@ -0,0 +1,30 @@
+# Test PKINIT auth without saving a ticket cache w/debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = debug no_ccache use_pkinit pkinit_user=FILE:%0
+ account = debug no_ccache
+ session = debug no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ INFO user %u authenticated as %u
+ DEBUG pam_sm_authenticate: exit (success)
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG pam_sm_acct_mgmt: exit (success)
+ DEBUG pam_sm_open_session: entry
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/pkinit/no-use-pkinit b/tests/data/scripts/pkinit/no-use-pkinit
new file mode 100644
index 000000000000..ead640bcc4a0
--- /dev/null
+++ b/tests/data/scripts/pkinit/no-use-pkinit
@@ -0,0 +1,18 @@
+# Test for unsupported use_pkinit. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache use_pkinit
+
+[run]
+ authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+ ERR use_pkinit requested but PKINIT not available or cannot be enforced
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/pkinit/pin-mit b/tests/data/scripts/pkinit/pin-mit
new file mode 100644
index 000000000000..9791ebc2ace6
--- /dev/null
+++ b/tests/data/scripts/pkinit/pin-mit
@@ -0,0 +1,20 @@
+# Test PKINIT auth with a PIN prompt. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache use_pkinit pkinit_user=PKCS12:%0
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[prompts]
+ echo_off = Pass phrase for %0: |%1
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/preauth-opt-mit b/tests/data/scripts/pkinit/preauth-opt-mit
new file mode 100644
index 000000000000..4602d18c7556
--- /dev/null
+++ b/tests/data/scripts/pkinit/preauth-opt-mit
@@ -0,0 +1,17 @@
+# Test PKINIT auth with MIT preauth options. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache try_pkinit preauth_opt=X509_user_identity=FILE:%0
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/prompt-try b/tests/data/scripts/pkinit/prompt-try
new file mode 100644
index 000000000000..723a228847e3
--- /dev/null
+++ b/tests/data/scripts/pkinit/prompt-try
@@ -0,0 +1,20 @@
+# Test try_pkinit with an initial prompt. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache try_pkinit pkinit_user=FILE:%0 pkinit_prompt
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[prompts]
+ echo_off = Insert smart card if desired, then press Enter: |
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/prompt-use b/tests/data/scripts/pkinit/prompt-use
new file mode 100644
index 000000000000..0b341d5d73ce
--- /dev/null
+++ b/tests/data/scripts/pkinit/prompt-use
@@ -0,0 +1,20 @@
+# Test use_pkinit with an initial prompt. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache use_pkinit pkinit_user=FILE:%0 pkinit_prompt
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[prompts]
+ echo_off = Insert smart card and press Enter: |
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/try-pkinit b/tests/data/scripts/pkinit/try-pkinit
new file mode 100644
index 000000000000..13b7bcf76653
--- /dev/null
+++ b/tests/data/scripts/pkinit/try-pkinit
@@ -0,0 +1,17 @@
+# Test optional PKINIT auth without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache try_pkinit pkinit_user=FILE:%0
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/pkinit/try-pkinit-debug b/tests/data/scripts/pkinit/try-pkinit-debug
new file mode 100644
index 000000000000..c721395abd07
--- /dev/null
+++ b/tests/data/scripts/pkinit/try-pkinit-debug
@@ -0,0 +1,19 @@
+# Test optional PKINIT auth w/debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = debug no_ccache try_pkinit pkinit_user=FILE:%0
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ INFO user %u authenticated as %u
+ DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/pkinit/try-pkinit-debug-mit b/tests/data/scripts/pkinit/try-pkinit-debug-mit
new file mode 100644
index 000000000000..2c8c966bdc03
--- /dev/null
+++ b/tests/data/scripts/pkinit/try-pkinit-debug-mit
@@ -0,0 +1,20 @@
+# Test optional PKINIT auth w/debug. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = debug no_ccache try_pkinit pkinit_user=FILE:%0
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %u
+ INFO user %u authenticated as %u
+ DEBUG pam_sm_authenticate: exit (success)
diff --git a/tests/data/scripts/realm/fail-bad-user-realm b/tests/data/scripts/realm/fail-bad-user-realm
new file mode 100644
index 000000000000..d30bec6f1f33
--- /dev/null
+++ b/tests/data/scripts/realm/fail-bad-user-realm
@@ -0,0 +1,17 @@
+# Test authentication failure with different user_realm. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache user_realm=%0
+
+[run]
+ authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/realm/fail-no-realm b/tests/data/scripts/realm/fail-no-realm
new file mode 100644
index 000000000000..87b59aab49f2
--- /dev/null
+++ b/tests/data/scripts/realm/fail-no-realm
@@ -0,0 +1,17 @@
+# Test authentication failure due to wrong realm. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache
+
+[run]
+ authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/realm/fail-no-realm-debug b/tests/data/scripts/realm/fail-no-realm-debug
new file mode 100644
index 000000000000..5ef2ce588177
--- /dev/null
+++ b/tests/data/scripts/realm/fail-no-realm-debug
@@ -0,0 +1,21 @@
+# Test authentication failure due to wrong realm. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache debug
+
+[run]
+ authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) attempting authentication as %u@%0
+ DEBUG /^\(user %u\) krb5_get_init_creds_password: /
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
diff --git a/tests/data/scripts/realm/fail-realm b/tests/data/scripts/realm/fail-realm
new file mode 100644
index 000000000000..6dfe6a044354
--- /dev/null
+++ b/tests/data/scripts/realm/fail-realm
@@ -0,0 +1,17 @@
+# Test authentication failure with different realm. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache realm=%0
+
+[run]
+ authenticate = PAM_AUTHINFO_UNAVAIL
+
+[output]
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/realm/fail-user-realm b/tests/data/scripts/realm/fail-user-realm
new file mode 100644
index 000000000000..c97324c2d028
--- /dev/null
+++ b/tests/data/scripts/realm/fail-user-realm
@@ -0,0 +1,18 @@
+# Test authentication failure with different user_realm. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache user_realm=%0
+
+[run]
+ authenticate = PAM_AUTH_ERR
+
+[output]
+ ERR /^\(user %u\) cannot convert principal to user: /
+ NOTICE failed authorization check; logname=%u uid=%i euid=%i tty= ruser= rhost=
diff --git a/tests/data/scripts/realm/pass-realm b/tests/data/scripts/realm/pass-realm
new file mode 100644
index 000000000000..91136c9bfc1c
--- /dev/null
+++ b/tests/data/scripts/realm/pass-realm
@@ -0,0 +1,17 @@
+# Test authentication success with different realm. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache realm=%0
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u@%0
diff --git a/tests/data/scripts/realm/pass-user-realm b/tests/data/scripts/realm/pass-user-realm
new file mode 100644
index 000000000000..86007c2d4d26
--- /dev/null
+++ b/tests/data/scripts/realm/pass-user-realm
@@ -0,0 +1,17 @@
+# Test authentication success with different user_realm. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache user_realm=%0
+
+[run]
+ authenticate = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u@%0
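Review bot: The header of realm/fail-user-realm says `# Test authentication failure with different user_realm.`, which is word for word the header of realm/fail-bad-user-realm, yet this script expects `PAM_AUTH_ERR` with `ERR ... cannot convert principal to user` and `NOTICE failed authorization check` rather than an authentication failure. The comment should name the case the expected output shows, for example `# Test authorization failure (principal-to-user mapping) with different user_realm.`. Anyone matching these log lines needs to know the two scripts cover different failure paths, with different NOTICE text and return codes.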
diff --git a/tests/data/scripts/stacked/auth-only b/tests/data/scripts/stacked/auth-only
new file mode 100644
index 000000000000..46d3308ac0e4
--- /dev/null
+++ b/tests/data/scripts/stacked/auth-only
@@ -0,0 +1,18 @@
+# Test basic authentication without setcred. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/basic b/tests/data/scripts/stacked/basic
new file mode 100644
index 000000000000..a05640d278bf
--- /dev/null
+++ b/tests/data/scripts/stacked/basic
@@ -0,0 +1,22 @@
+# Test basic authentication without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/prompt b/tests/data/scripts/stacked/prompt
new file mode 100644
index 000000000000..b0eb0d9ca57b
--- /dev/null
+++ b/tests/data/scripts/stacked/prompt
@@ -0,0 +1,25 @@
+# Test basic auth w/prompting without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_off = Password: |%p
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/prompt-principal b/tests/data/scripts/stacked/prompt-principal
new file mode 100644
index 000000000000..b416671875c7
--- /dev/null
+++ b/tests/data/scripts/stacked/prompt-principal
@@ -0,0 +1,25 @@
+# Test prompting for principal without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = prompt_principal force_first_pass no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[prompts]
+ echo_on = Principal: |%u
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/try-first b/tests/data/scripts/stacked/try-first
new file mode 100644
index 000000000000..3a14b7584bc1
--- /dev/null
+++ b/tests/data/scripts/stacked/try-first
@@ -0,0 +1,22 @@
+# Test try_first_pass without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = try_first_pass no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/stacked/use-first b/tests/data/scripts/stacked/use-first
new file mode 100644
index 000000000000..29c5c5c4188d
--- /dev/null
+++ b/tests/data/scripts/stacked/use-first
@@ -0,0 +1,22 @@
+# Test use_first_pass without saving a ticket cache. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = use_first_pass no_ccache
+ account = no_ccache
+ session = no_ccache
+
+[run]
+ authenticate = PAM_SUCCESS
+ acct_mgmt = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ INFO user %u authenticated as %u
diff --git a/tests/data/scripts/trace/supported b/tests/data/scripts/trace/supported
new file mode 100644
index 000000000000..f67c389735ff
--- /dev/null
+++ b/tests/data/scripts/trace/supported
@@ -0,0 +1,58 @@
+# Basic test of enabling trace logging. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache trace=%0 debug
+ account = no_ccache trace=%0 debug
+ session = no_ccache trace=%0 debug
+
+[run]
+ authenticate = PAM_AUTH_ERR
+ acct_mgmt = PAM_IGNORE
+ setcred(DELETE_CRED) = PAM_SUCCESS
+ setcred(ESTABLISH_CRED) = PAM_SUCCESS
+ setcred(REFRESH_CRED) = PAM_SUCCESS
+ setcred(REINITIALIZE_CRED) = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ DEBUG enabled trace logging to %0
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) no stored password
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
+ DEBUG enabled trace logging to %0
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG skipping non-Kerberos login
+ DEBUG pam_sm_acct_mgmt: exit (ignore)
+ DEBUG enabled trace logging to %0
+ DEBUG pam_sm_setcred: entry (delete)
+ DEBUG pam_sm_setcred: exit (success)
+ DEBUG enabled trace logging to %0
+ DEBUG pam_sm_setcred: entry (establish)
+ DEBUG no context found, creating one
+ DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+ DEBUG pam_sm_setcred: exit (success)
+ DEBUG enabled trace logging to %0
+ DEBUG pam_sm_setcred: entry (refresh)
+ DEBUG no context found, creating one
+ DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+ DEBUG pam_sm_setcred: exit (success)
+ DEBUG enabled trace logging to %0
+ DEBUG pam_sm_setcred: entry (reinit)
+ DEBUG no context found, creating one
+ DEBUG (user root) unable to get PAM_KRB5CCNAME, assuming non-Kerberos login
+ DEBUG pam_sm_setcred: exit (success)
+ DEBUG enabled trace logging to %0
+ DEBUG pam_sm_open_session: entry
+ DEBUG pam_sm_open_session: exit (success)
+ DEBUG enabled trace logging to %0
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success)
diff --git a/tests/data/scripts/trace/unsupported b/tests/data/scripts/trace/unsupported
new file mode 100644
index 000000000000..2100c34fc2f5
--- /dev/null
+++ b/tests/data/scripts/trace/unsupported
@@ -0,0 +1,52 @@
+# Basic test of attempting trace logging when not supported. -*- conf -*-
+#
+# Written by Russ Allbery <eagle@eyrie.org>
+# Copyright 2014, 2020 Russ Allbery <eagle@eyrie.org>
+# Copyright 2010-2011
+# The Board of Trustees of the Leland Stanford Junior University
+#
+# SPDX-License-Identifier: BSD-3-clause or GPL-1+
+
+[options]
+ auth = force_first_pass no_ccache trace=%0 debug
+ account = no_ccache trace=%0 debug
+ session = no_ccache trace=%0 debug
+
+[run]
+ authenticate = PAM_AUTH_ERR
+ acct_mgmt = PAM_IGNORE
+ setcred(DELETE_CRED) = PAM_SUCCESS
+ setcred(ESTABLISH_CRED) = PAM_SUCCESS
+ setcred(REFRESH_CRED) = PAM_SUCCESS
+ setcred(REINITIALIZE_CRED) = PAM_SUCCESS
+ open_session = PAM_SUCCESS
+ close_session = PAM_SUCCESS
+
+[output]
+ ERR trace logging requested but not supported
+ DEBUG pam_sm_authenticate: entry
+ DEBUG (user %u) no stored password
+ NOTICE authentication failure; logname=%u uid=%i euid=%i tty= ruser= rhost=
+ DEBUG pam_sm_authenticate: exit (failure)
+ ERR trace logging requested but not supported
+ DEBUG pam_sm_acct_mgmt: entry
+ DEBUG skipping non-Kerberos login
+ DEBUG pam_sm_acct_mgmt: exit (ignore)
+ ERR trace logging requested but not supported
+ DEBUG pam_sm_setcred: entry (delete)
+ DEBUG pam_sm_setcred: exit (success)
+ ERR trace logging requested but not supported
+ DEBUG pam_sm_setcred: entry (establish)
+ DEBUG pam_sm_setcred: exit (success)
+ ERR trace logging requested but not supported
+ DEBUG pam_sm_setcred: entry (refresh)
+ DEBUG pam_sm_setcred: exit (success)
+ ERR trace logging requested but not supported
+ DEBUG pam_sm_setcred: entry (reinit)
+ DEBUG pam_sm_setcred: exit (success)
+ ERR trace logging requested but not supported
+ DEBUG pam_sm_open_session: entry
+ DEBUG pam_sm_open_session: exit (success)
+ ERR trace logging requested but not supported
+ DEBUG pam_sm_close_session: entry
+ DEBUG pam_sm_close_session: exit (success) |
