def test_ssh_forward_creds(self, multihost, enable_kcm):
"""
@Title: kcm: Test that SSH can forward credentials with KCM
A regression test for https://pagure.io/SSSD/sssd/issue/3873
"""
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******', password='******')
(_, _, exit_status) = ssh.execute_cmd('kdestroy')
assert exit_status == 0
(_, _, exit_status) = ssh.execute_cmd('kinit foo9',
stdin='Secret123')
assert exit_status == 0
ssh_k_cmd = 'ssh -oStrictHostKeyChecking=no -K -l foo9 ' + \
multihost.master[0].sys_hostname + \
' klist'
(stdout, _, exit_status) = ssh.execute_cmd(ssh_k_cmd)
assert exit_status == 0
has_cache = False
for line in stdout.readlines():
if 'KCM:14583109' in line:
has_cache = True
assert has_cache is True
def test_kcm_debug_level_set(self, multihost, enable_kcm):
"""
@Title: kcm: After kcm section with debug
level set restaring sssd-kcm service enables kcm debugging
@Description: Test that just adding a [kcm] section and restarting
the kcm service enables debugging without having to restart the
whole sssd
"""
# Start from a known-good state where the configuration is refreshed
# by the monitor and logging is completely disabled
multihost.master[0].service_sssd('stop')
self._stop_kcm(multihost)
self._remove_kcm_log_file(multihost)
set_param(multihost, 'kcm', 'debug_level', '0')
multihost.master[0].service_sssd('start')
self._start_kcm(multihost)
log_lines_pre = self._kcm_log_length(multihost)
# Debugging is disabled, kinit and make sure that no debug messages
# were produced
try:
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******', password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail("Authentication Failed as user %s" % ('foo3'))
else:
ssh.execute_cmd('kdestroy')
ssh.close()
log_lines_nodebug = self._kcm_log_length(multihost)
assert log_lines_nodebug == log_lines_pre
# Enable debugging, restart only the kcm service, make sure some
# debug messages were produced
set_param(multihost, 'kcm', 'debug_level', '9')
self._restart_kcm(multihost)
try:
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******', password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail("Authentication Failed as user %s" % ('foo3'))
else:
ssh.execute_cmd('kdestroy')
ssh.close()
log_lines_debug = self._kcm_log_length(multihost)
assert log_lines_debug > log_lines_pre + 100
def test_kinit(self, multihost):
""" Run kinit after user login """
try:
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******', password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail("Authentication Failed as user %s" % ('foo2'))
else:
(_, _, exit_status) = ssh.execute_cmd(args='kinit',
stdin='Secret123')
assert exit_status == 0
(stdout, _, _) = ssh.execute_cmd('klist')
for line in stdout.readlines():
print(line)
assert exit_status == 0
ssh.close()
def test_case_senitivity(self, multihost, case_sensitive_sudorule,
enable_sss_sudo_nsswitch,
set_case_sensitive_false):
"""
@Title: sudo: Verify case sensitivity in sudo responder
"""
# pylint: disable=unused-argument
_pytest_fixtures = [case_sensitive_sudorule, enable_sss_sudo_nsswitch,
set_case_sensitive_false]
try:
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******', password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail("%s failed to login" % 'capsuser-1')
else:
(stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
result = []
assert exit_status == 0
for line in stdout.readlines():
if 'NOPASSWD' in line:
line.strip()
result.append(line.strip('(root) NOPASSWD: '))
assert '/usr/bin/less\n' in result
assert '/usr/bin/more\n' in result
ssh.close()
def test_refresh_expired_rule(self, multihost,
enable_sss_sudo_nsswitch,
generic_sudorule,
set_entry_cache_sudo_timeout):
"""
@Title: sudo: Verify refreshing expired sudo rules
do not crash sssd_sudo
"""
# pylint: disable=unused-argument
_pytest_fixtures = [enable_sss_sudo_nsswitch, generic_sudorule,
set_entry_cache_sudo_timeout]
try:
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******', password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail("%s failed to login" % 'foo1')
else:
print("Executing %s command as %s user" % ('sudo -l', 'foo1'))
(_, _, exit_status) = ssh.execute_cmd('sudo -l')
assert exit_status == 0
time.sleep(30)
if exit_status != 0:
journalctl_cmd = 'journalctl -x -n 100 --no-pager'
multihost.master[0].run_command(journalctl_cmd)
pytest.fail("%s cmd failed for user %s" % ('sudo -l', 'foo1'))
ssh.close()
def test_kdestroy_retval(self, multihost, enable_kcm):
"""
@Title: kcm: Test that destroying an empty cache does
not return a non-zero return code
"""
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******', password='******')
(_, _, exit_status) = ssh.execute_cmd('kdestroy')
assert exit_status == 0
# Run the command again in case there was something in the ccache
# previously
(_, _, exit_status) = ssh.execute_cmd('kdestroy')
assert exit_status == 0
ssh.close()
def test_kinit_kcm(self, multihost, enable_kcm):
""" Run kinit with KRB5CCNAME=KCM: """
self._start_kcm(multihost)
try:
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******', password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail("Authentication Failed as user %s" % ('foo3'))
else:
(_, _, exit_status) = ssh.execute_cmd('KRB5CCNAME=KCM:; kinit',
stdin='Secret123')
assert exit_status == 0
(stdout, _, _) = ssh.execute_cmd('KRB5CCNAME=KCM:;klist')
for line in stdout.readlines():
if 'Ticket cache: KCM:14583103' in str(line.strip()):
assert True
break
else:
assert False
assert exit_status == 0
ssh.close()
def test_kvno_display(self, multihost, enable_kcm):
"""
:title: kcm: Test kvno correctly displays version numbers of principals
:id: 7c9178e6-fea5-44a1-b473-76667624cee2
:ticket: https://github.com/SSSD/sssd/issues/4763
"""
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******',
password='******')
host_princ = 'host/%s@%s' % (multihost.master[0].sys_hostname,
'EXAMPLE.TEST')
kvno_cmd = 'kvno %s' % (host_princ)
(stdout, _, exit_status) = ssh.execute_cmd(kvno_cmd)
for line in stdout.readlines():
kvno_check = re.search(r'%s: kvno = (\d+)' % host_princ, line)
if kvno_check:
print(kvno_check.group())
else:
pytest.fail("kvno display was improper")
ssh.close()
def test_001_bz1380436(self, multihost):
"""
:title: IDM-SSSD-TC: ad_provider: ad_sudo: ignore case
on case insenstive Domain
:id: 6cc67f37-808a-4b2c-a2cc-e4e4812388f4
:customerscenario: True
:steps:
1. Add sudo rules containing upper and lower case user names
2. Login with lower and upper user case names
:expectedresults:
1. Should succeed
2. Verify the the user when logged in with upper
and lower case can fetch the sudo rules from AD
Note: This test case also cover BZ-1622109 and BZ-bz1519287
Sudo rules used in the fixture contains multiple
sudoUser attributes added.
"""
multihost.client[0].service_sssd('restart')
realm = multihost.ad[0].realm
adusers = [
'sudo_idmuser1', 'SUDO_IDMUSER1', 'sudo_idmuser2',
'sudo_idmuser3@%s' % (realm), 'sudo_idmuser3', 'SUDO_IDMUSER3'
]
for user in adusers:
try:
ssh = SSHClient(multihost.client[0].sys_hostname,
username=user,
password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail('%s failed to login' % user)
else:
(stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
assert exit_status == 0
result = []
assert exit_status == 0
for line in stdout.readlines():
if 'NOPASSWD' in line:
line.strip()
result.append(line.strip('(root) NOPASSWD: '))
assert '/usr/bin/less\n' in result
def test_002_bz1372440(self, multihost):
"""
:title: IDM-SSSD-TC: ad_provider: ad_sudo: AD managed sudo groups
will not work with sssd
:id: 56616411-d56a-4e3f-b732-a39a4fae8bbc
:steps:
1. Add sudo rules with sudoUser attribute set to group names
(%sudo_idmgroup1 which has member sudo_idmuser1)
2. Add users to the group.
3. Verify sudo_idmuser1 can fetch the sudo rule
4. Run the required command as sudo
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
"""
multihost.client[0].service_sssd('restart')
aduser = '******'
try:
ssh = SSHClient(multihost.client[0].sys_hostname,
username=aduser,
password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail('%s failed to login' % aduser)
else:
(stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
assert exit_status == 0
result = []
assert exit_status == 0
for line in stdout.readlines():
if 'NOPASSWD' in line:
line.strip()
result.append(line.strip('(root) NOPASSWD: '))
assert '/usr/bin/less\n' in result
def test_case_senitivity(self, multihost, case_sensitive_sudorule,
enable_sss_sudo_nsswitch,
set_case_sensitive_false):
"""
:title: sudo: Verify case sensitivity in sudo responder
:id: 64ab80be-17fd-4c3b-9d9b-7d07c6279975
"""
try:
ssh = SSHClient(multihost.master[0].sys_hostname,
username='******',
password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail("%s failed to login" % 'capsuser-1')
else:
(stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
result = []
assert exit_status == 0
for line in stdout.readlines():
if 'NOPASSWD' in line:
line.strip()
result.append(line.strip('(root) NOPASSWD: '))
assert '/usr/bin/less\n' in result
assert '/usr/bin/more\n' in result
ssh.close()
def test_pam_sss_gss_handle_large_krb_ticket(self, multihost,
create_aduser_group):
"""
:title: Verify pam_sss_gss.so can handle large kerberos ticket
for sudo
:id: 456ea53b-6702-4b8e-beb1-eee841b85fed
:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1948657
:steps:
1. Add sudo rule in IPA-server for AD-users
2. Modify /etc/krb5.conf.d/kcm_default_ccache to specify location
of storing a TGT
3. Enable pam_sss_gss.so for auth in /etc/pam.d/{sudo,sudo-i} files
4. Add a sudo rule for AD-user
5. Log in on ipa-client as AD-user
6. Run kinit and fetch tgt
7. Run sudo command
8. Remove sudo cache
9. Run sudo command again
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
5. Should succeed
6. Should succeed
7. Should not ask password, and should succeed
8. Should succeed
9. Should not ask password, and should succeed
"""
(aduser, adgroup) = create_aduser_group
ad_dmn_name = multihost.ad[0].domainname
fq_aduser = f'{aduser}@{ad_dmn_name}'
client = sssdTools(multihost.client[0], multihost.ad[0])
ipaserver = sssdTools(multihost.master[0])
cmd = 'dnf install -y sssd sssd-kcm'
multihost.client[0].run_command(cmd, raiseonerr=False)
domain_name = ipaserver.get_domain_section_name()
domain_section = 'domain/{}'.format(domain_name)
params = {'pam_gssapi_services': 'sudo, sudo-i'}
client.sssd_conf(domain_section, params)
krbkcm = '/etc/krb5.conf.d/kcm_default_ccache'
bk_krbkcm = '/tmp/kcm_default_ccache'
multihost.client[0].run_command(f'cp {krbkcm} {bk_krbkcm}')
cmd = "echo -e '[libdefaults]\n' \
' default_ccache_name = FILE:/tmp/krb5cc_%{uid}:'"
multihost.client[0].run_command(cmd, raiseonerr=False)
multihost.client[0].service_sssd('restart')
pam_sss_gss = "auth sufficient pam_sss_gss.so debug"
for pam_file in "/etc/pam.d/sudo-i", "/etc/pam.d/sudo":
cmd = f'sed -i "1 i {pam_sss_gss}" {pam_file}'
multihost.client[0].run_command(cmd, raiseonerr=False)
cmd = f'echo "{fq_aduser} ALL=(ALL) ALL" >> /etc/sudoers'
multihost.client[0].run_command(cmd, raiseonerr=False)
log = re.compile('.*System.*error.*Broken.*pipe.*')
try:
ssh = SSHClient(multihost.client[0].ip,
username=f'{fq_aduser}',
password='******')
except paramiko.ssh_exception.AuthenticationException:
pytest.fail(f'{aduser} failed to login')
else:
(_, _, exit_status) = ssh.execute_cmd(f'kinit {fq_aduser}',
stdin='Secret123')
assert exit_status == 0
(stdout, _, exit_status) = ssh.execute_cmd('sudo -l')
assert exit_status == 0
otpt = stdout.readlines()
for line in otpt:
res = log.search(line)
assert res is None
(stdout, _, exit_status) = ssh.execute_cmd('sudo id')
assert exit_status == 0
(stdout, _, exit_status) = ssh.execute_cmd('sudo -k')
assert exit_status == 0
client.sssd_conf(domain_section, params, action='delete')
for pam_file in "/etc/pam.d/sudo-i", "/etc/pam.d/sudo":
cmd = f'sed -i "1d" {pam_file}'
multihost.client[0].run_command(cmd, raiseonerr=False)
cmd = 'sed -i "$ d" /etc/sudoers'
multihost.client[0].run_command(cmd, raiseonerr=False)
cmd = f'mv {bk_krbkcm} {krbkcm}'
multihost.client[0].run_command(cmd, raiseonerr=False)
def test_pass_krb5cname_to_pam(self, multihost, backupsssdconf,
backup_config_pam_gssapi_services):
"""
:title: pass KRB5CCNAME to pam_authenticate environment
if available
:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1917379
:id: e3a6accc-781d-11ec-a83c-845cf3eff344
:steps:
1. Take backup of files
2. Configure domain_params
3. Configure /etc/pam.d/sudo
4. Configur /etc/pam.d/sudo-i
5. Create IPA sudo rule of /usr/sbin/sssctl
for user admin
6. Check user admin can use sudo command
7. Restore of files
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
5. Should succeed
6. Should succeed
7. Should succeed
"""
tools = sssdTools(multihost.client[0])
tools.service_ctrl('restart', 'sssd')
domain_name = tools.get_domain_section_name()
user = "******"
test_password = "******"
sys_hostname = multihost.client[0].sys_hostname
ssh1 = SSHClient(multihost.client[0].ip,
username=user,
password=test_password)
(_, _, exit_status) = ssh1.execute_cmd('kinit', stdin=test_password)
assert exit_status == 0
(_, _, _) = ssh1.execute_cmd("ipa sudocmd-add /usr/sbin/sssctl")
(_, _, _) = ssh1.execute_cmd("ipa sudorule-add idm_user_sssctl")
(_, _, _) = ssh1.execute_cmd("ipa sudorule-add-allow-command "
"idm_user_sssctl --sudocmds "
"'/usr/sbin/sssctl'")
(_, _, _) = ssh1.execute_cmd(f"ipa sudorule-add-host "
f"idm_user_sssctl "
f"--hosts {sys_hostname}")
(_, _, _) = ssh1.execute_cmd("ipa sudorule-add-user "
"idm_user_sssctl "
"--users admin")
tools.clear_sssd_cache()
ssh2 = SSHClient(multihost.client[0].ip,
username=user,
password=test_password)
(_, _, _) = ssh2.execute_cmd('kinit', stdin=test_password)
(_, _, _) = ssh2.execute_cmd('sudo -S -l', stdin=test_password)
file_name = 'domain_list_' + str(time.time())
(_, _, _) = ssh2.execute_cmd(
f"sudo -S /usr/sbin/sssctl domain-list > "
f"/tmp/{file_name}",
stdin=test_password)
result = multihost.client[0].run_command(
f"cat /tmp/{file_name}").stdout_text
assert domain_name in result
def test_authentication_indicators(self, multihost):
"""
:title: Add support to verify authentication
indicators in pam_sss_gss
:bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1926622
:id: 4891ed62-7fc8-11eb-98be-002b677efe14
:steps:
1. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
2. Add pam_sss_gss.so to /etc/pam.d/sudo
3. Restart SSSD
4. Enable SSSD debug logs
5. Switch to 'admin' user
6. obtain Kerberos ticket and check that it
was obtained using SPAKE pre-authentication.
7. Create sudo configuration that allows an admin to
run SUDO rules
8. Try 'sudo -l' as admin
9. As root, check content of sssd_pam.log
10. Check if acquired service ticket has req. indicators: 0
11. Add pam_sss_gss configuration to /etc/sssd/sssd.conf
12. Check if acquired service ticket has req.
indicators: 2
:expectedresults:
1. Should succeed
2. Should succeed
3. Should succeed
4. Should succeed
5. Should succeed
6. Should succeed
7. Should succeed
8. Should succeed
9. Should succeed
10. Should succeed
11. Should succeed
12. Should succeed
"""
client = sssdTools(multihost.client[0])
domain_params = {
'pam_gssapi_services': 'sudo, sudo-i',
'pam_gssapi_indicators_map': 'hardened, '
'sudo:pkinit, '
'sudo-i:otp'
}
client.sssd_conf('pam', domain_params)
multihost.client[0].run_command('cp -vf '
'/etc/pam.d/sudo '
'/etc/pam.d/sudo_indicators')
multihost.client[0].run_command("sed -i "
"'2s/^/auth sufficient "
"pam_sss_gss.so debug\\n/' "
"/etc/pam.d/sudo")
multihost.client[0].run_command('cp -vf '
'/etc/pam.d/sudo-i '
'/etc/pam.d/sudo-i_indicators')
multihost.client[0].run_command("sed -i "
"'2s/^/auth sufficient "
"pam_sss_gss.so debug\\n/' "
"/etc/pam.d/sudo-i")
multihost.client[0].run_command('systemctl stop sssd ; '
'rm -rf /var/log/sssd/* ; '
'rm -rf /var/lib/sss/db/* ; '
'systemctl start sssd')
multihost.client[0].run_command("sssctl debug-level 9")
ssh = SSHClient(multihost.client[0].ip,
username='******',
password='******')
(_, _, exit_status) = ssh.execute_cmd('kinit admin', stdin='Secret123')
(result, errors, exit_status) = ssh.exec_command('klist')
(result, errors, exit_status) = ssh.execute_cmd('ipa '
'sudocmd-add ALL2')
(result, errors, exit_status) = ssh.execute_cmd('ipa '
'sudorule-add '
'testrule2')
(result, errors, exit_status) = ssh.execute_cmd("ipa sudorule-add"
"-allow-command "
"testrule2 "
"--sudocmds 'ALL2'")
(result, errors, exit_status) = ssh.execute_cmd('ipa '
'sudorule-mod '
'testrule2 '
'--hostcat=all')
(result, errors, exit_status) = ssh.execute_cmd('ipa '
'sudorule-add-user '
'testrule2 '
'--users admin')
(result, errors, exit_status) = ssh.execute_cmd('sudo -l')
ssh.close()
search = multihost.client[0].run_command('fgrep '
'gssapi_ '
'/var/log/sssd/sssd_pam.log '
'|tail -10')
assert 'indicators: 0' in search.stdout_text
client = sssdTools(multihost.client[0])
domain_params = {
'pam_gssapi_services': 'sudo, sudo-i',
'pam_gssapi_indicators_map': 'sudo-i:hardened'
}
client.sssd_conf('pam', domain_params)
multihost.client[0].run_command('systemctl stop sssd ; '
'rm -rf /var/log/sssd/* ; '
'rm -rf /var/lib/sss/db/* ; '
'systemctl start sssd')
ssh = SSHClient(multihost.client[0].ip,
username='******',
password='******')
(_, _, exit_status) = ssh.execute_cmd('kinit admin', stdin='Secret123')
multihost.client[0].run_command("sssctl debug-level 9")
(result, errors, exit_status) = ssh.execute_cmd('sudo -l')
(result, errors, exit_status) = ssh.exec_command('klist')
(result, errors, exit_status) = ssh.execute_cmd('ipa '
'sudocmd-del ALL2')
(result, errors, exit_status) = ssh.execute_cmd('ipa '
'sudorule-del '
'testrule2')
multihost.client[0].run_command('cp -vf /etc/pam.d/sudo_indicators '
'/etc/pam.d/sudo')
multihost.client[0].run_command('cp -vf /etc/pam.d/sudo-i_indicators '
'/etc/pam.d/sudo-i')
search = multihost.client[0].run_command('fgrep gssapi_ '
'/var/log/sssd/sssd_pam.log'
' |tail -10')
ssh.close()
assert 'indicators: 2' in search.stdout_text
