List of things that should be checked whenever we tinker with Kerberos 5 configs, ssh, PAM etc.
| Testname | Description | How to test | Result |
| Local tests |
| login | login at the system console | use username + password, check #klist | __ |
| gdm | login via GDM display manager | use username + password, check #klist (in a terminal window) | __ |
| #kdm | login via KDM display manager | use username + password, check #klist (in a terminal window) | __ |
| defaultkinit | get fresh credentials in a running session, via password | destroy existing (kdestroy; unlog), use kinit and your AFS password, check #klist | __ |
| defaultkinit-r | get fresh credentials in a running session, via renewal | while you have a valid TGT, use kinit -R, check that your credentials have a longer validity | __ |
| mitkinit | use MIT: get fresh credentials in a running session, via password | destroy existing (kdestroy; unlog), use /usr/kerberos/bin/kinit and your AFS password, check #klist (will not get AFS token) | __ |
| mitkinit-r | use MIT: get fresh credentials in a running session, via renewal | while you have a valid TGT, use /usr/kerberos/bin/kinit -R, check that your credentials have a longer validity (except for AFS token) | __ |
| heimdalkinit | use Heimdal: get fresh credentials in a running session, via password | destroy existing (kdestroy; unlog), use /usr/heimdal/bin/kinit and your AFS password, check #klist | __ |
| heimdalkinit-r | use Heimdal: get fresh credentials in a running session, via renewal | while you have a valid TGT, use /usr/heimdal/bin/kinit -R, check that your credentials have a longer validity | __ |
| xscreensaver | get fresh credentials via GNOME/xscreensaver | check #klist, note validity, lock screen (via GNOME-lock button or xscreensaver-command --lock), unlock via password, check #klist again for longer validity | __ |
| kdescreensaver | get fresh credentials via KDE screensaver | check #klist, note validity, lock screen (KDE-lock button), unlock via password, check #klist again for longer validity | __ |
| remote tests - from outside into the test machine |
| ssh-1 kerberos5 | use a valid Krb5 credential to log in via ssh protocol 1 | ssh -1 -v host, look for "Kerberos v5 authentication accepted.", check remote for #klist except that Krb5 TGT will not be forwardable | __ |
| ssh-1 kerberos4 | use a valid Krb4 credential to log in via ssh protocol 1 | KRB5CCNAME=/dev/null ssh -1 -v host, look for "Kerberos v4 authentication accepted.", check remote for #klist except that no Krb5 TGT will exist | __ |
| ssh-2 kerberos5/gssapi | use a valid Krb5 credential to log in via ssh protocol 2 | ssh -2 -v host, look for "Authentication succeeded (gssapi-with-mic).", check remote for #klist except that Krb5 TGT will not be forwardable | __ |
| remote tests - from test machine to outside |
| ssh-1 kerberos5 | use a valid Krb5 credential to log in via ssh protocol 1 | ssh -1 -v host, look for "Kerberos v5 authentication accepted.", check remote for #klist except that Krb5 TGT will not be forwardable | __ |
| ssh-1 kerberos4 | use a valid Krb4 credential to log in via ssh protocol 1 | KRB5CCNAME=/dev/null ssh -1 -v host, look for "Kerberos v4 authentication accepted.", check remote for #klist except that no Krb5 TGT will exist | __ |
| ssh-2 kerberos5/gssapi | use a valid Krb5 credential to log in via ssh protocol 2 | ssh -2 -v host, look for "Authentication succeeded (gssapi-with-mic).", check remote for #klist except that Krb5 TGT will not be forwardable | __ |
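
The ssh rows above pass only if the expected marker string appears in the ssh -v output; a login that quietly falls back to another method (for example password) still gets you a shell, so the marker has to be checked explicitly. The following is an added example, not part of the original checklist: the function names, the method labels and the two sample logs are constructed for illustration, and only the three marker strings come from the table.

```shell
#!/bin/sh
# Classify which authentication method an `ssh -v` run actually used,
# using the marker strings from the checklist.

# Reads ssh -v debug output on stdin and prints one label:
#   ssh1-krb5, ssh1-krb4, ssh2-gssapi, other (some other method succeeded), none
ssh_auth_method() {
    awk '
        /Kerberos v5 authentication accepted\./          { m = "ssh1-krb5";   exit }
        /Kerberos v4 authentication accepted\./          { m = "ssh1-krb4";   exit }
        /Authentication succeeded \(gssapi-with-mic\)\./ { m = "ssh2-gssapi"; exit }
        /Authentication succeeded \(/                    { m = "other";       exit }
        END { print (m == "" ? "none" : m) }
    '
}

# check_ssh_test EXPECTED: reads the log on stdin, returns 0 only if the
# method that succeeded is the one the test row is meant to exercise.
check_ssh_test() {
    expected=$1
    actual=$(ssh_auth_method)
    if [ "$actual" = "$expected" ]; then
        echo "PASS: $expected"
    else
        echo "FAIL: expected $expected, got $actual"
        return 1
    fi
}

# Constructed sample logs (not captured from a real host).
SAMPLE_GSSAPI='debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).'

SAMPLE_PASSWORD='debug1: Next authentication method: gssapi-with-mic
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'

printf '%s\n' "$SAMPLE_GSSAPI"   | check_ssh_test ssh2-gssapi
printf '%s\n' "$SAMPLE_PASSWORD" | check_ssh_test ssh2-gssapi || true

# Against a real host (ssh writes its debug output to stderr):
#   ssh -2 -v host true 2>&1 | check_ssh_test ssh2-gssapi
```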