pam_zfs_key: tests: check if zfs load-key works on short passphrases
The pam_zfs_key PAM module does not enforce a minimum password length when changing the user's password, and thus the passphrase of the user's home dataset. To avoid ending up with a dataset whose key `zfs load-key` cannot load, `zfs load-key` should not enforce a minimum passphrase length. This adds a test for that. Reviewed-by: Felix Dörre <felix@dogcraft.de> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Attila Fülöp <attila@fueloep.org> Closes #12765 Closes #12651 Closes #12656
parent
307db92823
commit
4234812d1a
|
@ -125,7 +125,7 @@ tests = ['umount_unlinked_drain']
|
||||||
tags = ['functional', 'mount']
|
tags = ['functional', 'mount']
|
||||||
|
|
||||||
[tests/functional/pam:Linux]
|
[tests/functional/pam:Linux]
|
||||||
tests = ['pam_basic', 'pam_nounmount']
|
tests = ['pam_basic', 'pam_nounmount', 'pam_short_password']
|
||||||
tags = ['functional', 'pam']
|
tags = ['functional', 'pam']
|
||||||
|
|
||||||
[tests/functional/procfs:Linux]
|
[tests/functional/procfs:Linux]
|
||||||
|
|
|
@ -4,4 +4,5 @@ dist_pkgdata_SCRIPTS = \
|
||||||
cleanup.ksh \
|
cleanup.ksh \
|
||||||
pam_basic.ksh \
|
pam_basic.ksh \
|
||||||
pam_nounmount.ksh \
|
pam_nounmount.ksh \
|
||||||
|
pam_short_password.ksh \
|
||||||
utilities.kshlib
|
utilities.kshlib
|
||||||
|
|
|
@ -0,0 +1,84 @@
|
||||||
|
#!/bin/ksh -p
|
||||||
|
#
|
||||||
|
# CDDL HEADER START
|
||||||
|
#
|
||||||
|
# The contents of this file are subject to the terms of the
|
||||||
|
# Common Development and Distribution License (the "License").
|
||||||
|
# You may not use this file except in compliance with the License.
|
||||||
|
#
|
||||||
|
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
|
||||||
|
# or http://www.opensolaris.org/os/licensing.
|
||||||
|
# See the License for the specific language governing permissions
|
||||||
|
# and limitations under the License.
|
||||||
|
#
|
||||||
|
# When distributing Covered Code, include this CDDL HEADER in each
|
||||||
|
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
|
||||||
|
# If applicable, add the following below this CDDL HEADER, with the
|
||||||
|
# fields enclosed by brackets "[]" replaced with your own identifying
|
||||||
|
# information: Portions Copyright [yyyy] [name of copyright owner]
|
||||||
|
#
|
||||||
|
# CDDL HEADER END
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Copyright 2021 Attila Fülöp <attila@fueloep.org>
|
||||||
|
#
|
||||||
|
|
||||||
|
|
||||||
|
. $STF_SUITE/tests/functional/pam/utilities.kshlib
|
||||||
|
|
||||||
|
if [[ -z pamservice ]]; then
|
||||||
|
pamservice=pam_zfs_key_test
|
||||||
|
fi
|
||||||
|
|
||||||
|
# DESCRIPTION:
|
||||||
|
# If we set the encryption passphrase for a dataset via pam_zfs_key, a minimal
|
||||||
|
# passphrase length isn't enforced. This leads to a non-loadable key if
|
||||||
|
# `zfs load-key` enforces a minimal length. Make sure this isn't the case.
|
||||||
|
|
||||||
|
log_mustnot ismounted "$TESTPOOL/pam/${username}"
|
||||||
|
keystatus unavailable
|
||||||
|
|
||||||
|
genconfig "homes=$TESTPOOL/pam runstatedir=${runstatedir}"
|
||||||
|
|
||||||
|
# Load keys and mount userdir.
|
||||||
|
echo "testpass" | pamtester ${pamservice} ${username} open_session
|
||||||
|
references 1
|
||||||
|
log_must ismounted "$TESTPOOL/pam/${username}"
|
||||||
|
keystatus available
|
||||||
|
|
||||||
|
# Change user and dataset password to short one.
|
||||||
|
printf "short\nshort\n" | pamtester ${pamservice} ${username} chauthtok
|
||||||
|
|
||||||
|
# Unmount and unload key.
|
||||||
|
log_must pamtester ${pamservice} ${username} close_session
|
||||||
|
references 0
|
||||||
|
log_mustnot ismounted "$TESTPOOL/pam/${username}"
|
||||||
|
keystatus unavailable
|
||||||
|
|
||||||
|
# Check if password change succeeded.
|
||||||
|
echo "testpass" | pamtester ${pamservice} ${username} open_session
|
||||||
|
references 1
|
||||||
|
log_mustnot ismounted "$TESTPOOL/pam/${username}"
|
||||||
|
keystatus unavailable
|
||||||
|
log_must pamtester ${pamservice} ${username} close_session
|
||||||
|
references 0
|
||||||
|
|
||||||
|
echo "short" | pamtester ${pamservice} ${username} open_session
|
||||||
|
references 1
|
||||||
|
log_must ismounted "$TESTPOOL/pam/${username}"
|
||||||
|
keystatus available
|
||||||
|
|
||||||
|
|
||||||
|
# Finally check if `zfs load-key` succeeds with the short password.
|
||||||
|
log_must pamtester ${pamservice} ${username} close_session
|
||||||
|
references 0
|
||||||
|
log_mustnot ismounted "$TESTPOOL/pam/${username}"
|
||||||
|
keystatus unavailable
|
||||||
|
|
||||||
|
echo "short" | zfs load-key "$TESTPOOL/pam/${username}"
|
||||||
|
keystatus available
|
||||||
|
zfs unload-key "$TESTPOOL/pam/${username}"
|
||||||
|
keystatus unavailable
|
||||||
|
|
||||||
|
log_pass "done."
|
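Review bot: The guard `if [[ -z pamservice ]]; then` near the top of the new script tests the literal word `pamservice`, which is never empty, so the fallback `pamservice=pam_zfs_key_test` can never run; it should read `if [[ -z $pamservice ]]; then`. If utilities.kshlib (not visible here) does not set the variable, every later `pamtester ${pamservice} ...` call would run with an empty service name. Separately, the piped `pamtester ... open_session`, `pamtester ... chauthtok`, `zfs load-key` and `zfs unload-key` calls are not wrapped in `log_must`, so a failure there is only noticed indirectly through the following `references`/`keystatus` check. The DESCRIPTION block could also add a hedged line such as `# Passphrase length policy is presumably left to the rest of the PAM stack; this test only checks that a short key stays loadable.`, so readers do not take the test as an endorsement of short dataset passphrases.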