pam_zfs_key: tests: check if zfs load-key works on short passphrases

The pam_zfs_key pam module does not enforce a minimum password
length while changing the user password and thus the users home
dataset passphrase. To not end up with a dateset `zfs load-key`
can't load the key for, `zfs load-key` should not enforce a minimum
passphrase length. This adds a test for that.

Reviewed-by: Felix Dörre <felix@dogcraft.de>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Attila Fülöp <attila@fueloep.org>
Closes #12765
Closes #12651
Closes #12656
This commit is contained in:
Attila Fülöp 2021-11-14 18:08:45 +01:00 committed by Brian Behlendorf
parent 307db92823
commit 4234812d1a
3 changed files with 86 additions and 1 deletions

View File

@ -125,7 +125,7 @@ tests = ['umount_unlinked_drain']
tags = ['functional', 'mount'] tags = ['functional', 'mount']
[tests/functional/pam:Linux] [tests/functional/pam:Linux]
tests = ['pam_basic', 'pam_nounmount'] tests = ['pam_basic', 'pam_nounmount', 'pam_short_password']
tags = ['functional', 'pam'] tags = ['functional', 'pam']
[tests/functional/procfs:Linux] [tests/functional/procfs:Linux]

View File

@ -4,4 +4,5 @@ dist_pkgdata_SCRIPTS = \
cleanup.ksh \ cleanup.ksh \
pam_basic.ksh \ pam_basic.ksh \
pam_nounmount.ksh \ pam_nounmount.ksh \
pam_short_password.ksh \
utilities.kshlib utilities.kshlib

View File

@ -0,0 +1,84 @@
#!/bin/ksh -p
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2021 Attila Fülöp <attila@fueloep.org>
#
. $STF_SUITE/tests/functional/pam/utilities.kshlib
if [[ -z pamservice ]]; then
pamservice=pam_zfs_key_test
fi
# DESCRIPTION:
# If we set the encryption passphrase for a dataset via pam_zfs_key, a minimal
# passphrase length isn't enforced. This leads to a non-loadable key if
# `zfs load-key` enforces a minimal length. Make sure this isn't the case.
log_mustnot ismounted "$TESTPOOL/pam/${username}"
keystatus unavailable
genconfig "homes=$TESTPOOL/pam runstatedir=${runstatedir}"
# Load keys and mount userdir.
echo "testpass" | pamtester ${pamservice} ${username} open_session
references 1
log_must ismounted "$TESTPOOL/pam/${username}"
keystatus available
# Change user and dataset password to short one.
printf "short\nshort\n" | pamtester ${pamservice} ${username} chauthtok
# Unmount and unload key.
log_must pamtester ${pamservice} ${username} close_session
references 0
log_mustnot ismounted "$TESTPOOL/pam/${username}"
keystatus unavailable
# Check if password change succeeded.
echo "testpass" | pamtester ${pamservice} ${username} open_session
references 1
log_mustnot ismounted "$TESTPOOL/pam/${username}"
keystatus unavailable
log_must pamtester ${pamservice} ${username} close_session
references 0
echo "short" | pamtester ${pamservice} ${username} open_session
references 1
log_must ismounted "$TESTPOOL/pam/${username}"
keystatus available
# Finally check if `zfs load-key` succeeds with the short password.
log_must pamtester ${pamservice} ${username} close_session
references 0
log_mustnot ismounted "$TESTPOOL/pam/${username}"
keystatus unavailable
echo "short" | zfs load-key "$TESTPOOL/pam/${username}"
keystatus available
zfs unload-key "$TESTPOOL/pam/${username}"
keystatus unavailable
log_pass "done."