author | Attila Fülöp <attila@fueloep.org> | 2021-11-14 18:08:45 +0100 |
---|---|---|
committer | Brian Behlendorf <behlendorf1@llnl.gov> | 2021-11-30 11:52:21 -0800 |
commit | 4234812d1a202e3463400f495e84f63d806ec953 (patch) | |
tree | 4297afa643795d195a2c517f88a78b8e4cb0ac20 | |
parent | 307db9282309ed202f7346637d1113eb8fabbbd7 (diff) |
pam_zfs_key: tests: check if zfs load-key works on short passphrases
The pam_zfs_key pam module does not enforce a minimum password
length while changing the user password and thus the user's home
dataset passphrase. To not end up with a dataset `zfs load-key`
can't load the key for, `zfs load-key` should not enforce a minimum
passphrase length. This adds a test for that.
Reviewed-by: Felix Dörre <felix@dogcraft.de>
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Attila Fülöp <attila@fueloep.org>
Closes #12765
Closes #12651
Closes #12656
-rw-r--r-- | tests/runfiles/linux.run | 2 | ||||
-rw-r--r-- | tests/zfs-tests/tests/functional/pam/Makefile.am | 1 | ||||
-rwxr-xr-x | tests/zfs-tests/tests/functional/pam/pam_short_password.ksh | 84 |
3 files changed, 86 insertions, 1 deletions
diff --git a/tests/runfiles/linux.run b/tests/runfiles/linux.run index eab9c5dc7..58eefec31 100644 --- a/tests/runfiles/linux.run +++ b/tests/runfiles/linux.run @@ -125,7 +125,7 @@ tests = ['umount_unlinked_drain'] tags = ['functional', 'mount'] [tests/functional/pam:Linux] -tests = ['pam_basic', 'pam_nounmount'] +tests = ['pam_basic', 'pam_nounmount', 'pam_short_password'] tags = ['functional', 'pam'] [tests/functional/procfs:Linux] diff --git a/tests/zfs-tests/tests/functional/pam/Makefile.am b/tests/zfs-tests/tests/functional/pam/Makefile.am index 4d9ae1708..be881facc 100644 --- a/tests/zfs-tests/tests/functional/pam/Makefile.am +++ b/tests/zfs-tests/tests/functional/pam/Makefile.am @@ -4,4 +4,5 @@ dist_pkgdata_SCRIPTS = \ cleanup.ksh \ pam_basic.ksh \ pam_nounmount.ksh \ + pam_short_password.ksh \ utilities.kshlib diff --git a/tests/zfs-tests/tests/functional/pam/pam_short_password.ksh b/tests/zfs-tests/tests/functional/pam/pam_short_password.ksh new file mode 100755 index 000000000..1f72c9468 --- /dev/null +++ b/tests/zfs-tests/tests/functional/pam/pam_short_password.ksh 
@@ -0,0 +1,84 @@
+#!/bin/ksh -p
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2021 Attila Fülöp <attila@fueloep.org>
+#
+
+
+. $STF_SUITE/tests/functional/pam/utilities.kshlib
+
+if [[ -z pamservice ]]; then
+ pamservice=pam_zfs_key_test
+fi
+
+# DESCRIPTION:
+# If we set the encryption passphrase for a dataset via pam_zfs_key, a minimal
+# passphrase length isn't enforced. This leads to a non-loadable key if
+# `zfs load-key` enforces a minimal length. Make sure this isn't the case.
+
+log_mustnot ismounted "$TESTPOOL/pam/${username}"
+keystatus unavailable
+
+genconfig "homes=$TESTPOOL/pam runstatedir=${runstatedir}"
+
+# Load keys and mount userdir.
+echo "testpass" | pamtester ${pamservice} ${username} open_session
+references 1
+log_must ismounted "$TESTPOOL/pam/${username}"
+keystatus available
+
+# Change user and dataset password to short one.
+printf "short\nshort\n" | pamtester ${pamservice} ${username} chauthtok
+
+# Unmount and unload key.
+log_must pamtester ${pamservice} ${username} close_session
+references 0
+log_mustnot ismounted "$TESTPOOL/pam/${username}"
+keystatus unavailable
+
+# Check if password change succeeded.
+echo "testpass" | pamtester ${pamservice} ${username} open_session
+references 1
+log_mustnot ismounted "$TESTPOOL/pam/${username}"
+keystatus unavailable
+log_must pamtester ${pamservice} ${username} close_session
+references 0
+
+echo "short" | pamtester ${pamservice} ${username} open_session
+references 1
+log_must ismounted "$TESTPOOL/pam/${username}"
+keystatus available
+
+
+# Finally check if `zfs load-key` succeeds with the short password.
+log_must pamtester ${pamservice} ${username} close_session
+references 0
+log_mustnot ismounted "$TESTPOOL/pam/${username}"
+keystatus unavailable
+
+echo "short" | zfs load-key "$TESTPOOL/pam/${username}"
+keystatus available
+zfs unload-key "$TESTPOOL/pam/${username}"
+keystatus unavailable
+
+log_pass "done." |