From 08d4f7cfe3632778f006280c5fce6dd4c4c4b3b0 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Thu, 19 Feb 2015 16:16:13 +0100
Subject: [PATCH] tests: added PAM test suite

---
 tests/Makefile.am | 6 +-
 tests/docker-ocserv/Dockerfile-fedora-pam | 35 +++
 tests/docker-ocserv/Makefile.am | 2 +-
 tests/docker-ocserv/ocserv-pam.conf | 301 ++++++++++++++++++++++
 tests/docker-ocserv/pam-ocserv | 18 ++
 tests/pam-test | 175 +++++++++++++
 tests/test-pam | 55 ----
 tests/test-pam.config | 190 --------------
 8 files changed, 533 insertions(+), 249 deletions(-)
 create mode 100644 tests/docker-ocserv/Dockerfile-fedora-pam
 create mode 100644 tests/docker-ocserv/ocserv-pam.conf
 create mode 100644 tests/docker-ocserv/pam-ocserv
 create mode 100755 tests/pam-test
 delete mode 100755 tests/test-pam
 delete mode 100644 tests/test-pam.config

diff --git a/tests/Makefile.am b/tests/Makefile.am
index 7b573c10..e68b625b 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -11,16 +11,16 @@ EXTRA_DIST = ca-key.pem ca.pem common.sh server-cert.pem server-key.pem test1.co SUBDIRS = docker-ocserv docker-kerberos dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \ - test-multi-cookie test-pam test-stress full-test test-group-pass test-pass-group-cert \ + test-multi-cookie test-stress full-test test-group-pass test-pass-group-cert \ ocpasswd-test test-pass-group-cert-no-pass unix-test test-pass-opt-cert \ test-cookie-timeout test-cookie-timeout-2 radius-test test-explicit-ip \ - radius-test test-gssapi kerberos-test + radius-test test-gssapi kerberos-test pam-test TESTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \ test-multi-cookie full-test test-group-pass test-pass-group-cert \ ocpasswd-test test-pass-group-cert-no-pass unix-test test-pass-opt-cert \ test-cookie-timeout test-cookie-timeout-2 test-explicit-ip radius-test \ - test-gssapi kerberos-test + test-gssapi kerberos-test pam-test TESTS_ENVIRONMENT = srcdir="$(srcdir)" \ top_builddir="$(top_builddir)" diff --git a/tests/docker-ocserv/Dockerfile-fedora-pam b/tests/docker-ocserv/Dockerfile-fedora-pam new file mode 100644 index 00000000..7141e4d4 --- /dev/null +++ b/tests/docker-ocserv/Dockerfile-fedora-pam 
@@ -0,0 +1,35 @@ +FROM fedora:21 + +RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp +RUN yum install -y bash openssh-server nuttcp +RUN yum install -y libnl3 libtalloc +RUN yum install -y lz4 +RUN yum install -y pam +RUN yum install -y freeradius-client +RUN systemctl enable sshd +RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config + +RUN echo 'root:root' |chpasswd +RUN useradd -m -d /home/admin -s /bin/bash admin +RUN echo 'admin:admin' |chpasswd +EXPOSE 5551 +EXPOSE 5551/udp +EXPOSE 22 + +RUN mkdir /etc/ocserv +RUN useradd testuser +RUN echo 'testuser:testuser123' |chpasswd + +ADD key.pem /etc/ocserv/ +ADD cert.pem /etc/ocserv/ +ADD ocserv-pam.conf /etc/ocserv/ocserv.conf +ADD pam-ocserv /etc/pam.d/ocserv +ADD ocserv /usr/sbin/ +ADD ocpasswd /usr/bin/ +ADD occtl /usr/bin/ +ADD myscript /usr/bin/ +# It's not possible to use mknod inside a container with the default LXC +# template, so we untar it from this archive. +ADD dev-tun.tgz /dev/ + +CMD nuttcp -S;sshd-keygen;/usr/sbin/sshd;mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600 diff --git a/tests/docker-ocserv/Makefile.am b/tests/docker-ocserv/Makefile.am index 2d48c205..958547f3 100644 --- a/tests/docker-ocserv/Makefile.am +++ b/tests/docker-ocserv/Makefile.am @@ -2,7 +2,7 @@ EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.p Dockerfile-debian-unix ocserv-unix.conf haproxy.cfg combo.pem Dockerfile-fedora-unix \ Dockerfile-fedora-tcp freeradius-users Dockerfile-debian-radius Dockerfile-fedora-radius \ freeradius-users ocserv-radius.conf radiusclient.conf radius-clients.conf \ - radiusclient-servers + radiusclient-servers pam-ocserv ocserv-pam.conf TESTS_ENVIRONMENT = srcdir="$(srcdir)" \ top_builddir="$(top_builddir)" diff --git a/tests/docker-ocserv/ocserv-pam.conf b/tests/docker-ocserv/ocserv-pam.conf new file mode 100644 index 00000000..ef2c5390 --- /dev/null 
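Review bot: The `CMD` line launches the server as `usr/sbin/ocserv -d 1 -f` with a relative path, which only resolves because no `WORKDIR` is set and the default is `/`; write `/usr/sbin/ocserv -d 1 -f` so the chain does not silently break the day a working directory is added. Because the steps are joined with `;`, a failing `sshd-keygen`, `sshd` or `ocserv` is masked and the container idles in `sleep 3600`, so the harness only finds out when the client times out; joining with `&&` would make the container exit at the failed step instead. `pam` is also installed twice (in the first `RUN yum install` and again in `RUN yum install -y pam`). The image deliberately bakes `root:root`/`admin:admin` with `PermitRootLogin yes` and exposes port 22, which is tolerable for a throwaway test container only if the file says so, e.g. `# Test-only image: the weak root/admin passwords and root SSH are intentional; never publish or expose it.`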
+++ b/tests/docker-ocserv/ocserv-pam.conf 
@@ -0,0 +1,301 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam.
+#auth = "certificate"
+#auth = "plain[/etc/ocserv/passwd]"
+auth = "pam"
+
+# Whether to enable support for the occtl tool (i.e., either through D-BUS,
+# or via a unix socket).
+use-occtl = true
+
+# socket file used for IPC with occtl. You only need to set that,
+# if you use more than a single servers.
+#occtl-socket-file = /var/run/occtl.socket
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+#auth = "plain[/etc/ocserv/ocpasswd]"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 5551
+udp-port = 5551
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = 240
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g.,
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /etc/ocserv/cert.pem
+server-key = /etc/ocserv/key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are:
+# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the
+# client certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are:
+# OU (organizational unit) = 2.5.4.11
+#cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 86400
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+# ssl: Will perform an efficient rehandshake on the channel allowing
+# a seamless connection during rekey.
+# new-tunnel: Will instruct the client to discard and re-establish the channel.
+# Use this option only if the connecting clients have issues with the ssl
+# option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# D-BUS usage. If disabled occtl tool cannot be used. If enabled
+# then ocserv must have access to register org.infradead.ocserv
+# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
+use-dbus = false
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+#dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+ipv6-network = fd91:6d87:7341:db6a::
+ipv6-prefix = 64
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu =
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+route = fd91:6d87:7341:db6a::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+# ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+# net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /etc/ocserv/config-per-user/
+#config-per-group = /etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %R dev %D"
+#route-del-cmd = "ip route delete %R dev %D"
+
+#
+# The following options are for (experimental) AnyConnect client
+# compatibility.
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot.
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be
+# set for them.
+#cisco-client-compat = false
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"
diff --git a/tests/docker-ocserv/pam-ocserv b/tests/docker-ocserv/pam-ocserv
new file mode 100644
index 00000000..3c039276
--- /dev/null
+++ b/tests/docker-ocserv/pam-ocserv
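Review bot: `disconnect-script = /usr/bin/myscript` carries no hint that the harness depends on it: tests/pam-test copies `/tmp/disconnect/ok` and `/tmp/disconnect/not-ok` out of the container after the client is killed, and the Dockerfile pre-creates `/tmp/disconnect/`, so presumably myscript writes those files (myscript itself is not part of this patch). A why-comment above the line would save the next reader the hunt, e.g. `# pam-test expects this script to record the disconnect in /tmp/disconnect/{ok,not-ok}`. The header comment `# Options: certificate, pam.` is also incomplete for this file, which goes on to document `plain[...]` twice; `# Options: certificate, pam, plain[/path/to/passwd].` matches what follows.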
@@ -0,0 +1,18 @@
+#%PAM-1.0
+auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
+auth substack system-auth
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session required pam_loginuid.so
+session optional pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+session include postlogin
+-session optional pam_ck_connector.so
diff --git a/tests/pam-test b/tests/pam-test
new file mode 100755
index 00000000..3721e1e8
--- /dev/null
+++ b/tests/pam-test
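Review bot: This file is the interactive console `login` stack (`pam_securetty`, `pam_console`, `pam_loginuid`, `pam_namespace`, `pam_selinux close/open`, `pam_ck_connector`) rather than a network-service stack, and those session modules act on the calling process's tty, SELinux context and audit loginuid; with `required` on `pam_loginuid.so` and `pam_selinux.so`, a session open may fail inside a container that lacks the corresponding audit/SELinux privileges even though the password was correct. Whether ocserv opens a PAM session at all is not visible in this patch, so the practical impact is unconfirmed, but for this test only the auth and account results matter and `pam_securetty` has nothing to check for a VPN client with no tty. On Fedora, network daemons such as sshd use `password-auth` rather than `system-auth`, and a minimal stack is both conventional and easier to reason about:

```conf
#%PAM-1.0
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
```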
@@ -0,0 +1,175 @@
+#!/bin/sh
+#
+# Copyright (C) 2014 Red Hat
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ocserv; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir=${srcdir:-.}
+
+PORT_OCSERV=5551
+#this test can only be run as root
+id|grep root >/dev/null 2>&1
+if [ $? != 0 ];then
+ exit 77
+fi
+
+CONFIG="pam"
+IMAGE=ocserv-pam-test
+IMAGE_NAME=test_ocserv_pam
+. ./docker-common.sh
+
+$DOCKER run -P --privileged=true --tty=false -d --name test_ocserv_pam $IMAGE
+if test $? != 0;then
+ echo "Cannot run docker image"
+ exit 1
+fi
+
+echo "ocserv image was run"
+#wait for ocserv to server
+sleep 5
+
+IP=`$DOCKER inspect test_ocserv_pam | grep IPAddress | cut -d '"' -f 4`
+if test -z "$IP";then
+ echo "Detected IP is null!"
+ stop
+fi
+echo "Detected IP: $IP"
+
+printf "testuser\n" >pass-pam.tmp
+openconnect $IP:$PORT_OCSERV -u testuser --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
+if test $? = 0;then
+ echo "Authentication with wrong password succeeded!"
+ stop
+fi
+
+printf "testuser123\n" >pass-pam.tmp
+openconnect $IP:$PORT_OCSERV -u test --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
+if test $? = 0;then
+ echo "Authentication with wrong username succeeded!"
+ stop
+fi
+
+printf "testuser123\n" >pass-pam.tmp
+openconnect $IP:$PORT_OCSERV -u testuser --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-pam.tmp &
+PID=$!
+
+rm -f pass-pam.tmp
+
+#wait for openconnect
+sleep 5
+
+# The client IP depends on the username so it shouldn't change.
+ping -w 5 192.168.1.1
+if test $? != 0;then
+ kill $PID
+ echo "Cannot ping ocserv"
+ stop
+fi
+
+ping -w 5 192.168.1.1 -s 1500
+if test $? != 0;then
+ kill $PID
+ echo "Cannot ping ocserv"
+ stop
+fi
+
+ping6 -w 5 fd91:6d87:7341:db6a::1
+if test $? != 0;then
+ kill $PID
+ echo "Cannot ping the IPv6 of ocserv"
+ stop
+fi
+
+echo "UserKnownHostsFile ./known-hosts.tmp" >config.tmp
+printf "#\!/bin/sh\n" >echo-admin.tmp
+printf "echo yes" >>echo-admin.tmp
+printf "echo root" >>echo-admin.tmp
+printf "\n" >>echo-admin.tmp
+chmod 755 echo-admin.tmp
+export SSH_ASKPASS="./echo-admin.tmp"
+setsid ssh -T -F config.tmp root@192.168.1.1 occtl show user testuser >out.tmp 2>&1
+cat out.tmp
+
+printf "#\!/bin/sh\n" >echo-admin.tmp
+printf "echo root" >>echo-admin.tmp
+printf "\n" >>echo-admin.tmp
+chmod 755 echo-admin.tmp
+setsid ssh -T -F config.tmp root@192.168.1.1 occtl show user testuser >out.tmp 2>&1
+cat out.tmp
+rm -f echo-admin.tmp
+rm -f config.tmp
+rm -f known-hosts.tmp
+
+grep "Username" out.tmp
+if test $? != 0;then
+ kill $PID
+ echo "could not find user information"
+ stop
+fi
+
+rm -f out.tmp
+
+# There is an issue in nuttcp that makes it crash under docker if
+# /proc/sys/net/ipv4/tcp_adv_win_scale does not exist.
+if test "$FEDORA" = 1;then
+nuttcp -T 10 -t 192.168.1.1
+if test $? != 0;then
+ kill $PID
+ echo "Cannot send to ocserv"
+ stop
+fi
+
+nuttcp -T 10 -r 192.168.1.1
+if test $? != 0;then
+ kill $PID
+ echo "Cannot recv from ocserv"
+ stop
+fi
+fi
+
+sleep 2
+
+kill $PID
+
+sleep 4
+
+#check whether /tmp/disconnect/ok was created
+rm -f ./not-ok
+$DOCKER cp test_ocserv_pam:/tmp/disconnect/not-ok ./
+if test -f ./not-ok;then
+ echo "There was an issue getting stats"
+ stop
+fi
+rm -f ./not-ok
+
+ret=0
+
+rm -f ./tmp-full/ok
+$DOCKER cp test_ocserv_pam:/tmp/disconnect/ok ./tmp-full/
+if ! test -f ./tmp-full/ok;then
+ echo "Don't know if stats were received"
+ ret=77
+else
+ echo -n "stats: "
+ echo `cat ./tmp-full/ok`
+ rm -rf ./tmp-full/
+fi
+
+$DOCKER stop test_ocserv_pam
+$DOCKER rm test_ocserv_pam
+
+exit $ret
diff --git a/tests/test-pam b/tests/test-pam
deleted file mode 100755
index b4cdcca6..00000000
--- a/tests/test-pam
+++ /dev/null
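Review bot: `$DOCKER run -P --privileged=true ...` publishes every `EXPOSE`d port of the image (22 and 5551) on all host interfaces for the duration of the test, and the image answers on 22 as `root:root` with `PermitRootLogin yes`; the script never uses the mapped host ports (it reaches the container at `$IP` and over the VPN at 192.168.1.1), so `-P` should simply go: `$DOCKER run --privileged=true --tty=false -d --name test_ocserv_pam $IMAGE`. Separately, the first askpass helper is built from `printf "echo yes"` followed by `printf "echo root"` with no newline between them, so its body is the single line `echo yesecho root`, which is neither a valid host-key answer nor the password; if the intent is to accept the unknown host key, `echo "StrictHostKeyChecking no" >>config.tmp` removes the need for the "yes" round entirely and the second helper (`echo root` only) can serve both ssh calls. `printf "#\!/bin/sh\n"` also emits the literal `#\!/bin/sh` in most printf implementations, since `\!` is not a printf escape, so the helper presumably only runs because ssh's execlp() falls back to /bin/sh on ENOEXEC — `printf '#!/bin/sh\n'` is what was meant. `stop`, `$DOCKER` and `$FEDORA` come from docker-common.sh, which is outside this patch.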
@@ -1,55 +0,0 @@
-#!/bin/sh
-#
-# Copyright (C) 2013 Nikos Mavrogiannopoulos
-#
-# This file is part of ocserv.
-#
-# ocserv is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at
-# your option) any later version.
-#
-# ocserv is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with GnuTLS; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-
-SERV="${SERV:-../src/ocserv}"
-srcdir=${srcdir:-.}
-PORT=4444
-
-. `dirname $0`/common.sh
-
-echo "Testing PAM backend with username-password... "
-
-launch_server -d 1 -f -c test-pam.config & PID=$!
-wait_server $PID
-
-echo "Connecting to obtain cookie... "
-( echo "test" | openconnect --authgroup test -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
- fail $PID "Could not receive cookie from server"
-
-echo "Connecting to obtain cookie with default group... "
-( echo "test" | openconnect --authgroup DEFAULT -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) ||
- fail $PID "Could not receive cookie from server"
-
-echo "Connecting to obtain cookie with wrong group... "
-( echo "test" | openconnect --authgroup daemon -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
- fail $PID "Received cookie when we shouldn't"
-
-echo "Connecting to obtain cookie with wrong password... "
-( echo "tost" | openconnect --authgroup test -q localhost:$PORT -u test --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
- fail $PID "Received cookie when we shouldn't"
-
-echo "Connecting to obtain cookie with wrong username... "
-( echo "tost" | openconnect --authgroup DEFAULT -q localhost:$PORT -u tost --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly >/dev/null 2>&1 ) &&
- fail $PID "Received cookie when we shouldn't"
-
-kill $PID
-wait
-
-exit 0
diff --git a/tests/test-pam.config b/tests/test-pam.config
deleted file mode 100644
index 7078caf4..00000000
--- a/tests/test-pam.config
+++ /dev/null
@@ -1,190 +0,0 @@
-# User authentication method. Could be set multiple times and in that case
-# all should succeed.
-# Options: certificate, pam.
-#auth = "certificate"
-auth = "pam"
-
-select-group = test
-select-group = daemon
-
-# The name of the group that if selected it would allow to use
-# the assigned by default group.
-default-select-group = DEFAULT
-
-# A banner to be displayed on clients
-#banner = "Welcome"
-
-# Use listen-host to limit to specific IPs or to the IPs of a provided hostname.
-#listen-host = [IP|HOSTNAME]
-
-use-dbus = no
-
-# Limit the number of clients. Unset or set to zero for unlimited.
-#max-clients = 1024
-max-clients = 16
-
-# Limit the number of client connections to one every X milliseconds
-# (X is the provided value). Set to zero for no limit.
-#rate-limit-ms = 100
-
-# Limit the number of identical clients (i.e., users connecting multiple times)
-# Unset or set to zero for unlimited.
-max-same-clients = 2
-
-# TCP and UDP port number
-tcp-port = 4444
-udp-port = 4444
-
-# Keepalive in seconds
-keepalive = 32400
-
-# Dead peer detection in seconds
-dpd = 440
-
-# MTU discovery (DPD must be enabled)
-try-mtu-discovery = false
-
-# The key and the certificates of the server
-# The key may be a file, or any URL supported by GnuTLS (e.g.,
-# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
-# or pkcs11:object=my-vpn-key;object-type=private)
-#
-# There may be multiple certificate and key pairs and each key
-# should correspond to the preceding certificate.
-server-cert = ./server-cert.pem
-server-key = ./server-key.pem
-
-# Diffie-Hellman parameters. Only needed if you require support
-# for the DHE ciphersuites (by default this server supports ECDHE).
-# Can be generated using:
-# certtool --generate-dh-params --outfile /path/to/dh.pem
-#dh-params = /path/to/dh.pem
-
-# If you have a certificate from a CA that provides an OCSP
-# service you may provide a fresh OCSP status response within
-# the TLS handshake. That will prevent the client from connecting
-# independently on the OCSP server.
-# You can update this response periodically using:
-# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
-# Make sure that you replace the following file in an atomic way.
-#ocsp-response = /path/to/ocsp.der
-
-# In case PKCS #11 or TPM keys are used the PINs should be available
-# in files. The srk-pin-file is applicable to TPM keys only (It's the storage
-# root key).
-#pin-file = /path/to/pin.txt
-#srk-pin-file = /path/to/srkpin.txt
-
-# The Certificate Authority that will be used
-# to verify clients if certificate authentication
-# is set.
-#ca-cert = /path/to/ca.pem
-
-# The object identifier that will be used to read the user ID in the client certificate.
-# The object identifier should be part of the certificate's DN
-# Useful OIDs are:
-# CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
-#cert-user-oid = 0.9.2342.19200300.100.1.1
-
-# The object identifier that will be used to read the user group in the client
-# certificate. The object identifier should be part of the certificate's DN
-# Useful OIDs are:
-# OU (organizational unit) = 2.5.4.11
-#cert-group-oid = 2.5.4.11
-
-# A revocation list of ca-cert is set
-#crl = /path/to/crl.pem
-
-# GnuTLS priority string
-tls-priorities = "PERFORMANCE:%SERVER_PRECEDENCE:%COMPAT"
-
-# To enforce perfect forward secrecy (PFS) on the main channel.
-#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
-
-# The time (in seconds) that a client is allowed to stay connected prior
-# to authentication
-auth-timeout = 40
-
-# The time (in seconds) that a client is not allowed to reconnect after
-# a failed authentication attempt.
-#min-reauth-time = 2
-
-# Cookie validity time (in seconds)
-# Once a client is authenticated he's provided a cookie with
-# which he can reconnect. This option sets the maximum lifetime
-# of that cookie.
-cookie-validity = 172800
-
-# Script to call when a client connects and obtains an IP
-# Parameters are passed on the environment.
-# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client),
-# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
-# in the P-t-P connection), IP_REMOTE (the VPN IP of the client). REASON
-# may be "connect" or "disconnect".
-#connect-script = /usr/bin/myscript
-#disconnect-script = /usr/bin/myscript
-
-# UTMP
-use-utmp = true
-
-# PID file
-pid-file = /var/run/ocserv.pid
-
-# The default server directory. Does not require any devices present.
-#chroot-dir = /path/to/chroot
-
-# socket file used for IPC, will be appended with .PID
-# It must be accessible within the chroot environment (if any)
-socket-file = /var/run/ocserv-socket
-
-# The user the worker processes will be run as. It should be
-# unique (no other services run as this user).
-run-as-user = nobody
-run-as-group = daemon
-
-# Network settings
-
-device = vpns
-
-# The default domain to be advertised
-default-domain = example.com
-
-ipv4-network = 192.168.1.0
-ipv4-netmask = 255.255.255.0
-# Use the keywork local to advertize the local P-t-P address as DNS server
-ipv4-dns = 192.168.1.1
-
-# The NBNS server (if any)
-#ipv4-nbns = 192.168.2.3
-
-#ipv6-address =
-#ipv6-mask =
-#ipv6-dns =
-
-# Prior to leasing any IP from the pool ping it to verify that
-# it is not in use by another (unrelated to this server) host.
-ping-leases = false
-
-# Leave empty to assign the default MTU of the device
-# mtu =
-
-route = 192.168.1.0/255.255.255.0
-#route = 192.168.5.0/255.255.255.0
-
-#
-# The following options are for (experimental) AnyConnect client
-# compatibility. They are only available if the server is built
-# with --enable-anyconnect
-#
-
-# Client profile xml. A sample file exists in doc/profile.xml.
-# This file must be accessible from inside the worker's chroot.
-# The profile is ignored by the openconnect client.
-#user-profile = profile.xml
-
-# Unless set to false it is required for clients to present their
-# certificate even if they are authenticating via a previously granted
-# cookie. Legacy CISCO clients do not do that, and thus this option
-# should be set for them.
-#always-require-cert = false
-