diff --git a/tests/docker-ocserv/Dockerfile-fedora-pam b/tests/docker-ocserv/Dockerfile-fedora-pam
index cec86947..ff6de0b6 100644
--- a/tests/docker-ocserv/Dockerfile-fedora-pam
+++ b/tests/docker-ocserv/Dockerfile-fedora-pam
@@ -7,14 +7,15 @@ RUN yum install -y lz4
 RUN yum install -y pam
 RUN yum install -y freeradius-client
 RUN yum install -y krb5-libs
+RUN yum install -y pam_oath oathtool
 RUN systemctl enable sshd
 RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
 RUN echo 'root:root' |chpasswd
 RUN useradd -m -d /home/admin -s /bin/bash admin
 RUN echo 'admin:admin' |chpasswd
-EXPOSE 5551
-EXPOSE 5551/udp
+EXPOSE 443
+EXPOSE 443/udp
 EXPOSE 22
 RUN mkdir /etc/ocserv
@@ -25,6 +26,7 @@ ADD key.pem /etc/ocserv/
 ADD cert.pem /etc/ocserv/
 ADD ocserv-pam.conf /etc/ocserv/ocserv.conf
 ADD pam-ocserv /etc/pam.d/ocserv
+ADD users.oath /etc/users.oath
 ADD ocserv /usr/sbin/
 ADD ocpasswd /usr/bin/
 ADD occtl /usr/bin/
diff --git a/tests/docker-ocserv/ocserv-pam.conf b/tests/docker-ocserv/ocserv-pam.conf
index e7cc2b88..9be320b1 100644
--- a/tests/docker-ocserv/ocserv-pam.conf
+++ b/tests/docker-ocserv/ocserv-pam.conf
@@ -42,8 +42,8 @@ max-clients = 16
 max-same-clients = 2
 # TCP and UDP port number
-tcp-port = 5551
-udp-port = 5551
+tcp-port = 443
+udp-port = 443
 # Keepalive in seconds
 keepalive = 32400
@@ -133,6 +133,9 @@ auth-timeout = 40
 # a failed authentication attempt.
 #min-reauth-time = 2
+# Set to zero to disable.
+max-ban-score = 0
 # Cookie validity time (in seconds)
 # Once a client is authenticated he's provided a cookie with
 # which he can reconnect. This option sets the maximum lifetime
diff --git a/tests/docker-ocserv/pam-ocserv b/tests/docker-ocserv/pam-ocserv
index 3c039276..adcfda45 100644
--- a/tests/docker-ocserv/pam-ocserv
+++ b/tests/docker-ocserv/pam-ocserv
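Review bot: `ADD users.oath /etc/users.oath` copies the HOTP seed file with whatever mode it carries in the build context, which for a checked-in text file is normally 0644, so the `admin` account created earlier in this Dockerfile (and any other process in the container) can read the seed and derive valid OTPs. pam_oath needs the file writable by the authenticating process so it can advance the HOTP counter, but nothing else needs to read it, so add `RUN chmod 600 /etc/users.oath` directly after the ADD. The `00` seed is only a test fixture; the point of the fix is that this image should not model a world-readable OTP seed file that a real deployment might copy.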
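Review bot: `max-ban-score = 0` switches off ocserv's ban logic in a config whose PAM stack now accepts a six-digit OTP with `window=20`, and the only explanation is `# Set to zero to disable.`, which states what the line does but not why. The reason is visible in tests/pam-test, which deliberately makes three failed logins from the same client before the successful one, and the comment should record that so the line is not carried into a real config: `# Banning is disabled only because pam-test makes several failed attempts from one IP before the good one; a production config must leave it enabled, since the OTP window makes guessing cheap.`.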
@@ -2,6 +2,7 @@
 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
 auth substack system-auth
 auth include postlogin
+auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
 account required pam_nologin.so
 account include system-auth
 password include system-auth
diff --git a/tests/docker-ocserv/users.oath b/tests/docker-ocserv/users.oath
new file mode 100644
index 00000000..14d93db4
--- /dev/null
+++ b/tests/docker-ocserv/users.oath
@@ -0,0 +1 @@
+HOTP testuser - 00
diff --git a/tests/pam-test b/tests/pam-test
index 96793991..3bc74b21 100755
--- a/tests/pam-test
+++ b/tests/pam-test
@@ -20,7 +20,7 @@
 srcdir=${srcdir:-.}
-PORT_OCSERV=5551
+PORT_OCSERV=443
 #this test can only be run as root
 id|grep root >/dev/null 2>&1
 if [ $? != 0 ];then
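Review bot: `auth requisite pam_oath.so ...` is placed after `auth substack system-auth`, so a rejected password inside the substack does not stop the stack and pam_oath still verifies the OTP (and, as I read pam_oath, advances the HOTP counter in /etc/users.oath when the OTP is correct) before the overall failure is returned; if the OTP is meant to be consumed only after a correct password, that ordering should be documented or changed. The `debug` option also writes per-attempt detail to syslog and belongs only in this test image. A comment above the new line would make both points explicit: `# OTP (HOTP, 20-counter window) is checked after the password substack, even when the password failed; 'debug' is for the test image only`.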
@@ -53,22 +53,39 @@ if test ! -z "$QUIT_ON_INIT";then
 exit 0
 fi
-printf "testuser\n" >pass-pam.tmp
-$OPENCONNECT $IP:$PORT_OCSERV -u testuser --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
+echo ""
+echo "Trying with wrong password and OTP"
+printf "testuser\n999999\n" >pass-pam.tmp
+$OPENCONNECT $IP:$PORT_OCSERV -q -u testuser --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
 if test $? = 0;then
 echo "Authentication with wrong password succeeded!"
 stop
 fi
-printf "testuser123\n" >pass-pam.tmp
-$OPENCONNECT $IP:$PORT_OCSERV -u test --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
+echo ""
+echo "Trying with wrong username"
+printf "testuser123\n328482\n" >pass-pam.tmp
+$OPENCONNECT $IP:$PORT_OCSERV -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
 if test $? = 0;then
 echo "Authentication with wrong username succeeded!"
 stop
 fi
-printf "testuser123\n" >pass-pam.tmp
-$OPENCONNECT $IP:$PORT_OCSERV -u testuser --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-pam.tmp &
+echo ""
+echo "Trying with wrong OTP"
+printf "testuser123\n99999\n" >pass-pam.tmp
+$OPENCONNECT $IP:$PORT_OCSERV -q -u testuser --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
+if test $? = 0;then
+ echo "Authentication with wrong OTP succeeded!"
+ stop
+fi
+
+echo ""
+echo "Trying with correct password"
+#oathtool -w 0 00
+printf "testuser123\n328482\n" >pass-pam.tmp
+cat pass-pam.tmp
+$OPENCONNECT $IP:$PORT_OCSERV -u testuser --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-pam.tmp &
 PID=$!
 rm -f pass-pam.tmp
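Review bot: `cat pass-pam.tmp` in the new "correct password" block prints the password and the live OTP into the test output, which is exactly what ends up in CI logs; drop that line (or print only the username). The "wrong OTP" case sends `99999`, a five-digit value, while every other OTP in this file is six digits, so it may be refused for its length rather than its value — use `printf "testuser123\n999999\n" >pass-pam.tmp` so the case exercises a well-formed but wrong code. The accepted OTP `328482` is tied to the `00` seed at HOTP counter 0 (the `#oathtool -w 0 00` comment records how it was produced) and the counter moves once it is accepted, so the success case only holds against a freshly built container; that is worth stating next to the comment. The script continues past this hunk after `rm -f pass-pam.tmp`, so the handling of the backgrounded connection is not visible here.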