tests: enhanced PAM test with a second (OTP) password

tests/docker-ocserv/Dockerfile-fedora-pam

@@ -7,14 +7,15 @@ RUN yum install -y lz4
 RUN yum install -y pam
 RUN yum install -y freeradius-client
 RUN yum install -y krb5-libs
+RUN yum install -y pam_oath oathtool
 RUN systemctl enable sshd
 RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
 
 RUN echo 'root:root' |chpasswd
 RUN useradd -m -d /home/admin -s /bin/bash admin
 RUN echo 'admin:admin' |chpasswd
-EXPOSE 5551
-EXPOSE 5551/udp
+EXPOSE 443
+EXPOSE 443/udp
 EXPOSE 22
 
 RUN mkdir /etc/ocserv
@@ -25,6 +26,7 @@ ADD key.pem /etc/ocserv/
 ADD cert.pem /etc/ocserv/
 ADD ocserv-pam.conf /etc/ocserv/ocserv.conf
 ADD pam-ocserv /etc/pam.d/ocserv
+ADD users.oath /etc/users.oath
 ADD ocserv /usr/sbin/
 ADD ocpasswd /usr/bin/
 ADD occtl /usr/bin/

tests/docker-ocserv/ocserv-pam.conf

@@ -42,8 +42,8 @@ max-clients = 16
 max-same-clients = 2
 
 # TCP and UDP port number
-tcp-port = 5551
-udp-port = 5551
+tcp-port = 443
+udp-port = 443
 
 # Keepalive in seconds
 keepalive = 32400
@@ -133,6 +133,9 @@ auth-timeout = 40
 # a failed authentication attempt.
 #min-reauth-time = 2
 
+# Set to zero to disable.
+max-ban-score = 0
+
 # Cookie validity time (in seconds)
 # Once a client is authenticated he's provided a cookie with
 # which he can reconnect. This option sets the maximum lifetime

tests/docker-ocserv/pam-ocserv

@@ -2,6 +2,7 @@
 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
 auth       substack     system-auth
 auth       include      postlogin
+auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
 account    required     pam_nologin.so
 account    include      system-auth
 password   include      system-auth

tests/docker-ocserv/users.oath

@@ -0,0 +1 @@
+HOTP testuser - 00

tests/pam-test

@@ -20,7 +20,7 @@
 
 srcdir=${srcdir:-.}
 
-PORT_OCSERV=5551
+PORT_OCSERV=443
 #this test can only be run as root
 id|grep root >/dev/null 2>&1
 if [ $? != 0 ];then
@@ -53,22 +53,39 @@ if test ! -z "$QUIT_ON_INIT";then
 	exit 0
 fi
 
-printf "testuser\n" >pass-pam.tmp
-$OPENCONNECT $IP:$PORT_OCSERV -u testuser --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
+echo ""
+echo "Trying with wrong password and OTP"
+printf "testuser\n999999\n" >pass-pam.tmp
+$OPENCONNECT $IP:$PORT_OCSERV -q -u testuser --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
 if test $? = 0;then
 	echo "Authentication with wrong password succeeded!"
 	stop
 fi
 
-printf "testuser123\n" >pass-pam.tmp
-$OPENCONNECT $IP:$PORT_OCSERV -u test --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
+echo ""
+echo "Trying with wrong username"
+printf "testuser123\n328482\n" >pass-pam.tmp
+$OPENCONNECT $IP:$PORT_OCSERV -u test --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
 if test $? = 0;then
 	echo "Authentication with wrong username succeeded!"
 	stop
 fi
 
-printf "testuser123\n" >pass-pam.tmp
-$OPENCONNECT $IP:$PORT_OCSERV -u testuser --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-pam.tmp &
+echo ""
+echo "Trying with wrong OTP"
+printf "testuser123\n99999\n" >pass-pam.tmp
+$OPENCONNECT $IP:$PORT_OCSERV -q -u testuser --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 --cookieonly < pass-pam.tmp
+if test $? = 0;then
+	echo "Authentication with wrong OTP succeeded!"
+	stop
+fi
+
+echo ""
+echo "Trying with correct password"
+#oathtool -w 0 00
+printf "testuser123\n328482\n" >pass-pam.tmp
+cat pass-pam.tmp
+$OPENCONNECT $IP:$PORT_OCSERV -u testuser --passwd-on-stdin --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass-pam.tmp &
 PID=$!
 
 rm -f pass-pam.tmp