tests: enhanced PAM test with a second (OTP) password

tests/docker-ocserv/Dockerfile-fedora-pam

@@ -7,14 +7,15 @@ RUN yum install -y lz4
 RUN yum install -y pam
 RUN yum install -y freeradius-client
 RUN yum install -y krb5-libs
+RUN yum install -y pam_oath oathtool
 RUN systemctl enable sshd
 RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
 
 RUN echo 'root:root' |chpasswd
 RUN useradd -m -d /home/admin -s /bin/bash admin
 RUN echo 'admin:admin' |chpasswd
-EXPOSE 5551
-EXPOSE 5551/udp
+EXPOSE 443
+EXPOSE 443/udp
 EXPOSE 22
 
 RUN mkdir /etc/ocserv
@@ -25,6 +26,7 @@ ADD key.pem /etc/ocserv/
 ADD cert.pem /etc/ocserv/
 ADD ocserv-pam.conf /etc/ocserv/ocserv.conf
 ADD pam-ocserv /etc/pam.d/ocserv
+ADD users.oath /etc/users.oath
 ADD ocserv /usr/sbin/
 ADD ocpasswd /usr/bin/
 ADD occtl /usr/bin/

tests/docker-ocserv/ocserv-pam.conf

@@ -42,8 +42,8 @@ max-clients = 16
 max-same-clients = 2
 
 # TCP and UDP port number
-tcp-port = 5551
-udp-port = 5551
+tcp-port = 443
+udp-port = 443
 
 # Keepalive in seconds
 keepalive = 32400
@@ -133,6 +133,9 @@ auth-timeout = 40
 # a failed authentication attempt.
 #min-reauth-time = 2
 
+# Set to zero to disable.
+max-ban-score = 0
+
 # Cookie validity time (in seconds)
 # Once a client is authenticated he's provided a cookie with
 # which he can reconnect. This option sets the maximum lifetime

tests/docker-ocserv/pam-ocserv

@@ -2,6 +2,7 @@
 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
 auth       substack     system-auth
 auth       include      postlogin
+auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
 account    required     pam_nologin.so
 account    include      system-auth
 password   include      system-auth

tests/docker-ocserv/users.oath

@@ -0,0 +1 @@
+HOTP testuser - 00