2026-02-10 00:37:00 +08:00 · 2015-01-25 20:00:56 +01:00
parent 1e718980df
commit 9dc43045c7
13 changed files with 916 additions and 12 deletions
							
							
								
							
							
						
@@ -11,7 +11,7 @@ SUBDIRS = docker-ocserv
dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \
	test-multi-cookie test-pam test-stress full-test test-group-pass test-pass-group-cert \
	ocpasswd-test test-pass-group-cert-no-pass unix-test test-pass-opt-cert \
	test-cookie-timeout test-cookie-timeout-2
	test-cookie-timeout test-cookie-timeout-2 radius-test
TESTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \
	test-multi-cookie full-test test-group-pass test-pass-group-cert \
							
								
							
							
							
						
 
							
							
								
							
							
						
@@ -49,11 +49,7 @@ if test "$FEDORA" = 1;then
		$UNLOCKFILE
		exit 1
	fi
	if test "$UNIX" = 1;then
		cp docker-ocserv/Dockerfile-fedora-unix docker-ocserv/Dockerfile
	else
		cp docker-ocserv/Dockerfile-fedora-tcp docker-ocserv/Dockerfile
	fi
	cp docker-ocserv/Dockerfile-fedora-$CONFIG docker-ocserv/Dockerfile
else #DEBIAN
	echo "Using the Debian image"
	$DOCKER pull debian:jessie
							
							
							
								
							
						
@@ -62,11 +58,7 @@ else #DEBIAN
		$UNLOCKFILE
		exit 1
	fi
	if test "$UNIX" = 1;then
		cp docker-ocserv/Dockerfile-debian-unix docker-ocserv/Dockerfile
	else
		cp docker-ocserv/Dockerfile-debian-tcp docker-ocserv/Dockerfile
	fi
	cp docker-ocserv/Dockerfile-debian-$CONFIG docker-ocserv/Dockerfile
fi
cp ../src/ocserv ../src/ocpasswd ../src/occtl docker-ocserv/
							
								
							
							
							
						
 
							
							
							
						
@@ -0,0 +1,43 @@
FROM debian:jessie
RUN apt-get update;sleep 3
RUN apt-get install -y libgnutls-deb0-28
RUN apt-get install -y libprotobuf-c1
RUN apt-get install -y libwrap0 libpam0g libseccomp2 libdbus-1-3 libreadline5 libnl-route-3-200
RUN apt-get install -y libhttp-parser2.1 libpcl1 libopts25 autogen
RUN apt-get install -y libsystemd-daemon0 valgrind nuttcp openssh-server bash
RUN apt-get install -y libtalloc2
RUN apt-get install -y liblz4-1
RUN apt-get install -y freeradius libfreeradius-client2
RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
RUN echo 'root:root' |chpasswd
RUN useradd -m -d /home/admin -s /bin/bash admin
RUN echo 'admin:admin' |chpasswd
EXPOSE 10500
EXPOSE 10500/udp
EXPOSE 10501
EXPOSE 10501/udp
EXPOSE 10522
EXPOSE 10522/udp
EXPOSE 22
RUN mkdir /etc/ocserv
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
ADD radiusclient.conf /etc/radiusclient/
ADD radius-clients.conf /etc/freeradius/clients.conf
ADD radiusclient-servers /etc/freeradius/servers
ADD ocserv /usr/sbin/
ADD ocpasswd /usr/bin/
ADD occtl /usr/bin/
ADD myscript /usr/bin/
ADD freeradius-users /etc/freeradius/users
# It's not possible to use mknod inside a container with the default LXC
# template, so we untar it from this archive.
ADD dev-tun.tgz /dev/
CMD nuttcp -S;/etc/init.d/ssh restart;/usr/sbin/freeradius -X -f >/tmp/freeradius.out 2>&1 & mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600
							
							
							
						
@@ -0,0 +1,40 @@
FROM fedora:21
RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp
RUN yum install -y bash openssh-server nuttcp
RUN yum install -y libnl3 libtalloc
RUN yum install -y lz4
RUN yum install -y freeradius freeradius-client
RUN systemctl enable sshd
RUN sed 's/PermitRootLogin without-password/PermitRootLogin yes/g' -i /etc/ssh/sshd_config
RUN echo 'root:root' |chpasswd
RUN useradd -m -d /home/admin -s /bin/bash admin
RUN echo 'admin:admin' |chpasswd
EXPOSE 10500
EXPOSE 10500/udp
EXPOSE 10501
EXPOSE 10501/udp
EXPOSE 10522
EXPOSE 10522/udp
EXPOSE 22
RUN mkdir /etc/ocserv
ADD key.pem /etc/ocserv/
ADD cert.pem /etc/ocserv/
ADD ocserv-radius.conf /etc/ocserv/ocserv.conf
ADD radiusclient.conf /etc/radiusclient/
ADD radius-clients.conf /etc/freeradius/clients.conf
ADD radiusclient-servers /etc/freeradius/servers
ADD ocserv /usr/sbin/
ADD ocpasswd /usr/bin/
ADD occtl /usr/bin/
ADD myscript /usr/bin/
ADD freeradius-users /etc/freeradius/users
# It's not possible to use mknod inside a container with the default LXC
# template, so we untar it from this archive.
ADD dev-tun.tgz /dev/
CMD nuttcp -S;sshd-keygen;/usr/sbin/sshd;mkdir -p /tmp/disconnect/;usr/sbin/ocserv -d 1 -f;sleep 3600
							
							
							
						
@@ -1,6 +1,8 @@
EXTRA_DIST = passwd ocserv.conf Dockerfile-debian-tcp dev-tun.tgz myscript key.pem cert.pem \
	Dockerfile-debian-unix ocserv-unix.conf haproxy.cfg combo.pem Dockerfile-fedora-unix \
	Dockerfile-fedora-tcp
	Dockerfile-fedora-tcp freeradius-users Dockerfile-debian-radius Dockerfile-fedora-radius \
	freeradius-users ocserv-radius.conf radiusclient.conf radius-clients.conf \
	radiusclient-servers
TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
	top_builddir="$(top_builddir)"
							
							
							
						
 
							
							
							
						
@@ -0,0 +1,16 @@
#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
test	Cleartext-Password := "test"
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-Route = 192.168.100.5/24,
	Framed-Route = 192.168.1.0/8,
	Framed-IPv6-Prefix = "2000:0:0:106::/64",
	Framed-IP-Address = 192.168.1.190,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = Broadcast-Listen,
	Framed-MTU = 1500,
							
							
							
						
@@ -0,0 +1,304 @@
# User authentication method. Could be set multiple times and in that case
# all should succeed.
# Options: certificate, pam. 
#auth = "certificate"
#auth = "plain[/etc/ocserv/passwd]"
#auth = "pam"
auth = "radius[/etc/radiusclient/radiusclient.conf,groupconfig]"
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /var/run/occtl.socket
# The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname:encoded-password"
# One entry must be listed per line, and 'ocpasswd' can be used
# to generate password entries.
#auth = "plain[/etc/ocserv/ocpasswd]"
# A banner to be displayed on clients
#banner = "Welcome"
stats-report-time = 60
# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 16
# Limit the number of client connections to one every X milliseconds 
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Limit the number of identical clients (i.e., users connecting 
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
# TCP and UDP port number
tcp-port = 10522
udp-port = 10522
# Keepalive in seconds
keepalive = 32400
# Dead peer detection in seconds.
dpd = 240
# Dead peer detection for mobile clients. The needs to
# be much higher to prevent such clients being awaken too 
# often by the DPD messages, and save battery.
# (clients that send the X-AnyConnect-Identifier-DeviceType)
mobile-dpd = 1800
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g., 
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# There may be multiple certificate and key pairs and each key
# should correspond to the preceding certificate.
server-cert = /etc/ocserv/cert.pem
server-key = /etc/ocserv/key.pem
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# In case PKCS #11 or TPM keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the 
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
#ca-cert = /path/to/ca.pem
# The object identifier that will be used to read the user ID in the client 
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are: 
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
#cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the 
# client  certificate. The object identifier should be part of the certificate's
# DN. Useful OIDs are: 
#  OU (organizational unit) = 2.5.4.11 
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
#crl = /path/to/crl.pem
# GnuTLS priority string
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
# To enforce perfect forward secrecy (PFS) on the main channel.
#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 40
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
#idle-timeout = 1200
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
#mobile-idle-timeout = 2400
# The time (in seconds) that a client is not allowed to reconnect after 
# a failed authentication attempt.
#min-reauth-time = 2
# Cookie validity time (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. This option sets the maximum lifetime
# of that cookie.
cookie-validity = 86400
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable.
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
#  ssl: Will perform an efficient rehandshake on the channel allowing
#       a seamless connection during rekey.
#  new-tunnel: Will instruct the client to discard and re-establish the channel.
#       Use this option only if the connecting clients have issues with the ssl
#       option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP
# Parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
#connect-script = /usr/bin/myscript
disconnect-script = /usr/bin/myscript
# UTMP
use-utmp = true
# D-BUS usage. If disabled occtl tool cannot be used. If enabled
# then ocserv must have access to register org.infradead.ocserv
# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
use-dbus = false
# PID file. It can be overriden in the command line.
pid-file = /var/run/ocserv.pid
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# socket file used for IPC, will be appended with .PID
# It must be accessible within the chroot environment (if any)
socket-file = /var/run/ocserv-socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name of the tun device
device = vpns
# The default domain to be advertised
default-domain = example.com
# The pool of addresses that leases will be given from.
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
#dns = 192.168.1.2
# The NBNS server (if any)
#nbns = 192.168.1.3
# The IPv6 subnet that leases will be given from.
ipv6-network = fd91:6d87:7341:db6a::
ipv6-prefix = 64
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
ping-leases = false
# Unset to assign the default MTU of the device
# mtu = 
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the 
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server.
route = 192.168.1.0/255.255.255.0
#route = 192.168.5.0/255.255.255.0
#route = fef4:db8:1000:1001::/64
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
#  net-priority and cgroup.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below).
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# The system command to use to setup a route. %R will be replaced with the
# route/mask and %D with the (tun) device.
#
# The following example is from linux systems. %R should be something
# like 192.168.2.0/24
#route-add-cmd = "ip route add %R dev %D"
#route-del-cmd = "ip route delete %R dev %D"
#
# The following options are for (experimental) AnyConnect client 
# compatibility. 
# Client profile xml. A sample file exists in doc/profile.xml.
# This file must be accessible from inside the worker's chroot. 
# It is not used by the openconnect client.
#user-profile = profile.xml
# Binary files that may be downloaded by the CISCO client. Must
# be within any chroot environment.
#binary-files = /path/to/binaries
# Unless set to false it is required for clients to present their
# certificate even if they are authenticating via a previously granted
# cookie and complete their authentication in the same TCP connection.
# Legacy CISCO clients do not do that, and thus this option should be 
# set for them.
#cisco-client-compat = false
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment.
#custom-header = "X-My-Header: hi there"
							
							
							
						
@@ -0,0 +1,235 @@
# -*- text -*-
##
## clients.conf -- client configuration directives
##
##	$Id: 729c15d3e84c6cdb54a5f3652d93a2d7f8725fd4 $
#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).
#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#
#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	ipaddr = 127.0.0.1
	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost
	#
	#  A note on DNS:  We STRONGLY recommend using IP addresses
	#  rather than host names.  Using host names means that the
	#  server will do DNS lookups when it starts, making it
	#  dependent on DNS.  i.e. If anything goes wrong with DNS,
	#  the server won't start!
	#
	#  The server also looks up the IP address from DNS once, and
	#  only once, when it starts.  If the DNS record is later
	#  updated, the server WILL NOT see that update.
	#
	#  One client definition can be applied to an entire network.
	#  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
	#  "netmask = 8"
	#
	#  If not specified, the default netmask is 32 (i.e. /32)
	#
	#  We do NOT recommend using anything other than 32.  There
	#  are usually other, better ways to achieve the same goal.
	#  Using netmasks of other than 32 can cause security issues.
	#
	#  You can specify overlapping networks (127/8 and 127.0/16)
	#  In that case, the smallest possible network will be used
	#  as the "best match" for the client.
	#
	#  Clients can also be defined dynamically at run time, based
	#  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
	#  etc.
	#  See raddb/sites-available/dynamic-clients for details.
	#
#	netmask = 32
	#
	#  The shared secret use to "encrypt" and "sign" packets between
	#  the NAS and FreeRADIUS.  You MUST change this secret from the
	#  default, otherwise it's not a secret any more!
	#
	#  The secret can be any string, up to 8k characters in length.
	#
	#  Control codes can be entered vi octal encoding,
	#	e.g. "\101\102" == "AB"
	#  Quotation marks can be entered by escaping them,
	#	e.g. "foo\"bar"
	#
	#  A note on security:  The security of the RADIUS protocol
	#  depends COMPLETELY on this secret!  We recommend using a
	#  shared secret that is composed of:
	#
	#	upper case letters
	#	lower case letters
	#	numbers
	#
	#  And is at LEAST 8 characters long, preferably 16 characters in
	#  length.  The secret MUST be random, and should not be words,
	#  phrase, or anything else that is recognizable.
	#
	#  The default secret below is only for testing, and should
	#  not be used in any real environment.
	#
	secret		= testing123
	#
	#  Old-style clients do not send a Message-Authenticator
	#  in an Access-Request.  RFC 5080 suggests that all clients
	#  SHOULD include it in an Access-Request.  The configuration
	#  item below allows the server to require it.  If a client
	#  is required to include a Message-Authenticator and it does
	#  not, then the packet will be silently discarded.
	#
	#  allowed values: yes, no
	require_message_authenticator = no
	#
	#  The short name is used as an alias for the fully qualified
	#  domain name, or the IP address.
	#
	#  It is accepted for compatibility with 1.x, but it is no
	#  longer necessary in 2.0
	#
#	shortname	= localhost
	#
	# the following three fields are optional, but may be used by
	# checkrad.pl for simultaneous use checks
	#
	#
	# The nastype tells 'checkrad.pl' which NAS-specific method to
	#  use to query the NAS for simultaneous use.
	#
	#  Permitted NAS types are:
	#
	#	cisco
	#	computone
	#	livingston
	#	juniper
	#	max40xx
	#	multitech
	#	netserver
	#	pathras
	#	patton
	#	portslave
	#	tc
	#	usrhiper
	#	other		# for all other types
	#
	nastype     = other	# localhost isn't usually a NAS...
	#
	#  The following two configurations are for future use.
	#  The 'naspasswd' file is currently used to store the NAS
	#  login name and password, which is used by checkrad.pl
	#  when querying the NAS for simultaneous use.
	#
#	login       = !root
#	password    = someadminpas
	#
	#  As of 2.0, clients can also be tied to a virtual server.
	#  This is done by setting the "virtual_server" configuration
	#  item, as in the example below.
	#
#	virtual_server = home1
	#
	#  A pointer to the "home_server_pool" OR a "home_server"
	#  section that contains the CoA configuration for this
	#  client.  For an example of a coa home server or pool,
	#  see raddb/sites-available/originate-coa
#	coa_server = coa
}
# IPv6 Client
#client ::1 {
#	secret		= testing123
#	shortname	= localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
#	secret		= testing123
#	shortname	= localhost
#}
#client some.host.org {
#	secret		= testing123
#	shortname	= localhost
#}
#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#	secret		= testing123-1
#	shortname	= private-network-1
#}
#
#client 192.168.0.0/16 {
#	secret		= testing123-2
#	shortname	= private-network-2
#}
#client 10.10.10.10 {
#	# secret and password are mapped through the "secrets" file.
#	secret      = testing123
#	shortname   = liv1
#       # the following three fields are optional, but may be used by
#       # checkrad.pl for simultaneous usage checks
#	nastype     = livingston
#	login       = !root
#	password    = someadminpas
#}
#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#	client 192.168.3.4 {
#		secret = testing123
#        }
#}
							
							
							
						
@@ -0,0 +1,10 @@
## Server Name or Client/Server pair		Key		
## ----------------				---------------
#
#portmaster.elemental.net			hardlyasecret
#portmaster2.elemental.net			donttellanyone
#
## uncomment the following line for simple testing of radlogin
## with freeradius-server
#
localhost/localhost				testing123
							
							
							
						
@@ -0,0 +1,92 @@
# General settings
# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order	radius,local
# maximum login tries a user has
login_tries	4
# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout	60
# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin
# name of the issue file. it's only display when no username is passed
# on the radlogin command line
issue	/etc/radiusclient/issue
# RADIUS settings
# RADIUS server to use for authentication requests. this config
# item can appear more then one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify a the port number on which is remote
# RADIUS listens separated by a colon from the hostname. if
# no port is specified /etc/services is consulted of the radius
# service. if this fails also a compiled in default is used.
authserver 	localhost
# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too. 
#
acctserver 	localhost
# file holding shared secrets used for the communication
# between the RADIUS client and server
servers		/etc/radiusclient/servers
# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary 	/etc/radiusclient/dictionary
# program to call for a RADIUS authenticated login
login_radius	/usr/sbin/login.radius
# file which holds sequence number for communication with the
# RADIUS server
seqfile		/var/run/radius.seq
# file which specifies mapping between ttyname and NAS-Port attribute
mapfile		/etc/radiusclient/port-id-map
# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly form Livingston doesnt use any realms, so leave
# it blank then
default_realm
# time to wait for a reply from the RADIUS server
radius_timeout	10
# resend request this many times before trying the next server
radius_retries	3
# The length of time in seconds that we skip a nonresponsive RADIUS
# server for transaction requests.  Server(s) being in the "dead" state
# are tried only after all other non-dead servers have been tried and
# failed or timeouted.  The deadtime interval starts when the server
# does not respond to an authentication/accounting request transmissions. 
# When the interval expires, the "dead" server would be re-tried again,
# and if it's still down then it will be considered "dead" for another
# such interval and so on. This option is no-op if there is only one
# server in the list. Set to 0 in order to disable the feature.
radius_deadtime	0
# local address from which radius packets have to be sent
bindaddr *
# LOCAL settings
# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local	/bin/login
							
							
								
							
							
						
@@ -26,6 +26,7 @@ if [ $? != 0 ];then
	exit 77
fi
CONFIG="tcp"
IMAGE=ocserv-test1
. ./docker-common.sh
							
								
							
							
							
						
 
							
							
							
						
@@ -0,0 +1,168 @@
#!/bin/sh
#
# Copyright (C) 2014 Red Hat
#
# This file is part of ocserv.
#
# ocserv is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# ocserv is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with ocserv; if not, write to the Free Software Foundation,
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
srcdir=${srcdir:-.}
PORT=10500
PORT2=10501
PORT_OCSERV=10522
#this test can only be run as root
id|grep root >/dev/null 2>&1
if [ $? != 0 ];then
	exit 77
fi
CONFIG="radius"
IMAGE=ocserv-radius-test
. ./docker-common.sh
stop() {
	$DOCKER stop test_ocserv_radius
	$DOCKER rm test_ocserv_radius
	exit 1
}
$DOCKER run -P --privileged=true -p $PORT:$PORT/udp -p $PORT2:$PORT2/udp -p 22 -p $PORT_OCSERV:$PORT_OCSERV/udp --tty=false -d --name test_ocserv_radius $IMAGE
if test $? != 0;then
	echo "Cannot run docker image"
	exit 1
fi
echo "ocserv image was run"
#wait for ocserv to server
sleep 5
IP=`$DOCKER inspect test_ocserv_radius | grep IPAddress | cut -d '"' -f 4`
if test -z "$IP";then
	echo "Detected IP is null!"
	stop
fi
echo "Detected IP: $IP"
printf "test\ntest\n" >pass.tmp
openconnect $IP:$PORT_OCSERV -u test --passwd-on-stdin -v --servercert=d66b507ae074d03b02eafca40d35f87dd81049d3 < pass.tmp &
PID=$!
rm -f pass.tmp
#wait for openconnect
sleep 5
# The client IP depends on the username so it shouldn't change.
ping -w 5 192.168.1.190
if test $? != 0;then
	kill $PID
	echo "Cannot ping ocserv"
	stop
fi
ping -w 5 192.168.1.190 -s 1500
if test $? != 0;then
	kill $PID
	echo "Cannot ping ocserv"
	stop
fi
ping6 -w 5 fd91:6d87:7341:db6a:0:52:190c:be00
if test $? != 0;then
	kill $PID
	echo "Cannot ping the IPv6 of ocserv"
	stop
fi
echo "UserKnownHostsFile ./known-hosts.tmp" >config.tmp
printf "#\!/bin/sh\n" >echo-admin.tmp
printf "echo yes" >>echo-admin.tmp
printf "echo root" >>echo-admin.tmp
printf "\n" >>echo-admin.tmp
chmod 755 echo-admin.tmp
export SSH_ASKPASS="./echo-admin.tmp"
setsid ssh -T -F config.tmp root@192.168.1.190 occtl show user test >out.tmp 2>&1
cat out.tmp
printf "#\!/bin/sh\n" >echo-admin.tmp
printf "echo root" >>echo-admin.tmp
printf "\n" >>echo-admin.tmp
chmod 755 echo-admin.tmp
setsid ssh -T -F config.tmp root@192.168.1.190 occtl show user test >out.tmp 2>&1
cat out.tmp
rm -f echo-admin.tmp
rm -f config.tmp
rm -f known-hosts.tmp
grep "Username" out.tmp
if test $? != 0;then
	kill $PID
	echo "could not find user information"
	stop
fi
rm -f out.tmp
# There is an issue in nuttcp that makes it crash under docker if
# /proc/sys/net/ipv4/tcp_adv_win_scale does not exist.
if test "$FEDORA" = 1;then
nuttcp -T 10 -t 192.168.1.190
if test $? != 0;then
	kill $PID
	echo "Cannot send to ocserv"
	stop
fi
nuttcp -T 10 -r 192.168.1.190
if test $? != 0;then
	kill $PID
	echo "Cannot recv from ocserv"
	stop
fi
fi
sleep 2
kill $PID
sleep 4
#check whether /tmp/disconnect/ok was created
rm -f ./not-ok
$DOCKER cp test_ocserv_radius:/tmp/disconnect/not-ok ./
if test -f ./not-ok;then
	echo "There was an issue getting stats"
	stop
fi
rm -f ./not-ok
ret=0
rm -f ./tmp-full/ok
$DOCKER cp test_ocserv_radius:/tmp/disconnect/ok ./tmp-full/
if ! test -f ./tmp-full/ok;then
	echo "Don't know if stats were received"
	ret=77
else
	echo -n "stats: "
	echo `cat ./tmp-full/ok`
	rm -rf ./tmp-full/
fi
$DOCKER stop test_ocserv_radius
$DOCKER rm test_ocserv_radius
exit $ret
							
							
								
							
							
						
@@ -27,6 +27,7 @@ if [ $? != 0 ];then
fi
UNIX=1
CONFIG="unix"
IMAGE=ocserv-test2
. ./docker-common.sh