tests: added kerberos test suite

tests/Makefile.am

@@ -8,7 +8,7 @@ EXTRA_DIST = ca-key.pem ca.pem common.sh server-cert.pem server-key.pem test1.co
 	test-explicit-ip user-config-explicit/test2 user-config-explicit/test3 \
 	user-config-explicit/test4 test-pass-opt-cert.config test-gssapi.config
 
-SUBDIRS = docker-ocserv
+SUBDIRS = docker-ocserv docker-kerberos
 
 dist_check_SCRIPTS = test-pass test-pass-cert test-cert test-iroute test-pass-script \
 	test-multi-cookie test-pam test-stress full-test test-group-pass test-pass-group-cert \

tests/docker-common.sh

@@ -12,6 +12,10 @@ LOCKFILE="lockfile docker.lock"
 UNLOCKFILE="rm -f docker.lock"
 fi
 
+if test -z "$DOCKER_DIR";then
+	DOCKER_DIR=docker-ocserv
+fi
+
 if ! test -x $DOCKER;then
 	echo "The docker program is needed to perform this test"
 	exit 77
@@ -42,6 +46,7 @@ $LOCKFILE
 $DOCKER stop $IMAGE_NAME >/dev/null 2>&1
 $DOCKER rm $IMAGE_NAME >/dev/null 2>&1
 
+rm -f $DOCKER_DIR/Dockerfile
 if test "$FEDORA" = 1;then
 	echo "Using the fedora image"
 	$DOCKER pull fedora:21
@@ -50,7 +55,7 @@ if test "$FEDORA" = 1;then
 		$UNLOCKFILE
 		exit 1
 	fi
-	cp docker-ocserv/Dockerfile-fedora-$CONFIG docker-ocserv/Dockerfile
+	cp $DOCKER_DIR/Dockerfile-fedora-$CONFIG $DOCKER_DIR/Dockerfile
 else #DEBIAN
 	echo "Using the Debian image"
 	$DOCKER pull debian:jessie
@@ -59,14 +64,14 @@ else #DEBIAN
 		$UNLOCKFILE
 		exit 1
 	fi
-	cp docker-ocserv/Dockerfile-debian-$CONFIG docker-ocserv/Dockerfile
+	cp $DOCKER_DIR/Dockerfile-debian-$CONFIG $DOCKER_DIR/Dockerfile
 fi
 
-rm -f docker-ocserv/ocserv docker-ocserv/ocpasswd docker-ocserv/occtl
-cp ../src/ocserv ../src/ocpasswd ../src/occtl docker-ocserv/
+rm -f $DOCKER_DIR/ocserv $DOCKER_DIR/ocpasswd $DOCKER_DIR/occtl
+cp ../src/ocserv ../src/ocpasswd ../src/occtl $DOCKER_DIR/
 
 echo "Creating image $IMAGE"
-$DOCKER build -t $IMAGE docker-ocserv/
+$DOCKER build -t $IMAGE $DOCKER_DIR/
 if test $? != 0;then
 	echo "Cannot build docker image"
 	$UNLOCKFILE

tests/docker-kerberos/Dockerfile-fedora-client

@@ -0,0 +1,30 @@
+# Clone from the Fedora 21 image
+FROM fedora:21
+
+RUN yum install -y krb5-libs krb5-workstation 
+RUN yum install -y gnutls gnutls-utils iproute systemd
+RUN yum install -y bash net-tools nuttcp iputils openssh-clients passwd
+RUN yum install -y lz4 openconnect
+
+# To be able to debug
+RUN yum install -y openssh-server strace lsof && yum clean all
+RUN echo 'root:root' | chpasswd
+RUN echo set -o vi >> /etc/bashrc
+
+EXPOSE  80 443 443/udp 88 88/udp
+
+ADD krb5.conf /etc/
+
+RUN useradd -m -p "$6$ZzoUpzPP$PaQoBzfpVCSO23OXB523mgcHaXeVkW/zqYFr84GiItggqo9NK.MAkqMXKuDLybuscuEwxtpAMSNaxTftyaQjT." testuser
+
+ADD ca.pem /etc/
+
+# It's not possible to use mknod inside a container with the default LXC
+# template, so we untar it from this archive.
+ADD dev-tun.tgz /dev/
+
+ADD openconnect /usr/sbin/
+ADD libopenconnect.so.5.1.0 /usr/lib64/
+RUN ldconfig
+
+CMD sshd-keygen;/usr/sbin/sshd;echo testuser123|kinit testuser@KERBEROS.TEST && /usr/sbin/openconnect kerberos.test --cafile /etc/ca.pem -b && sleep 5 && ping -w 5 192.168.1.1 && ping6 -w 5 fd91:6d87:7341:db6a::1 && kdestroy && ( /usr/sbin/openconnect kerberos.test --cafile /etc/ca.pem --cookieonly --non-inter || touch /tmp/ok ) ;sleep 3600

tests/docker-kerberos/Dockerfile-fedora-kerberos

@@ -0,0 +1,47 @@
+# Clone from the Fedora 21 image
+FROM fedora:21
+
+RUN yum install -y krb5-libs krb5-server krb5-workstation 
+RUN yum install -y gnutls gnutls-utils protobuf-c iproute pcllib http-parser tcp_wrappers pam systemd libseccomp
+RUN yum install -y bash net-tools nuttcp iputils openssh-clients
+RUN yum install -y libnl3 libtalloc
+RUN yum install -y lz4
+RUN yum install -y freeradius-client
+RUN yum install -y pam_krb5
+
+# To be able to debug
+RUN yum install -y openssh-server strace lsof && yum clean all
+RUN echo 'root:root' | chpasswd
+RUN echo set -o vi >> /etc/bashrc
+
+EXPOSE  80 443 443/udp 88 88/udp
+
+RUN mkdir -p /etc/ocserv
+RUN mkdir -p /tmp/disconnect/
+
+ADD krb5.conf /etc/
+ADD kdc.conf /var/kerberos/krb5kdc/
+ADD k5.KERBEROS.TEST /var/kerberos/krb5kdc/
+ADD kadm5.acl /var/kerberos/krb5kdc/
+
+RUN echo -e "secret123\nsecret123"|/usr/sbin/kdb5_util create -s
+RUN echo -e "testuser123\ntestuser123" | /usr/sbin/kadmin.local -q "addprinc testuser"
+RUN echo -e "test123\ntest123" | /usr/sbin/kadmin.local -q "addprinc HTTP/kerberos.test"
+RUN /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/krb5-keytab HTTP/kerberos.test@KERBEROS.TEST"
+RUN useradd testuser
+
+ADD key.pem /etc/ocserv/
+ADD cert.pem /etc/ocserv/
+ADD ocserv.conf /etc/ocserv/
+ADD passwd /etc/ocserv/
+ADD myscript /usr/bin/
+# It's not possible to use mknod inside a container with the default LXC
+# template, so we untar it from this archive.
+ADD dev-tun.tgz /dev/
+ADD pam-ocserv /etc/pam.d/ocserv
+
+ADD ocserv /usr/sbin/
+ADD ocpasswd /usr/bin/
+ADD occtl /usr/bin/
+
+CMD nuttcp -S;/usr/sbin/krb5kdc;sshd-keygen;/usr/sbin/sshd;/usr/sbin/ocserv -d 1 -f;sleep 3600

tests/docker-kerberos/Makefile.am

@@ -0,0 +1,7 @@
+EXTRA_DIST = Dockerfile-fedora-kerberos krb5.conf kdc.conf \
+	Dockerfile-fedora-client \
+	ocserv.conf cert.pem key.pem myscript passwd dev-tun.tgz \
+	k5.KERBEROS.TEST kadm5.acl pam-ocserv ca.pem
+
+TESTS_ENVIRONMENT = srcdir="$(srcdir)" \
+	top_builddir="$(top_builddir)"

tests/docker-kerberos/ca.pem

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDPzCCAfegAwIBAgIEUdguzDANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDEwJD
+QTAiGA8yMDEzMDcwNjE0NTA1MloYDzIwMjMwNTE1MTQ1MDUyWjANMQswCQYDVQQD
+EwJDQTCCAVIwDQYJKoZIhvcNAQEBBQADggE/ADCCAToCggExALRrJ5glr8H/Hsqw
+fvTYvO1DhmdUXdq0HsKQX4M8AhH8E3KFsoikZUELdl8jvoqf/nlLczsux0s8vxbJ
+l1U1F/OhckswwuAnlBLzVgDmzoJLEV2kHpv6+rkbKk0Ytbql5gzHqKihbaqIhNyW
+DrJsHDWq58eUPfnVx8KiDUuzbnr3CF/FCc0Vkxr3mN8qTGaJJO0f0BZjgWWlWDuh
+zSVim5mBVAgXGOx8LwiiOyhXMp0XRwqG+2KxQZnm+96o6iB+8xvuuuqaIWQpkvKt
+c+UZBZ03U+IRnxhfIrriiw0AjJ4vp4c9QL5KoqWSCAwuYcBYfJqZ4dasgzklzz4b
+7eujbZ3LxTjewcdumzQUvjA+gpAeuUqaduTvMwxGojFy9sNhC/iqZ4n0peV2N6Ep
+n4B5qnUCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwQA
+MB0GA1UdDgQWBBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC
+ATEAa1kdd8E1PkM06Isw0S/thEll0rAYsNHwSX17IDUWocTTQlmVXBXcvLqM04QT
+z7WNG4eushLhRpSn8LJQkf4RgvAxOMIjHM9troDbPVoec6k8fZrJ8jfXurOgoOVP
+g+hScT3VDvxgiOVwgXSe2XBryGDaviRuSOHlfy5GPVirLJLZwpcX6RpsHMX9rrZX
+ghvf8dwm4To9H5wT0Le2FnZRoLOTMmpr49bfKJqy/U7AUHaf4saSdkdEIaGOxkPk
+x+SFlr9TjavnJvL0TApkvfNZ1aOVHRHINgaFYHQJ4U0jQ/g7lPmD+UtZWnvSMNXH
+yct5cKOyP4j7Kla1sKPs+oamOQ7pR1Z/GwBxe48FvO7VDi7EkugLwlzoXC2G+4Jg
+fJbi9Ui2FmXEeKkX34f1ONNj9Q==
+-----END CERTIFICATE-----

tests/docker-kerberos/cert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnzCCAlegAwIBAgIIVOSF2gcNB+swDQYJKoZIhvcNAQELBQAwDTELMAkGA1UE
+AxMCQ0EwIhgPMjAxNTAyMTgxMjMwMTlaGA85OTk5MTIzMTIzNTk1OVowGjEYMBYG
+A1UEAxMPS2VyYmVyb3Mgc2VydmVyMIIBUjANBgkqhkiG9w0BAQEFAAOCAT8AMIIB
+OgKCATEApzor7D8UsCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leAWOGW/O7Q
+vQQVfl9/pTP4/LuR7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6zJlm4RYJ
+FZTeX06qGNJZ3WCcdl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kapfe2AGUV3
+DKEF1Y20Zs1S2SFbpkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+ROhb62gH
+MvniNIF0xpO+fSjT2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjpV3Ymf8ox
+4OfkSkOXbd3ZOe5QCFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0uxLQdDQiD
+O4b4ct9kKyeWVMjZ3E0n+qjFaHnYHQIDAQABo4GRMIGOMAwGA1UdEwEB/wQCMAAw
+GAYDVR0RBBEwD4INa2VyYmVyb3MudGVzdDATBgNVHSUEDDAKBggrBgEFBQcDATAP
+BgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBSoJUf2j0TWNRvvbKzR17luhPnfozAf
+BgNVHSMEGDAWgBRIIzRTCokxOEpa6sq20qbezh0rGDANBgkqhkiG9w0BAQsFAAOC
+ATEAUp1NcsVZ/kuZ3+GY7PiHOT76LoOtRKjlDdMEGysGbnKwAU8I6BJEHsMfjPMH
+o5lxfIKhJOxXQIe2Ry/oYvEs7UzGNj8jlx1LgZopVyPZ1iPQgwXeEOkCwNDNtTcb
+WRFokYHzjawbmGZsRS/HCA3JvUA41uIsY1apQLTZrEKZpx1jZ1L67nfGIKgItBo/
+0IHipCqrVh4VUOBUNXRsgqSgL8V3fzo+wQ8QHlylZXWEXunofKtiPaEjK+2OUWoD
+GB43yKkydhd0LKTYg/6UY5+lSUOjLw+WIic5viF7myNwtLCxwxK92e1Tok6sMPNO
+MPfAu3IGPvV6fLyYI0JVo7D5FCvpjdXTvkriP6jYNV4KzEGS2/URVJS93xrxEjz5
+8iy8tcXqNhVSDgQrxzRmbtHNaA==
+-----END CERTIFICATE-----

tests/docker-kerberos/dbus.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=D-Bus System Message Bus
+Requires=dbus.socket
+After=syslog.target
+
+[Service]
+PIDFile=/var/run/messagebus.pid
+ExecStartPre=/bin/mkdir -p /var/run/dbus
+ExecStartPre=/bin/chmod g+w /var/run/ /var/run/dbus/
+ExecStart=/bin/dbus-daemon --system --fork
+ExecReload=/bin/dbus-send --print-reply --system --type=method_call --dest=org.freedesktop.DBus / org.freedesktop.DBus.ReloadConfig
+ExecStopPost=/bin/rm -f /var/run/messagebus.pid
+OOMScoreAdjust=-900
+User=dbus
+Group=root
+PermissionsStartOnly=true

tests/docker-kerberos/k5.KERBEROS.TEST

@@ -0,0 +1 @@
+secret123

tests/docker-kerberos/kadm5.acl

@@ -0,0 +1 @@
+*/admin@KERBEROS.TEST	*

tests/docker-kerberos/kdc.conf

@@ -0,0 +1,13 @@
+[kdcdefaults]
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+
+[realms]
+ KERBEROS.TEST = {
+  #master_key_type = aes256-cts
+  acl_file = /var/kerberos/krb5kdc/kadm5.acl
+  dict_file = /usr/share/dict/words
+  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+  key_stash_file = /var/kerberos/krb5kdc/k5.KERBEROS.TEST,
+  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+ }

tests/docker-kerberos/key.pem

@@ -0,0 +1,165 @@
+Public Key Info:
+	Public Key Algorithm: RSA
+	Key Security Level: Normal (2432 bits)
+
+modulus:
+	00:a7:3a:2b:ec:3f:14:b0:2c:19:f6:f1:6e:90:1d:
+	bf:8e:a9:f6:e9:70:84:09:87:f3:50:f3:5f:c3:94:
+	50:fa:2c:64:d6:57:80:58:e1:96:fc:ee:d0:bd:04:
+	15:7e:5f:7f:a5:33:f8:fc:bb:91:ef:37:79:c3:5a:
+	db:f8:19:ed:03:af:22:d6:e9:37:2c:e8:53:c2:b7:
+	8b:2b:11:f0:a4:87:99:79:e0:ba:cc:99:66:e1:16:
+	09:15:94:de:5f:4e:aa:18:d2:59:dd:60:9c:76:5f:
+	c5:96:95:d4:63:78:bf:bc:13:b9:c5:51:c1:52:b5:
+	6a:e0:8b:d0:33:80:c1:6b:8e:c2:f8:a6:a9:7d:ed:
+	80:19:45:77:0c:a1:05:d5:8d:b4:66:cd:52:d9:21:
+	5b:a6:43:2e:dc:fa:d9:7b:12:ac:fc:97:1f:f1:4b:
+	fe:45:c7:db:48:46:e9:ea:35:2e:63:11:4b:3c:36:
+	7e:44:e8:5b:eb:68:07:32:f9:e2:34:81:74:c6:93:
+	be:7d:28:d3:d8:8a:c4:aa:02:e1:40:9a:6b:7f:5c:
+	34:d3:be:f3:a8:e9:da:40:b1:e5:ea:b5:1d:bf:2e:
+	36:49:58:e9:57:76:26:7f:ca:31:e0:e7:e4:4a:43:
+	97:6d:dd:d9:39:ee:50:08:58:44:7d:7a:02:0e:a3:
+	ff:86:02:4c:9e:93:46:49:e4:65:94:e9:5c:53:b0:
+	57:08:97:aa:32:dd:2e:c4:b4:1d:0d:08:83:3b:86:
+	f8:72:df:64:2b:27:96:54:c8:d9:dc:4d:27:fa:a8:
+	c5:68:79:d8:1d:
+
+public exponent:
+	01:00:01:
+
+private exponent:
+	79:2b:86:6d:fd:5b:41:38:03:6c:52:8e:59:70:a4:
+	bf:7b:da:44:55:d9:e6:8a:12:bd:22:4b:ce:8c:66:
+	8c:8f:a4:55:47:3b:e1:ab:3c:5b:73:b3:de:71:da:
+	1d:22:97:7c:1e:07:99:21:54:61:f0:61:93:32:ff:
+	d6:6a:fa:b9:43:aa:cb:ec:5a:a5:78:86:50:bd:eb:
+	e2:3e:72:8e:d5:0e:59:28:84:52:02:09:70:a9:25:
+	d5:f4:73:98:bd:88:34:ca:1e:81:71:22:8e:07:61:
+	45:76:b5:59:8a:41:eb:c6:a3:42:1d:b6:25:f6:fc:
+	45:4e:29:83:58:15:4e:99:38:1f:31:ab:f8:6a:21:
+	fa:ad:c1:d0:6d:d0:ab:67:ad:43:1c:1d:9e:e5:33:
+	e2:68:f9:e2:fa:d8:9a:e7:36:e0:20:8c:25:4d:e9:
+	17:95:4b:71:38:df:18:71:cd:e0:a0:7f:b2:58:fe:
+	8b:c0:1c:d2:96:4a:17:14:bf:1c:3b:e8:b5:54:2b:
+	8d:47:50:a7:77:56:61:a8:e3:79:dd:70:88:5f:89:
+	a1:f8:78:0d:47:ef:32:98:c1:47:88:d8:33:ed:95:
+	10:90:7f:f1:57:cb:2b:18:c9:58:a1:de:ef:1c:70:
+	5a:58:3c:86:3d:96:17:ad:9c:fd:0b:eb:d8:33:a4:
+	5f:7f:db:97:c0:78:b4:94:56:56:0a:83:b3:d3:02:
+	c6:6f:08:dc:0d:22:8f:2a:4b:25:7a:34:97:8e:63:
+	49:8a:39:d1:c1:1e:9b:93:41:c5:9c:b6:50:9e:ff:
+	7a:37:e4:c1:
+
+prime1:
+	00:cb:13:4a:a3:8f:ad:5c:63:89:30:f3:3b:eb:25:
+	85:d9:6c:ad:6d:50:f8:03:00:d3:1e:e3:ae:ad:54:
+	7a:9b:21:1a:72:18:a6:54:e4:32:58:8d:66:37:65:
+	8c:f7:8f:37:65:ec:f8:ef:2e:a9:c1:78:bb:04:90:
+	aa:fe:0a:f2:7c:80:82:32:c7:db:ef:bc:10:c6:ff:
+	e0:d4:2e:b9:3a:0e:cc:29:28:81:b8:41:78:37:80:
+	69:39:5e:97:44:36:d6:cd:39:af:14:c2:df:f3:67:
+	b7:d4:a7:49:da:f4:d3:ee:14:10:e4:5c:3f:4a:62:
+	52:81:34:d0:8e:f3:7e:d4:42:0a:34:e2:f9:a7:bc:
+	03:f9:c0:48:e8:9b:7f:da:08:ec:db:82:fd:a2:aa:
+	0f:5d:71:
+
+prime2:
+	00:d2:cf:2d:81:00:28:43:76:b3:76:10:3f:04:57:
+	63:94:fa:bb:08:6a:a2:7d:99:4b:0f:ad:76:11:da:
+	5c:2a:2b:33:0a:05:0d:f8:51:9a:4d:b3:40:4b:53:
+	63:c8:c1:96:45:c7:42:35:cf:05:cf:8a:e2:aa:bd:
+	dc:96:c0:fd:c8:c4:dc:4c:0b:1f:43:74:04:cf:13:
+	f5:fa:ea:b6:0d:82:92:8c:03:bd:e9:7b:b1:f2:d0:
+	df:fd:c5:1b:6e:66:b7:ce:f6:12:65:34:c8:15:01:
+	da:36:5e:f9:d8:ad:37:86:52:2b:ea:9f:f5:75:6b:
+	91:b3:01:6f:52:e9:e9:07:16:db:ba:65:e2:49:cc:
+	4f:70:11:39:5c:fa:d2:da:d4:0c:24:17:c4:68:6f:
+	d4:7f:6d:
+
+coefficient:
+	3b:96:f2:06:96:22:14:a2:fe:27:09:2f:43:b0:22:
+	a6:f4:ae:33:c2:f8:be:d5:03:96:7d:4a:d1:eb:7b:
+	9d:51:bd:77:1d:3f:79:ef:62:1d:c3:e9:c2:9a:53:
+	df:ec:33:9b:32:36:f6:e7:40:e8:6c:1b:16:3d:4e:
+	94:97:94:02:5d:cc:23:45:6b:53:8d:b8:7c:0e:24:
+	f9:5c:30:e4:e3:76:5b:f6:1f:74:3d:ca:e7:ef:a0:
+	1e:d3:c8:a2:54:d2:db:06:4b:0d:b0:b9:64:ca:dd:
+	68:44:51:d6:07:c5:ac:5b:e7:11:4b:76:b0:78:ba:
+	aa:b1:af:06:64:0d:27:1a:85:2d:a8:5a:c1:d7:c1:
+	2e:f6:ef:fe:f6:0d:d6:f1:18:fc:0b:14:b1:d7:76:
+	51:1b:
+
+exp1:
+	76:ce:d4:8e:18:92:ee:48:75:8d:23:e0:dc:53:d9:
+	99:38:d1:c5:f0:e7:08:aa:c4:d9:7f:8f:44:6c:f6:
+	46:27:f9:d6:e2:c0:fd:4d:7c:7e:fe:4a:dd:02:16:
+	95:07:3e:fb:ec:c6:3e:f8:e7:eb:fe:fc:3b:51:80:
+	18:9c:c2:fd:40:19:ec:27:ad:6e:f6:72:42:5a:95:
+	68:cd:e5:24:28:60:1d:7c:4b:58:47:45:54:03:56:
+	8c:6f:e0:c3:d1:e9:9d:ab:af:d8:cf:a2:42:3f:5d:
+	f7:95:df:c9:b0:0f:05:6c:cb:ed:2e:63:00:db:c1:
+	35:42:76:fa:0b:4f:1a:53:80:b1:2c:51:af:66:7a:
+	54:f5:c0:32:06:37:a8:92:2c:30:c8:d4:27:04:a3:
+	74:a1:
+
+exp2:
+	18:07:41:5a:88:d8:0e:08:83:a0:1b:6d:f3:62:ba:
+	99:0a:93:32:fc:64:95:08:5a:03:e9:73:a1:c9:4f:
+	e4:06:94:84:b9:da:c3:c9:19:5b:6d:e9:10:2c:eb:
+	1c:c0:e4:0e:04:0e:49:ef:d4:eb:b9:1a:e8:f7:47:
+	23:6f:cf:fd:88:62:cb:d0:20:ba:21:89:42:c9:35:
+	aa:6a:02:62:3b:d5:d4:5b:c0:d3:d2:23:90:57:ba:
+	90:44:5d:42:12:37:35:41:db:0a:ea:1f:3c:35:bf:
+	d7:9e:af:bf:c0:ce:a9:62:c8:5a:af:ec:dc:7b:6c:
+	5a:08:f9:d5:6b:90:02:1c:da:e2:be:26:32:df:34:
+	d6:c3:3f:d4:97:4a:5d:62:fa:17:4b:16:3a:09:35:
+	21:69:
+
+
+Public Key ID: A8:25:47:F6:8F:44:D6:35:1B:EF:6C:AC:D1:D7:B9:6E:84:F9:DF:A3
+Public key's random art:
++--[ RSA 2432]----+
+|            +    |
+|         . . =   |
+|      o o . . .  |
+|     o =     =  o|
+|    . + S   . O.o|
+|     = . o   * o.|
+|    .   . . . o. |
+|              .+.|
+|             Eo.=|
++-----------------+
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIFegIBAAKCATEApzor7D8UsCwZ9vFukB2/jqn26XCECYfzUPNfw5RQ+ixk1leA
+WOGW/O7QvQQVfl9/pTP4/LuR7zd5w1rb+BntA68i1uk3LOhTwreLKxHwpIeZeeC6
+zJlm4RYJFZTeX06qGNJZ3WCcdl/FlpXUY3i/vBO5xVHBUrVq4IvQM4DBa47C+Kap
+fe2AGUV3DKEF1Y20Zs1S2SFbpkMu3PrZexKs/Jcf8Uv+RcfbSEbp6jUuYxFLPDZ+
+ROhb62gHMvniNIF0xpO+fSjT2IrEqgLhQJprf1w0077zqOnaQLHl6rUdvy42SVjp
+V3Ymf8ox4OfkSkOXbd3ZOe5QCFhEfXoCDqP/hgJMnpNGSeRllOlcU7BXCJeqMt0u
+xLQdDQiDO4b4ct9kKyeWVMjZ3E0n+qjFaHnYHQIDAQABAoIBMHkrhm39W0E4A2xS
+jllwpL972kRV2eaKEr0iS86MZoyPpFVHO+GrPFtzs95x2h0il3weB5khVGHwYZMy
+/9Zq+rlDqsvsWqV4hlC96+I+co7VDlkohFICCXCpJdX0c5i9iDTKHoFxIo4HYUV2
+tVmKQevGo0IdtiX2/EVOKYNYFU6ZOB8xq/hqIfqtwdBt0KtnrUMcHZ7lM+Jo+eL6
+2JrnNuAgjCVN6ReVS3E43xhxzeCgf7JY/ovAHNKWShcUvxw76LVUK41HUKd3VmGo
+43ndcIhfiaH4eA1H7zKYwUeI2DPtlRCQf/FXyysYyVih3u8ccFpYPIY9lhetnP0L
+69gzpF9/25fAeLSUVlYKg7PTAsZvCNwNIo8qSyV6NJeOY0mKOdHBHpuTQcWctlCe
+/3o35MECgZkAyxNKo4+tXGOJMPM76yWF2WytbVD4AwDTHuOurVR6myEachimVOQy
+WI1mN2WM9483Zez47y6pwXi7BJCq/gryfICCMsfb77wQxv/g1C65Og7MKSiBuEF4
+N4BpOV6XRDbWzTmvFMLf82e31KdJ2vTT7hQQ5Fw/SmJSgTTQjvN+1EIKNOL5p7wD
++cBI6Jt/2gjs24L9oqoPXXECgZkA0s8tgQAoQ3azdhA/BFdjlPq7CGqifZlLD612
+EdpcKiszCgUN+FGaTbNAS1NjyMGWRcdCNc8Fz4riqr3clsD9yMTcTAsfQ3QEzxP1
++uq2DYKSjAO96Xux8tDf/cUbbma3zvYSZTTIFQHaNl752K03hlIr6p/1dWuRswFv
+UunpBxbbumXiScxPcBE5XPrS2tQMJBfEaG/Uf20CgZh2ztSOGJLuSHWNI+DcU9mZ
+ONHF8OcIqsTZf49EbPZGJ/nW4sD9TXx+/krdAhaVBz777MY++Ofr/vw7UYAYnML9
+QBnsJ61u9nJCWpVozeUkKGAdfEtYR0VUA1aMb+DD0emdq6/Yz6JCP133ld/JsA8F
+bMvtLmMA28E1Qnb6C08aU4CxLFGvZnpU9cAyBjeokiwwyNQnBKN0oQKBmBgHQVqI
+2A4Ig6AbbfNiupkKkzL8ZJUIWgPpc6HJT+QGlIS52sPJGVtt6RAs6xzA5A4EDknv
+1Ou5Guj3RyNvz/2IYsvQILohiULJNapqAmI71dRbwNPSI5BXupBEXUISNzVB2wrq
+Hzw1v9eer7/AzqliyFqv7Nx7bFoI+dVrkAIc2uK+JjLfNNbDP9SXSl1i+hdLFjoJ
+NSFpAoGYO5byBpYiFKL+JwkvQ7AipvSuM8L4vtUDln1K0et7nVG9dx0/ee9iHcPp
+wppT3+wzmzI29udA6GwbFj1OlJeUAl3MI0VrU424fA4k+Vww5ON2W/YfdD3K5++g
+HtPIolTS2wZLDbC5ZMrdaERR1gfFrFvnEUt2sHi6qrGvBmQNJxqFLahawdfBLvbv
+/vYN1vEY/AsUsdd2URs=
+-----END RSA PRIVATE KEY-----

tests/docker-kerberos/krb5.conf

@@ -0,0 +1,26 @@
+[logging]
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+
+[libdefaults]
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_realm = KERBEROS.TEST
+ default_keytab_name = /etc/krb5-keytab
+
+ default_ccache_name = FILE:/tmp/krb5_cc%{uid}
+
+[realms]
+KERBEROS.TEST = {
+ kdc = kerberos.test
+ admin_server = kerberos.test
+ auto_to_local = DEFAULT
+}
+
+[domain_realm]
+.kerberos.test = KERBEROS.TEST
+kerberos.test = KERBEROS.TEST

tests/docker-kerberos/myscript

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ "$REASON" != "connect" ];then
+	if test "$STATS_BYTES_IN" != "0";then
+		echo $STATS_BYTES_IN >/tmp/disconnect/ok
+	else
+		echo $STATS_BYTES_IN >/tmp/disconnect/not-ok
+	fi
+fi
+
+exit 0

tests/docker-kerberos/ocserv.conf

@@ -0,0 +1,317 @@
+# User authentication method. Could be set multiple times and in that case
+# all should succeed.
+# Options: certificate, pam. 
+#auth = "certificate"
+#auth = "plain[/etc/ocserv/passwd]"
+auth = "pam"
+enable-auth = gssapi
+
+# Whether to enable support for the occtl tool (i.e., either through D-BUS,
+# or via a unix socket).
+use-occtl = true
+
+# socket file used for IPC with occtl. You only need to set that,
+# if you use more than a single servers.
+#occtl-socket-file = /var/run/occtl.socket
+
+# The plain option requires specifying a password file which contains
+# entries of the following format.
+# "username:groupname:encoded-password"
+# One entry must be listed per line, and 'ocpasswd' can be used
+# to generate password entries.
+#auth = "plain[/etc/ocserv/ocpasswd]"
+
+# A banner to be displayed on clients
+#banner = "Welcome"
+
+# Use listen-host to limit to specific IPs or to the IPs of a provided 
+# hostname.
+#listen-host = [IP|HOSTNAME]
+
+# Limit the number of clients. Unset or set to zero for unlimited.
+#max-clients = 1024
+max-clients = 16
+
+# Limit the number of client connections to one every X milliseconds 
+# (X is the provided value). Set to zero for no limit.
+#rate-limit-ms = 100
+
+# Limit the number of identical clients (i.e., users connecting 
+# multiple times). Unset or set to zero for unlimited.
+max-same-clients = 2
+
+# TCP and UDP port number
+tcp-port = 443
+udp-port = 443
+
+# Keepalive in seconds
+keepalive = 32400
+
+# Dead peer detection in seconds.
+dpd = 240
+
+# Dead peer detection for mobile clients. The needs to
+# be much higher to prevent such clients being awaken too 
+# often by the DPD messages, and save battery.
+# (clients that send the X-AnyConnect-Identifier-DeviceType)
+mobile-dpd = 1800
+
+# MTU discovery (DPD must be enabled)
+try-mtu-discovery = false
+
+# The key and the certificates of the server
+# The key may be a file, or any URL supported by GnuTLS (e.g., 
+# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
+# or pkcs11:object=my-vpn-key;object-type=private)
+#
+# There may be multiple certificate and key pairs and each key
+# should correspond to the preceding certificate.
+server-cert = /etc/ocserv/cert.pem
+server-key = /etc/ocserv/key.pem
+
+# Diffie-Hellman parameters. Only needed if you require support
+# for the DHE ciphersuites (by default this server supports ECDHE).
+# Can be generated using:
+# certtool --generate-dh-params --outfile /path/to/dh.pem
+#dh-params = /path/to/dh.pem
+
+# If you have a certificate from a CA that provides an OCSP
+# service you may provide a fresh OCSP status response within
+# the TLS handshake. That will prevent the client from connecting
+# independently on the OCSP server.
+# You can update this response periodically using:
+# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
+# Make sure that you replace the following file in an atomic way.
+#ocsp-response = /path/to/ocsp.der
+
+# In case PKCS #11 or TPM keys are used the PINs should be available
+# in files. The srk-pin-file is applicable to TPM keys only, and is the 
+# storage root key.
+#pin-file = /path/to/pin.txt
+#srk-pin-file = /path/to/srkpin.txt
+
+# The Certificate Authority that will be used to verify
+# client certificates (public keys) if certificate authentication
+# is set.
+#ca-cert = /path/to/ca.pem
+
+# The object identifier that will be used to read the user ID in the client 
+# certificate. The object identifier should be part of the certificate's DN
+# Useful OIDs are: 
+#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
+#cert-user-oid = 0.9.2342.19200300.100.1.1
+
+# The object identifier that will be used to read the user group in the 
+# client  certificate. The object identifier should be part of the certificate's
+# DN. Useful OIDs are: 
+#  OU (organizational unit) = 2.5.4.11 
+#cert-group-oid = 2.5.4.11
+
+# The revocation list of the certificates issued by the 'ca-cert' above.
+#crl = /path/to/crl.pem
+
+# GnuTLS priority string
+tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT"
+
+# To enforce perfect forward secrecy (PFS) on the main channel.
+#tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA"
+
+# The time (in seconds) that a client is allowed to stay connected prior
+# to authentication
+auth-timeout = 40
+
+# The time (in seconds) that a client is allowed to stay idle (no traffic)
+# before being disconnected. Unset to disable.
+#idle-timeout = 1200
+
+# The time (in seconds) that a mobile client is allowed to stay idle (no
+# traffic) before being disconnected. Unset to disable.
+#mobile-idle-timeout = 2400
+
+# The time (in seconds) that a client is not allowed to reconnect after 
+# a failed authentication attempt.
+#min-reauth-time = 2
+
+# Cookie validity time (in seconds)
+# Once a client is authenticated he's provided a cookie with
+# which he can reconnect. This option sets the maximum lifetime
+# of that cookie.
+cookie-validity = 86400
+
+# ReKey time (in seconds)
+# ocserv will ask the client to refresh keys periodically once
+# this amount of seconds is elapsed. Set to zero to disable.
+rekey-time = 172800
+
+# ReKey method
+# Valid options: ssl, new-tunnel
+#  ssl: Will perform an efficient rehandshake on the channel allowing
+#       a seamless connection during rekey.
+#  new-tunnel: Will instruct the client to discard and re-establish the channel.
+#       Use this option only if the connecting clients have issues with the ssl
+#       option.
+rekey-method = ssl
+
+# Script to call when a client connects and obtains an IP
+# Parameters are passed on the environment.
+# REASON, USERNAME, GROUPNAME, HOSTNAME (the hostname selected by client), 
+# DEVICE, IP_REAL (the real IP of the client), IP_LOCAL (the local IP
+# in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
+# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
+#connect-script = /usr/bin/myscript
+disconnect-script = /usr/bin/myscript
+
+# UTMP
+use-utmp = true
+
+# D-BUS usage. If disabled occtl tool cannot be used. If enabled
+# then ocserv must have access to register org.infradead.ocserv
+# D-BUS service. See doc/dbus/org.infradead.ocserv.conf
+use-dbus = false
+
+# PID file. It can be overriden in the command line.
+pid-file = /var/run/ocserv.pid
+
+# The default server directory. Does not require any devices present.
+#chroot-dir = /path/to/chroot
+
+# socket file used for IPC, will be appended with .PID
+# It must be accessible within the chroot environment (if any)
+socket-file = /var/run/ocserv-socket
+
+# The user the worker processes will be run as. It should be
+# unique (no other services run as this user).
+run-as-user = nobody
+run-as-group = daemon
+
+# Set the protocol-defined priority (SO_PRIORITY) for packets to
+# be sent. That is a number from 0 to 6 with 0 being the lowest
+# priority. Alternatively this can be used to set the IP Type-
+# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
+# This can be set per user/group or globally.
+#net-priority = 3
+
+# Set the VPN worker process into a specific cgroup. This is Linux
+# specific and can be set per user/group or globally.
+#cgroup = "cpuset,cpu:test"
+
+#
+# Network settings
+#
+
+# The name of the tun device
+device = vpns
+
+# The default domain to be advertised
+default-domain = example.com
+
+# The pool of addresses that leases will be given from.
+ipv4-network = 192.168.1.0
+ipv4-netmask = 255.255.255.0
+
+# The advertized DNS server. Use multiple lines for
+# multiple servers.
+# dns = fc00::4be0
+#dns = 192.168.1.2
+
+# The NBNS server (if any)
+#nbns = 192.168.1.3
+
+# The IPv6 subnet that leases will be given from.
+ipv6-network = fd91:6d87:7341:db6a::
+ipv6-prefix = 64
+
+# The domains over which the provided DNS should be used. Use
+# multiple lines for multiple domains.
+#split-dns = example.com
+
+# Prior to leasing any IP from the pool ping it to verify that
+# it is not in use by another (unrelated to this server) host.
+ping-leases = false
+
+# Unset to assign the default MTU of the device
+# mtu = 
+
+# Unset to enable bandwidth restrictions (in bytes/sec). The
+# setting here is global, but can also be set per user or per group.
+#rx-data-per-sec = 40000
+#tx-data-per-sec = 40000
+
+# The number of packets (of MTU size) that are available in
+# the output buffer. The default is low to improve latency.
+# Setting it higher will improve throughput.
+#output-buffer = 10
+
+# Routes to be forwarded to the client. If you need the
+# client to forward routes to the server, you may use the 
+# config-per-user/group or even connect and disconnect scripts.
+#
+# To set the server as the default gateway for the client just
+# comment out all routes from the server.
+route = 192.168.1.0/255.255.255.0
+#route = 192.168.5.0/255.255.255.0
+route = fd91:6d87:7341:db6a::/64
+
+# Configuration files that will be applied per user connection or
+# per group. Each file name on these directories must match the username
+# or the groupname.
+# The options allowed in the configuration files are dns, nbns,
+#  ipv?-network, ipv4-netmask, ipv6-prefix, rx/tx-per-sec, iroute, route,
+#  net-priority and cgroup.
+#
+# Note that the 'iroute' option allows to add routes on the server
+# based on a user or group. The syntax depends on the input accepted
+# by the commands route-add-cmd and route-del-cmd (see below).
+
+#config-per-user = /etc/ocserv/config-per-user/
+#config-per-group = /etc/ocserv/config-per-group/
+
+# The system command to use to setup a route. %R will be replaced with the
+# route/mask and %D with the (tun) device.
+#
+# The following example is from linux systems. %R should be something
+# like 192.168.2.0/24
+
+#route-add-cmd = "ip route add %R dev %D"
+#route-del-cmd = "ip route delete %R dev %D"
+
+# This option allows to forward a proxy. The special keywords '%{U}'
+# and '%{G}', if present will be replaced by the username and group name.
+#proxy-url = http://example.com/
+#proxy-url = http://example.com/%{U}/
+
+# This option allows you to specify a URL location where a client can
+# post using MS-KKDCP, and the message will be forwarded to the provided
+# KDC server. That is a translation URL between HTTP and Kerberos.
+# This option is available if ocserv is compiled with GSSAPI support. 
+#kkdcp = /kerberos udp@127.0.0.1:88 application/kerberos
+kkdcp = /kerberos NONEXISTING.COM tcp@10.100.1.1:88
+kkdcp = /kerberos OTHER.TEST tcp@10.100.2.1:88
+kkdcp = /kerberos KERBEROS.TEST tcp@127.0.0.1:88
+kkdcp = /kerberos KERBEROS.LONGER.TEST tcp@10.100.3.1:88
+
+#
+# The following options are for (experimental) AnyConnect client 
+# compatibility. 
+
+# Client profile xml. A sample file exists in doc/profile.xml.
+# This file must be accessible from inside the worker's chroot. 
+# It is not used by the openconnect client.
+#user-profile = profile.xml
+
+# Binary files that may be downloaded by the CISCO client. Must
+# be within any chroot environment.
+#binary-files = /path/to/binaries
+
+# Unless set to false it is required for clients to present their
+# certificate even if they are authenticating via a previously granted
+# cookie and complete their authentication in the same TCP connection.
+# Legacy CISCO clients do not do that, and thus this option should be 
+# set for them.
+#cisco-client-compat = false
+
+#Advanced options
+
+# Option to allow sending arbitrary custom headers to the client after
+# authentication and prior to VPN tunnel establishment.
+#custom-header = "X-My-Header: hi there"

tests/docker-kerberos/pam-ocserv

@@ -0,0 +1,24 @@
+#%PAM-1.0
+auth	   required	pam_sepermit.so
+#auth       substack     password-auth
+auth required pam_krb5.so
+
+auth       include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth      optional     pam_reauthorize.so prepare
+account    required     pam_nologin.so
+account sufficient pam_krb5.so
+
+password sufficient pam_krb5.so
+
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    optional     pam_keyinit.so force revoke
+session optional pam_krb5.so
+
+session    include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session   optional     pam_reauthorize.so prepare

tests/docker-kerberos/passwd

@@ -0,0 +1,2 @@
+test:tost:$5$i6SNmLDCgBNjyJ7q$SZ4bVJb7I/DLgXo3txHBVohRFBjOtdbxGQZp.DOnrA.
+tost:*:$5$qc1CKWjcmlrFREe2$h9zQJcD3AeuQmwMncdIqqls47TDOUvu2r2nXQ7aDfcD

tests/kerberos-test

@@ -0,0 +1,106 @@
+#!/bin/sh
+#
+# Copyright (C) 2014 Red Hat
+#
+# This file is part of ocserv.
+#
+# ocserv is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at
+# your option) any later version.
+#
+# ocserv is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with ocserv; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+
+srcdir=${srcdir:-.}
+
+PORT=10500
+PORT2=10501
+PORT_OCSERV=443
+#this test can only be run as root
+id|grep root >/dev/null 2>&1
+if [ $? != 0 ];then
+	exit 77
+fi
+
+stop_all() {
+        $DOCKER stop test_ocserv_client_kerberos
+        $DOCKER rm test_ocserv_client_kerberos
+        $DOCKER stop test_ocserv_kerberos
+        $DOCKER rm test_ocserv_kerberos
+        exit 1
+}
+
+CONFIG="kerberos"
+DOCKER_DIR=docker-kerberos
+IMAGE=ocserv-kerberos-test
+IMAGE_NAME=test_ocserv_kerberos
+. ./docker-common.sh
+
+#-p $PORT:$PORT/udp -p $PORT2:$PORT2/udp -p 22 -p $PORT_OCSERV:$PORT_OCSERV/udp
+$DOCKER run -P --privileged=true --add-host='kerberos.test:127.0.0.1' --tty=false -d --name test_ocserv_kerberos $IMAGE
+if test $? != 0;then
+	echo "Cannot run docker image"
+	exit 1
+fi
+
+echo "ocserv image was run"
+#wait for ocserv to server
+sleep 5
+
+IP=`$DOCKER inspect test_ocserv_kerberos | grep IPAddress | cut -d '"' -f 4`
+if test -z "$IP";then
+	echo "Detected IP is null!"
+	$DOCKER inspect test_ocserv_kerberos
+	stop
+fi
+echo "Detected KDC IP: $IP"
+
+# run the client
+CONFIG="client"
+DOCKER_DIR=docker-kerberos
+IMAGE=ocserv-kerberos-client-test
+IMAGE_NAME=test_ocserv_client_kerberos
+. ./docker-common.sh
+
+$DOCKER run -P --privileged=true --add-host="kerberos.test:$IP" --tty=false -d --name test_ocserv_client_kerberos $IMAGE
+if test $? != 0;then
+	echo "Could not run client docker image"
+	stop_all
+fi
+
+CIP=`$DOCKER inspect test_ocserv_client_kerberos | grep IPAddress | cut -d '"' -f 4`
+if test -z "$CIP";then
+	echo "Detected client IP is null!"
+	$DOCKER inspect test_ocserv_kerberos
+	stop
+fi
+echo "Detected client IP: $CIP"
+
+echo "Waiting for client tests"
+sleep 20
+
+mkdir -p tmp-kerb
+rm -f ./tmp-kerb/ok
+$DOCKER cp test_ocserv_client_kerberos:/tmp/ok ./tmp-kerb/
+
+if ! test -f ./tmp-kerb/ok;then
+	echo "Kerberos client tests failed"
+	ret=1
+else
+	echo "Kerberos client tests completed"
+	ret=0
+fi
+
+$DOCKER stop test_ocserv_kerberos
+$DOCKER rm test_ocserv_kerberos
+$DOCKER stop test_ocserv_client_kerberos
+$DOCKER rm test_ocserv_client_kerberos
+
+exit $ret