#!/bin/bash # # Copyright (C) 2019 Nikos Mavrogiannopoulos # # This file is part of ocserv. # # ocserv is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the # Free Software Foundation; either version 2 of the License, or (at # your option) any later version. # # ocserv is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # # This tests operation/traffic under compression (lzs or lz4). OCCTL="${OCCTL:-../src/occtl/occtl}" SERV="${SERV:-../src/ocserv}" srcdir=${srcdir:-.} PIDFILE=ocserv-pid.$$.tmp KRB5PIDFILE=krb5-pid.$$.tmp CLIPID=oc-pid.$$.tmp PATH=${PATH}:/usr/sbin IP=$(which ip) OUTFILE=traffic.$$.tmp # This port needs to be fixed to 443 due to KKDCP PORT=443 USERNAME=krb5user USERPASS=krb5user123 export KRB5_TRACE=/dev/stderr . `dirname $0`/common.sh if test -z "${IP}";then echo "no IP tool is present" exit 1 fi if test "$(id -u)" != "0";then echo "This test must be run as root, and is a destructive one" exit 1 fi if ! test -x /usr/sbin/kadmin.local;then echo "This test must be run on a KDC-running system" exit 1 fi echo "Testing ocserv with kerberos... " function finish { set +e echo " * Cleaning up..." test -n "${PID}" && kill ${PID} >/dev/null 2>&1 test -e "${KRB5PIDFILE}" && kill $(cat ${KRB5PIDFILE}) >/dev/null 2>&1 test -e "${KRB5PIDFILE}" && rm -f ${KRB5PIDFILE} >/dev/null 2>&1 test -n "${PIDFILE}" && rm -f ${PIDFILE} >/dev/null 2>&1 test -e "${CLIPID}" && kill -s INT $(cat ${CLIPID}) >/dev/null 2>&1 test -e "${CLIPID}" && rm -f ${CLIPID} >/dev/null 2>&1 test -n "${CONFIG}" && rm -f ${CONFIG} >/dev/null 2>&1 rm -f ${OUTFILE} 2>&1 #reset kerberos changes echo -e "secret123\nsecret123"|/usr/sbin/kdb5_util destroy -f echo -e "${USERPASS}\n${USERPASS}" | /usr/sbin/kadmin.local -q "delete_principal -force ${USERNAME}" echo -e "${USERPASS}\n${USERPASS}" | /usr/sbin/kadmin.local -q "delete_principal -force HTTP/kerberos.test" rm -f /etc/krb5-keytab grep kerberos.test /etc/hosts && sed '$d' /etc/hosts #undef Fedora33 the krb5kdc doesn't create a PID file killall krb5kdc } trap finish EXIT # server address ADDRESS=10.97.216.1 CLI_ADDRESS=10.97.217.1 VPNNET=192.168.1.0/24 VPNADDR=192.168.1.1 VPNNET6=fd91:6d87:7341:db6a::/112 VPNADDR6=fd91:6d87:7341:db6a::1 OCCTL_SOCKET=./occtl-radius-$$.socket . `dirname $0`/ns.sh ${CMDNS2} ${IP} link set dev lo up # Run KDC # This is destructive at the moment as it changes the system that it is being run. mkdir -p /var/kerberos/krb5kdc/ cp ${srcdir}/data/krb5.conf /etc/ cp ${srcdir}/data/kdc.conf /var/kerberos/krb5kdc/ cp ${srcdir}/data/k5.KERBEROS.TEST /var/kerberos/krb5kdc/ cp ${srcdir}/data/kadm5.acl /var/kerberos/krb5kdc/ chmod 750 /var/kerberos/krb5kdc/ chmod 640 /var/kerberos/krb5kdc/* echo " * creating database" echo -e "secret123\nsecret123"|/usr/sbin/kdb5_util create -s echo " * addprinc ${USERNAME}" echo -e "${USERPASS}\n${USERPASS}" | /usr/sbin/kadmin.local -q "addprinc ${USERNAME}" test $? = 0 || exit 1 echo " * addprinc HTTP" echo -e "test123\ntest123" | /usr/sbin/kadmin.local -q "addprinc HTTP/kerberos.test" test $? = 0 || exit 1 echo " * addprinc keytab" /usr/sbin/kadmin.local -q "xst -norandkey -k /etc/krb5-keytab HTTP/kerberos.test@KERBEROS.TEST" test $? = 0 || exit 1 grep kerberos.test /etc/hosts || echo "${ADDRESS} kerberos.test" >> /etc/hosts mkdir -p /etc/ocserv cp ${srcdir}/certs/ca.pem /etc/ocserv echo " * Starting KDC..." ${CMDNS2} /usr/sbin/krb5kdc -P ${KRB5PIDFILE} test $? = 0 || exit 1 sleep 4 export TEST_PAMDIR=data/pam-kerberos update_config kerberos.config # Run ocserv PRELOAD_CMD=${CMDNS2} echo " * Starting ocserv..." launch_pam_server -d 3 -f -c ${CONFIG} & PID=$! PRELOAD_CMD="" sleep 5 echo "" echo " * Getting cookie via PAM from ${ADDRESS}:${PORT}..." ( echo "${USERPASS}" | ${CMDNS1} ${OPENCONNECT} ${ADDRESS}:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly ) if test $? != 0;then echo "Could not get cookie from server" exit 1 fi echo "" echo " * Running kinit" echo ${USERPASS}|${CMDNS1} kinit -V ${USERNAME}@KERBEROS.TEST if test $? != 0;then echo "Error in kinit" exit 1 fi echo "" echo " * Running klist" ${CMDNS1} klist echo "" echo " * Getting cookie via kerberos from kerberos.test:${PORT}..." ${CMDNS1} ${OPENCONNECT} kerberos.test:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly if test $? != 0;then echo "Could not get cookie from server" exit 1 fi echo "" echo " * Connecting via krb5 to kerberos.test:${PORT}..." ( ${CMDNS1} ${OPENCONNECT} kerberos.test:${PORT} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= -s ${srcdir}/scripts/vpnc-script --pid-file=${CLIPID} --verbose -b ) if test $? != 0;then echo "Could not connect to server" exit 1 fi sleep 3 ${CMDNS1} ping -w 5 ${VPNADDR} if test $? != 0;then echo "Could not ping server IP" exit 1 fi sleep 60 echo "" echo " * Connecting via krb5 and non-fresh ticket to kerberos.test:${PORT}..." ${CMDNS1} ${OPENCONNECT} kerberos.test:${PORT} -u ${USERNAME} --servercert=pin-sha256:xp3scfzy3rOQsv9NcOve/8YVVv+pHr4qNCXEXrNl5s8= --cookieonly if test $? = 0;then echo "Could connect to server although not expected" exit 1 fi exit 0