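#!/bin/bash
# Test the PAM faillog integration via ssh on a UCS domaincontroller master:
# logins with a wrong password must lock the test user once the configured
# limit is reached, a pam_tally reset or a successful login must clear the
# counter, and with auth/faillog/lock_global=yes the lock must also show up
# in UDM ("locked: all").
#
# Required environment: TESTLIBPATH (ucs-test library directory). The UCR
# variables hostname, domainname, ldap_base and auth/faillog/* are imported
# via `ucr shell`.
# Exit status: 100 when every check passed, 110 when at least one failed.
source "$TESTLIBPATH/user.lib"
source "$TESTLIBPATH/base.lib"

#if ! current_ucs_version_greater_equal 2.4; then
#	exit 132
#fi

INFO_LINE="Test faillog via ssh"
TEST_SERVER_ROLE="domaincontroller_master"
TEST_BASIC=true
TEST_PACKAGES="univention-config univention-directory-manager-tools"

RETURNCODE=100
NAME=$(getusername)
# it takes some time before all ssh connections complete
SSH_SLEEP=15

eval "$(ucr shell)"

# Snapshot the current faillog settings so ucr_reset can restore them on exit.
old_auth_faillog="$auth_faillog"
old_auth_faillog_limit="$auth_faillog_limit"
old_auth_faillog_root="$auth_faillog_root"
old_auth_faillog_unlock_time="$auth_faillog_unlock_time"
old_auth_faillog_lock_global="$auth_faillog_lock_global"

#######################################
# Try an ssh login as $NAME and print the hostname reported by the remote side.
# Globals:   NAME, hostname, domainname (read)
# Arguments: $1 - file containing the password to use
# Outputs:   the remote "ucr get hostname" result on stdout (empty if the
#            login is refused)
#######################################
ssh_test () {
	local passwd_file="${1}"
	univention-ssh -timeout 3 "$passwd_file" "$NAME@$hostname.$domainname" /usr/sbin/ucr get hostname
}

#######################################
# Expect a login with the correct password to succeed.
# Globals:   passwd, hostname (read); RETURNCODE (written)
# Arguments: $1 - error message to log when the login fails
#######################################
expect_login_ok () {
	local msg="$1" ssh_hostname
	ssh_hostname="$(ssh_test "$passwd")"
	if [ "$ssh_hostname" != "$hostname" ]; then
		error "$msg"
		error "got: $ssh_hostname"
		error "expected: $hostname"
		RETURNCODE=110
	fi
}

#######################################
# Expect a login with the correct password to be refused (user locked).
# Globals:   passwd, hostname (read); RETURNCODE (written)
# Arguments: $1 - error message to log when the login unexpectedly succeeds
#######################################
expect_login_locked () {
	local msg="$1" ssh_hostname
	ssh_hostname="$(ssh_test "$passwd")"
	if [ "$ssh_hostname" = "$hostname" ]; then
		error "$msg"
		RETURNCODE=110
	fi
}

#######################################
# Compare the pam_tally failure counter of $NAME with an expected value.
# Globals:   NAME (read); RETURNCODE (written)
# Arguments: $1 - expected counter value
#######################################
expect_failcount () {
	local expected="$1" failCount
	# the counter is the last whitespace-separated field of pam_tally's report
	failCount=$(pam_tally --user="$NAME" | awk '{print $NF}')
	if [ "$failCount" != "$expected" ]; then
		error "failCount is $failCount and should be $expected"
		RETURNCODE=110
	fi
}

#######################################
# Restore the given UCR variables from their old_* snapshots; variables that
# had no value before the test are unset again.
# Arguments: UCR variable names, e.g. auth/faillog/limit
#######################################
ucr_reset () {
	local -a reset=() unset=()
	local key var
	for key in "$@"; do
		# "old_auth/faillog/limit" is not a valid shell name: map to old_auth_faillog_limit
		var="old_${key//[^a-zA-Z0-9]/_}"
		if [ -n "${!var}" ]; then
			reset+=("$key=${!var}")
		else
			unset+=("$key")
		fi
	done
	[ "${#reset[@]}" -gt 0 ] && ucr set "${reset[@]}"
	[ "${#unset[@]}" -gt 0 ] && ucr unset "${unset[@]}"
}

# Restore the faillog settings and drop the temporary password files; runs
# via the EXIT trap so it also happens when the script is interrupted.
cleanup () {
	ucr_reset auth/faillog auth/faillog/lock_global auth/faillog/limit
	rm -f -- "$fake_passwd" "$passwd"
}

# Passwords are handed to univention-ssh via files rather than on argv;
# mktemp creates them readable only by the owner.
fake_passwd=$(mktemp)
printf '%s\n' "foobar1234" >"$fake_passwd"
passwd=$(mktemp)
printf '%s\n' "univention" >"$passwd"
trap cleanup EXIT

ucr set auth/faillog=no auth/faillog/lock_global=no

info "Create user $NAME"
# test fixture account with a fixed password; removed again at the end of the run
univention-directory-manager users/user create --position "cn=users,$ldap_base" --set username="$NAME" --set lastname="$NAME" --set password="univention"

# univention-ssh tries it 3 times
info "Login with wrong password via ssh"
ssh_test "$fake_passwd"
ssh_test "$fake_passwd"
ssh_test "$fake_passwd"
sleep "$SSH_SLEEP"
expect_login_ok "The login wasn't successful, but faillog is disabled"

#activate
ucr set auth/faillog=yes auth/faillog/lock_global=no
pam_tally --user="$NAME" --reset

info "Login via ssh"
expect_login_ok "The login wasn't successful"

# univention-ssh tries it 3 times
info "Login with wrong password via ssh"
ssh_test "$fake_passwd"
ssh_test "$fake_passwd"
sleep "$SSH_SLEEP"

# by default the user should be disabled
expect_failcount 6
expect_login_locked "The login was successful, but the user should be locked"

info "Reset counter for $NAME"
pam_tally --user="$NAME" --reset

info "Normal ssh login"
expect_login_ok "The login wasn't successful, but the user faillog is resetted"

info "Login with wrong password"
ssh_test "$fake_passwd"
sleep "$SSH_SLEEP"
expect_failcount 3
# print the current tally for the test log
pam_tally --user="$NAME"

# reset failCount
info "Reset counter with a success login"
expect_login_ok "The login wasn't successful, but the user faillog is lower than the maximum"
expect_failcount 0

info "Activate global lock and a diffrent limit"
ucr set auth/faillog/limit=6 auth/faillog/lock_global=yes
ssh_test "$fake_passwd"
sleep "$SSH_SLEEP"
expect_login_ok "The login wasn't successful, but the users faillog is lower than the maximum"
ssh_test "$fake_passwd"
ssh_test "$fake_passwd"
sleep "$SSH_SLEEP"
expect_login_locked "The login was successful, but the user should be locked"

# the global lock has to be propagated to the UDM object
sleep "$SSH_SLEEP"
udm_locked=$(univention-directory-manager users/user list --filter "uid=$NAME" | grep "^ locked: all")
if [ "$udm_locked" != " locked: all" ]; then
	error "user was not locked in UDM"
	univention-directory-manager users/user list --filter "uid=$NAME"
	RETURNCODE=110
fi
univention-directory-manager users/user modify --dn "uid=$NAME,cn=users,$ldap_base" --set locked=none
sleep 5 #wait for the replication
expect_login_ok "The login wasn't successful, but the fail counter should be resetted"

info "Remove user"
removeuser "$NAME"

# UCR settings and temp files are restored by the EXIT trap (cleanup)
exit "$RETURNCODE"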