1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
import ./make-test.nix ({ ... }:
let
oathSnakeoilSecret = "cdd4083ef8ff1fa9178c6d46bfb1a3";
# With HOTP mode the password is calculated based on a counter of
# how many passwords have been made. In this env, we'll always be on
# the 0th counter, so the password is static.
#
# Generated in nix-shell -p oathToolkit
# via: oathtool -v -d6 -w10 cdd4083ef8ff1fa9178c6d46bfb1a3
# and picking a the first 4:
oathSnakeOilPassword1 = "143349";
oathSnakeOilPassword2 = "801753";
alicePassword = "foobar";
# Generated via: mkpasswd -m sha-512 and passing in "foobar"
hashedAlicePassword = "$6$MsMrE1q.1HrCgTS$Vq2e/uILzYjSN836TobAyN9xh9oi7EmCmucnZID25qgPoibkw8qTCugiAPnn4eCGvn1A.7oEBFJaaGUaJsQQY.";
in
{
name = "pam-oath-login";
machine =
{ ... }:
{
security.pam.oath = {
enable = true;
};
users.users.alice = {
isNormalUser = true;
name = "alice";
uid = 1000;
hashedPassword = hashedAlicePassword;
extraGroups = [ "wheel" ];
createHome = true;
home = "/home/alice";
};
systemd.services.setupOathSnakeoilFile = {
wantedBy = [ "default.target" ];
before = [ "default.target" ];
unitConfig = {
type = "oneshot";
RemainAfterExit = true;
};
script = ''
touch /etc/users.oath
chmod 600 /etc/users.oath
chown root /etc/users.oath
echo "HOTP/E/6 alice - ${oathSnakeoilSecret}" > /etc/users.oath
'';
};
};
testScript =
''
$machine->waitForUnit('multi-user.target');
$machine->waitUntilSucceeds("pgrep -f 'agetty.*tty1'");
$machine->screenshot("postboot");
subtest "Invalid password", sub {
$machine->fail("pgrep -f 'agetty.*tty2'");
$machine->sendKeys("alt-f2");
$machine->waitUntilSucceeds("[ \$(fgconsole) = 2 ]");
$machine->waitForUnit('getty@tty2.service');
$machine->waitUntilSucceeds("pgrep -f 'agetty.*tty2'");
$machine->waitUntilTTYMatches(2, "login: ");
$machine->sendChars("alice\n");
$machine->waitUntilTTYMatches(2, "login: alice");
$machine->waitUntilSucceeds("pgrep login");
$machine->waitUntilTTYMatches(2, "One-time password");
$machine->sendChars("${oathSnakeOilPassword1}\n");
$machine->waitUntilTTYMatches(2, "Password: ");
$machine->sendChars("blorg\n");
$machine->waitUntilTTYMatches(2, "Login incorrect");
};
subtest "Invalid oath token", sub {
$machine->fail("pgrep -f 'agetty.*tty3'");
$machine->sendKeys("alt-f3");
$machine->waitUntilSucceeds("[ \$(fgconsole) = 3 ]");
$machine->waitForUnit('getty@tty3.service');
$machine->waitUntilSucceeds("pgrep -f 'agetty.*tty3'");
$machine->waitUntilTTYMatches(3, "login: ");
$machine->sendChars("alice\n");
$machine->waitUntilTTYMatches(3, "login: alice");
$machine->waitUntilSucceeds("pgrep login");
$machine->waitUntilTTYMatches(3, "One-time password");
$machine->sendChars("000000\n");
$machine->waitUntilTTYMatches(3, "Login incorrect");
$machine->waitUntilTTYMatches(3, "login:");
};
subtest "Happy path (both passwords are mandatory to get us in)", sub {
$machine->fail("pgrep -f 'agetty.*tty4'");
$machine->sendKeys("alt-f4");
$machine->waitUntilSucceeds("[ \$(fgconsole) = 4 ]");
$machine->waitForUnit('getty@tty4.service');
$machine->waitUntilSucceeds("pgrep -f 'agetty.*tty4'");
$machine->waitUntilTTYMatches(4, "login: ");
$machine->sendChars("alice\n");
$machine->waitUntilTTYMatches(4, "login: alice");
$machine->waitUntilSucceeds("pgrep login");
$machine->waitUntilTTYMatches(4, "One-time password");
$machine->sendChars("${oathSnakeOilPassword2}\n");
$machine->waitUntilTTYMatches(4, "Password: ");
$machine->sendChars("${alicePassword}\n");
$machine->waitUntilSucceeds("pgrep -u alice bash");
$machine->sendChars("touch done4\n");
$machine->waitForFile("/home/alice/done4");
};
'';
})
|