Skip to content

add and document "require_message_authenticator" flag #83

add and document "require_message_authenticator" flag

add and document "require_message_authenticator" flag #83

Workflow file for this run

name: "CI DEB"
on:
push:
branches-ignore:
- coverity_scan
pull_request:
env:
DEBIAN_FRONTEND: noninteractive
CI: 1
CI_TEST_USER: tapioca
CI_TEST_PASS: queijo
GH_ACTIONS: 1
jobs:
pre-ci:
runs-on: ubuntu-latest
# Map a step output to a job output
outputs:
should_skip: ${{ steps.skip_check.outputs.should_skip }}
steps:
- id: skip_check
uses: fkirc/skip-duplicate-actions@master
deb-build:
# If branch protection is in place with status checks enabled, ensure
# names are updated if new matrix entries are added or the name format
# changes.
name: "DEB Build (ubuntu-20.04)"
needs: pre-ci
if: ${{ needs.pre-ci.outputs.should_skip != 'true' }}
runs-on: "ubuntu-20.04"
strategy:
fail-fast: false
steps:
# Checkout, but defer pulling LFS objects until we've restored the cache
- uses: actions/checkout@v2
with:
lfs: false
- name: "Package manager performance improvements"
run: |
sudo sh -c 'echo force-unsafe-io > /etc/dpkg/dpkg.cfg.d/02speedup'
echo 'man-db man-db/auto-update boolean false' | sudo debconf-set-selections
sudo dpkg-reconfigure man-db
sudo sed -i 's/^update_initramfs=.*/update_initramfs=no/' /etc/initramfs-tools/update-initramfs.conf
- name: "Install build dependencies based CI packages"
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends build-essential devscripts equivs quilt libpam0g-dev sshpass
sudo mk-build-deps -irt"apt-get -y --no-install-recommends" scripts/ci/extra-packages.debian.control
- name: "Set compiler to GCC 10"
run: |
sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-10 60 && sudo update-alternatives --set gcc /usr/bin/gcc-10
- name: "Build DEBs"
run: |
make deb
- name: "Install .deb packages"
run: |
sudo dpkg -i ../libpam*deb
- name: "Show infos of the .deb package"
run: |
sudo dpkg -s libpam-radius-auth
- name: "List content of the .deb package"
run: |
sudo dpkg -L libpam-radius-auth
- name: "Create the CI_TEST_USER user in /etc/passwd (no-password)"
run: |
sudo useradd -d /tmp ${CI_TEST_USER}
id ${CI_TEST_USER}
- name: "Setup FreeRADIUS/SSHD/SYSLOG-NG/PAM then run full CI tests"
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
freeradius freeradius-utils freeradius-config \
syslog-ng \
openssh-server sshpass
echo "#######################################################"
echo "## Stop the services syslog-ng/sshd/freeradius"
sudo rm -f /var/log/auth.log # Needed to see the last results
sudo systemctl restart syslog-ng
sudo systemctl stop ssh
sudo systemctl stop freeradius
echo "#######################################################"
echo "## Setup the services"
export CI_TEST_USER="$CI_TEST_USER" CI_TEST_PASS="$CI_TEST_PASS"
for i in setup-pam_radius.sh setup-freeradius.sh setup-sshd.sh; do
script="./scripts/ci/$i"
echo "Calling $i"
sudo -E $script
done
echo "#######################################################"
echo "## Start the services syslog-ng/sshd/freeradius"
sudo systemctl start ssh
sudo systemctl start freeradius
echo "#######################################################"
echo "## Show processes"
ps aux | grep -E "([r]adius|[s]sh|[s]yslog)"
- name: "Content of /etc/ssh/sshd_config"
run: |
sudo cat /etc/ssh/sshd_config
- name: "Content of /etc/pam.d/sshd"
run: |
sudo cat /etc/pam.d/sshd
- name: "Content of /etc/pam_radius_auth.conf"
run: |
sudo cat /etc/pam_radius_auth.conf
- name: "Validate freeradius instance using radtest"
run: |
radtest -x $CI_TEST_USER $CI_TEST_PASS localhost 0 testing123
- name: "Run ssh authorization over pam_radius"
run: |
if ! sshpass -p "${CI_TEST_PASS}" -v \
/usr/bin/ssh -T -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 22 ${CI_TEST_USER}@localhost id; then
echo "ERROR: Something goes wrong with the SSH + PAM_RADIUS authentication!"
echo "############## Show the logs in /var/log/auth.log"
sudo tail -35 /var/log/auth.log
exit 1
fi
- name: "Looking for 'pam_radius_auth: authentication succeeded' in /var/log/auth.log"
run: |
echo "#######################################################"
echo "## Show the logs in /var/log/auth.log"
sudo cat -n /var/log/auth.log
if ! sudo grep -q "pam_radius_auth: authentication succeeded" /var/log/auth.log; then
echo "ERROR: Something goes wrong with the SSH + PAM_RADIUS authentication!"
exit 1
fi
#
# If the CI has failed and the branch is ci-debug then we start a tmate
# session to provide interactive shell access to the session.
#
# The SSH rendezvous point will be emitted continuously in the job output,
# which will look something like:
#
# SSH: ssh [email protected]
#
# For example:
#
# git push origin ci-debug --force
#
# Look at the job output in: https://github.com/FreeRADIUS/freeradius-server/actions
#
# ssh [email protected]
#
# Access requires that you have the private key corresponding to the
# public key of the GitHub user that initiated the job.
#
- name: "Debug: Start tmate"
uses: mxschmitt/action-tmate@v3
with:
limit-access-to-actor: true
if: ${{ github.ref == 'refs/heads/ci-debug' && failure() }}