| field | value |
|---|---|
| author | Dante Catalfamo, 2021-05-30 15:45:17 -0400 |
| committer | Dante Catalfamo, 2021-05-30 15:45:17 -0400 |
| commit | 943bfbf933fdc8c9616ce1f5dc28314ec8479918 (patch) |
| tree | 015c9c6558ca143684a0fe618ea265f986c28e4f |
| parent | 01ecfbef49a18b501927a8166fc92a6f3903cdf5 (diff) |
| download | blog-943bfbf933fdc8c9616ce1f5dc28314ec8479918.tar.gz, blog-943bfbf933fdc8c9616ce1f5dc28314ec8479918.tar.bz2, blog-943bfbf933fdc8c9616ce1f5dc28314ec8479918.zip |
bsd-auth: almost finished approval scripts
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/index.org | 37 |

1 file changed, 31 insertions, 6 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org index ab65930..9b2db27 100644 --- a/content/posts/WIP-how-bsd-authentication-works/index.org +++ b/content/posts/WIP-how-bsd-authentication-works/index.org 
@@ -2272,20 +2272,45 @@ #+end_src @@html: </details> @@ - =auth_approval= is used to check a user against approval script for - service =type=. + =auth_approval= is used to check a user against the [[#approval][approval script]] + for service =type=. Approval script types all begin with + =approval-=. If =type= doesn't begin with =approval-= it will be + prepended internally. + + if =as= is =NULL=, an auth session will be created and destroyed + inside the function. + + If =lc= is =NULL=, it will be retrieved internally by looking up + =name=. + + If =type= is =NULL=, the default of =LOGIN_DEFSERVICE= is used. This + is defined in =login_cap.h= as =login=. This should call the default + =approval= script, according to the [[https://man.openbsd.org/login.conf#CAPABILITIES][=CAPABILITIES=]] section of the + =login.conf= man page. It returns either =0= for disapproval, or non-zero for approval. +* Approval Scripts + :PROPERTIES: + :CUSTOM_ID: approval + :END: + Approval scripts can be much simpler than the full login modules used by the other functions. They may run with limited information and instead of explicitly allowing or denying users with specific conditions. They are given the same back-channel as auth modules, - but may also either exit with a zero status for approval, or - non-zero status to signal disapproval. + but do not have to explicitly authenticate or revoke users. They + should exit with a zero status for approval, or non-zero status to + signal disapproval. + + Approval scrips receive arguments in the following form. + #+begin_src shell + approve [-v name=value] username class service + #+end_src - Approval scrips receive arguments in the same format as auth - modules. + It can also receive extra key-value =-v= arguments in the same format as + [[#modules][auth modules]]. More information is available in the [[https://man.openbsd.org/login.conf#APPROVAL][=APPROVAL=]] + section of the =login.conf= man page. <<here>> |
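Review bot: the added line "Approval scrips receive arguments in the following form." carries the same "scrips" typo the hunk removes two lines later ("- Approval scrips receive arguments in the same format as auth"); make it "Approval scripts receive arguments in the following form." so the fix is not reintroduced. Two smaller style points in the same hunk: "if =as= is =NULL=, an auth session will be created" starts a sentence in lowercase while the neighbouring "If =lc= is =NULL=" and "If =type= is =NULL=" paragraphs are capitalised, and "It can also receive extra key-value =-v= arguments" follows the =#+begin_src shell= block, so "It" has no clear antecedent; "An approval script can also receive extra key-value =-v= arguments" reads unambiguously, and since =-v name=value= already appears in the usage line above it, that sentence could simply note that the format of those arguments matches the auth modules. Unchanged context in this hunk still carries the incomplete sentence "They may run with limited information and instead of explicitly allowing or denying users with specific conditions.", which is worth finishing in a follow-up commit since the surrounding paragraph is being reworked here anyway.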