author Dante Catalfamo 2021-10-18 17:25:36 -0400
committer Dante Catalfamo 2021-10-18 17:25:36 -0400
commit f3659dc62a1f559f707bf1e7e823fc2c2625b0de (patch)
tree bd4515e562f99efdae7c4f33e83e1802672d5fa2
parent a60565478f4e1b369bd6c9b51a04e3d157978741 (diff)
bsd-auth: Add mention of challenge/response functions, fix wording
-rw-r--r-- content/posts/WIP-how-bsd-authentication-works/index.org 32
1 files changed, 18 insertions, 14 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org
index de3b6ac..c7576a1 100644
--- a/content/posts/WIP-how-bsd-authentication-works/index.org
+++ b/content/posts/WIP-how-bsd-authentication-works/index.org
@@ -18,20 +18,20 @@
:END:
The way OpenBSD authenticates users is quite different from other
- Unix-like operating systems. Most systems from AIX to Solaris,
- including Linux, the other BSDs, and MacOS, use a framework called
- [[https://en.wikipedia.org/wiki/Pluggable_authentication_module][Pluggable Authentication Module]] (PAM). The two main implementations
- are [[http://www.linux-pam.org/][Linux PAM]] and [[https://www.openpam.org/][OpenPAM]]. PAM modules are created as dynamically
- loaded shared objects, which communicate using a combination of
- common and implementation specific interfaces ([[https://linux.die.net/man/3/pam][Linux-PAM]] and
- [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). It's configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]]
- file. While it can be flexible, it's highly complex and very easy to
- mis-configure, leaving you open to strange and hard to track down
- authentication bugs. On top of that, the fact that it's a shared
- library means that any vulnerability in a poorly vetted
- authentication module gives attackers direct access to the internals
- of your application. Author Michael W. Lucas said it best when he
- described PAM as [[https://www.youtube.com/watch?v=-CXp3byvI1g][unstandardized black magic]].
+ Unix-like operating systems. Most other systems like AIX, Solaris,
+ Linux, the other BSDs, and MacOS, use a framework called [[https://en.wikipedia.org/wiki/Pluggable_authentication_module][Pluggable
+ Authentication Module]] (PAM). The two main implementations are [[http://www.linux-pam.org/][Linux
+ PAM]] and [[https://www.openpam.org/][OpenPAM]]. PAM modules are created as dynamically loaded
+ shared objects, which communicate using a combination of common and
+ implementation specific interfaces ([[https://linux.die.net/man/3/pam][Linux-PAM]] and [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). It's
+ configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]] file. While it can
+ be flexible, it's highly complex and very easy to mis-configure,
+ leaving you open to strange and hard to track down authentication
+ bugs. On top of that, the fact that it's a shared library means that
+ any vulnerability in a poorly vetted authentication module gives
+ attackers direct access to the internals of your application. Author
+ Michael W. Lucas said it best when he described PAM as
+ [[https://www.youtube.com/watch?v=-CXp3byvI1g][unstandardized black magic]].
OpenBSD on the other hand uses a mechanism called BSD
Authentication. It was originally developed for a now-defunct
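Review bot: the reworded opening sentence at the top of this hunk has a stray comma between subject and verb: "Most other systems like AIX, Solaris, Linux, the other BSDs, and MacOS, use a framework" should drop the comma before "use", and "such as" reads better than "like" when listing examples. While touching the paragraph, the compound modifiers "implementation specific" and "hard to track down" want hyphens ("implementation-specific", "hard-to-track-down"), and "mis-configure" is normally written "misconfigure". The rewrapping also splits the link descriptions for "Pluggable Authentication Module" and "Linux PAM" across two lines inside the [[...][...]] brackets; worth confirming the exporter still renders each as a single link.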
@@ -143,6 +143,10 @@
The simplest way to authenticate a user with BSD Auth is by using
[[#auth_userokay][=auth_userokay=]].
+ For cases where challenge / response authentication is required and
+ the user can't interacting through =stdin= and =stdout=,
+ [[#auth_userchallenge][=auth_userchallenge=]] and [[#auth_userresponse][=auth_userresponse=]] can be used.
+
* Approval Scripts
:PROPERTIES:
:CUSTOM_ID: approval
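Review bot: typo in the added sentence: "the user can't interacting through =stdin= and =stdout=" should read "the user can't interact through =stdin= and =stdout=". Also, "challenge / response" is spaced around the slash here while the commit message writes "challenge/response"; pick one form for consistency.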