-rw-r--r-- | content/posts/how-bsd-authentication-works/index.org | 80 |
1 files changed, 48 insertions, 32 deletions
diff --git a/content/posts/how-bsd-authentication-works/index.org b/content/posts/how-bsd-authentication-works/index.org
index 35a3fb4..6eae6a5 100644
--- a/content/posts/how-bsd-authentication-works/index.org
+++ b/content/posts/how-bsd-authentication-works/index.org
@@ -2,13 +2,14 @@
 #+DATE: 2020-06-26T18:31:36-04:00
 #+DRAFT: true
 #+DESCRIPTION:
-#+TAGS[]:
-#+KEYWORDS[]:
+#+TAGS[]: openbsd
+#+KEYWORDS[]: openbsd
 #+SLUG:
 #+SUMMARY:
+#+SHOWTOC: true
 
 [[https://web.archive.org/web/20170327150148/http://www.penzin.net/bsdauth/]]
-
+* History
 OpenBSD is quite different from many other Unix-like operating systems in many ways, but one way which I find interesting is the authentication system. Most systems from AIX, Solaris, and Linux to
@@ -30,32 +31,41 @@ specifically). The program or script has no ability to interfere with the parent and can very easily revoke permissions using =pledge(3)= or =unveil(3)=. +* Why +This one is pretty difficult, since there seems to be very little +information about how BSD Auth works apart from the source code +itself. This is my best attempt to understand the flow of BSD Auth +from what I've read. + + +* BSD Auth Modules These programs or scripts are located in =/usr/libexec/auth/= with the -naming convention =login_<style>=. They typically take arguments in -the form of +naming convention =login_<style>=. They take arguments in the form of #+BEGIN_SRC shell login_<style> [-s service] [-v key=value] user [class] #+END_SRC -<<here2>> - -- =<style>= is the authentication method. This could be =passwd=, = +- =<style>= is the authentication method. This could be =passwd=, + =radius=, =skey=, =yubikey=, etc. + - There's more information about available styles in =login.conf(5)= - =service= is the service type. Typically authentication methods will accept three values here, =login=, =challenge=, or =response=. Some - styles take different service arguments, so read the method's man - page for details. - - =login= is the default method, it's typically - -This one is pretty difficult, since there seems to be very little -information about how BSD Auth works apart from the source code -itself. This is my best attempt to understand the flow of BSD Auth -from what I've read. - + styles take different service arguments, read the style's man page + for details. + - =login= is typically the default method +- =-v key=value= is an optional argument. This is used to pass extra + data to the program under certain circumstances. +- =user= is the name of the user to be authenticated. +- =class= is optional and specifies the class of the user to be + authenticated. 
+ +* Documentation All of the high level authentication functions are described in =authenticate(3)=, with the lower level functions being described in =auth_subr(3)=. +* auth_userokay The highest level function, and easiest to use is =auth_userokay=. It takes four character arrays as arguments, =name=, =style=, =type=, and =password=. It returns either a =0= for failure, of a non-zero value @@ -67,21 +77,6 @@ This function lives inside =/lib/libc/gen/authenticate.c= int auth_userokay(char *name, char *style, char *type, char *password); #+END_SRC -The return codes are defined inside of =login_cap.h= as - -#+BEGIN_SRC c -/* - * bits which can be returned by authenticate()/auth_scan() - */ -#define AUTH_OKAY 0x01 /* user authenticated */ -#define AUTH_ROOTOKAY 0x02 /* authenticated as root */ -#define AUTH_SECURE 0x04 /* secure login */ -#define AUTH_SILENT 0x08 /* silent rejection */ -#define AUTH_CHALLENGE 0x10 /* a challenge was given */ -#define AUTH_EXPIRED 0x20 /* account expired */ -#define AUTH_PWEXPIRED 0x40 /* password expired */ -#+END_SRC - - =name= is the name of the user to be authenticated - =style= is the login method to be used - If =style= is =NULL=, the user's default login style will be @@ -108,6 +103,8 @@ returns a finished auth session of type =auth_session_t=. It closes the auth session using =auth_close= and returns the value returned from closing. +* auth_session_t + #+BEGIN_SRC c struct auth_session_t { char *name; /* name of use being authenticated */ @@ -155,6 +152,7 @@ struct authdata { }; #+END_SRC +* auth_usercheck #+BEGIN_SRC c auth_session_t *auth_usercheck(char *name, char *style, char *type, char *password) #+END_SRC @@ -182,6 +180,8 @@ the user name, style, login class, and =NULL= char pointer to arguments. It then returns the auth session pointer the call returns. +* auth_verify + #+BEGIN_SRC c auth_session_t *auth_verify(auth_session_t *as, char *style, char *name, ...) #+END_SRC 
@@ -208,6 +208,7 @@ auth_call(as, path, auth_getitem(as, AUTHV_STYLE), "-s", auth_getitem(as, AUTHV_SERVICE), "--", name, (char *)NULL); #+END_SRC +* auth_call #+BEGIN_SRC c int auth_call(auth_session_t *as, char *path, ...) @@ -290,9 +291,24 @@ it continues to scan for any other qualifiers such as =pwexpired= or =silent=. The struct's =state= is set to one using the =AUTH_= values from =login_cap.h= accordingly. +#+BEGIN_SRC c +/* + * bits which can be returned by authenticate()/auth_scan() + */ +#define AUTH_OKAY 0x01 /* user authenticated */ +#define AUTH_ROOTOKAY 0x02 /* authenticated as root */ +#define AUTH_SECURE 0x04 /* secure login */ +#define AUTH_SILENT 0x08 /* silent rejection */ +#define AUTH_CHALLENGE 0x10 /* a challenge was given */ +#define AUTH_EXPIRED 0x20 /* account expired */ +#define AUTH_PWEXPIRED 0x40 /* password expired */ +#+END_SRC + + This is the integer returned by =auth_userokay=. +* grapgh? # Setting env on auth_close(as) # partual rewrite below |