-rw-r--r-- | content/posts/how-bsd-authentication-works/index.org | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/content/posts/how-bsd-authentication-works/index.org b/content/posts/how-bsd-authentication-works/index.org index f6c46af..35a3fb4 100644 --- a/content/posts/how-bsd-authentication-works/index.org +++ b/content/posts/how-bsd-authentication-works/index.org @@ -30,6 +30,23 @@ specifically). The program or script has no ability to interfere with the parent and can very easily revoke permissions using =pledge(3)= or =unveil(3)=. +These programs or scripts are located in =/usr/libexec/auth/= with the +naming convention =login_<style>=. They typically take arguments in +the form of + +#+BEGIN_SRC shell +login_<style> [-s service] [-v key=value] user [class] +#+END_SRC + +<<here2>> + +- =<style>= is the authentication method. This could be =passwd=, = +- =service= is the service type. Typically authentication methods will + accept three values here, =login=, =challenge=, or =response=. Some + styles take different service arguments, so read the method's man + page for details. + - =login= is the default method, it's typically + This one is pretty difficult, since there seems to be very little information about how BSD Auth works apart from the source code itself. This is my best attempt to understand the flow of BSD Auth @@ -146,7 +163,6 @@ auth_session_t *auth_usercheck(char *name, char *style, char *type, char *passwo checks the login class against the =login.conf= db, along with confirming the login styles available. - If the password is non-=NULL=, then it calls =auth_open=, which allocates and returns the pointer to an =auth_session_t=, and sets its default =service= to =login=, and it's =fd= to =-1=. After that's |
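Review bot: In the first hunk (the new text after "=pledge(3)= or =unveil(3)="), two of the added list items stop mid-sentence: the =<style>= item ends at "This could be =passwd=, =" and the nested =login= item ends at "it's typically". Finish both or leave them out until they are complete, since as committed the post goes from a half-written bullet straight into the existing "This one is pretty difficult" paragraph. The =<<here2>>= target reads like a leftover editing marker; drop it if nothing links to it. The synopsis also shows =-v key=value=, =user= and =[class]=, but the list only covers =<style>= and =service=, so a line for each remaining argument would make the block self-explanatory. Finally, the nested item calls =login= "the default method" while the parent item calls it a service value; pick one term.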
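Review bot: The second hunk (under the =auth_usercheck= description) only deletes the blank line before "If the password is non-=NULL=", which joins that sentence onto the paragraph ending "confirming the login styles available." If the two are meant to stay separate paragraphs, restore the blank line; if the merge is intentional, it is unrelated to the =login_<style>= addition and would be easier to review as its own commit. While touching this paragraph, "it's =fd=" in the context line should be "its =fd=".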