-rw-r--r-- content/posts/WIP-how-bsd-authentication-works/index.org | 37
1 files changed, 31 insertions, 6 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org
index ab65930..9b2db27 100644
--- a/content/posts/WIP-how-bsd-authentication-works/index.org
+++ b/content/posts/WIP-how-bsd-authentication-works/index.org
@@ -2272,20 +2272,45 @@
#+end_src
@@html: </details> @@
- =auth_approval= is used to check a user against approval script for
- service =type=.
+ =auth_approval= is used to check a user against the [[#approval][approval script]]
+ for service =type=. Approval script types all begin with
+ =approval-=. If =type= doesn't begin with =approval-= it will be
+ prepended internally.
+
+ if =as= is =NULL=, an auth session will be created and destroyed
+ inside the function.
+
+ If =lc= is =NULL=, it will be retrieved internally by looking up
+ =name=.
+
+ If =type= is =NULL=, the default of =LOGIN_DEFSERVICE= is used. This
+ is defined in =login_cap.h= as =login=. This should call the default
+ =approval= script, according to the [[https://man.openbsd.org/login.conf#CAPABILITIES][=CAPABILITIES=]] section of the
+ =login.conf= man page.
It returns either =0= for disapproval, or non-zero for approval.
+* Approval Scripts
+ :PROPERTIES:
+ :CUSTOM_ID: approval
+ :END:
+
Approval scripts can be much simpler than the full login modules
used by the other functions. They may run with limited information
and instead of explicitly allowing or denying users with specific
conditions. They are given the same back-channel as auth modules,
- but may also either exit with a zero status for approval, or
- non-zero status to signal disapproval.
+ but do not have to explicitly authenticate or revoke users. They
+ should exit with a zero status for approval, or non-zero status to
+ signal disapproval.
+
+ Approval scrips receive arguments in the following form.
+ #+begin_src shell
+ approve [-v name=value] username class service
+ #+end_src
- Approval scrips receive arguments in the same format as auth
- modules.
+ It can also receive extra key-value =-v= arguments in the same format as
+ [[#modules][auth modules]]. More information is available in the [[https://man.openbsd.org/login.conf#APPROVAL][=APPROVAL=]]
+ section of the =login.conf= man page.
<<here>>
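Review bot: the added line `+ Approval scrips receive arguments in the following form.` carries the "scrips" typo over from the removed text; it should read "Approval scripts". The sentence right after the new `#+begin_src shell` block, `+ It can also receive extra key-value =-v= arguments in the same format as`, has no clear antecedent once the synopsis block sits between it and "Approval scripts", so "They can also receive" (or "Approval scripts can also receive") would read better. Two smaller consistency points in the new `auth_approval` paragraphs: `+ if =as= is =NULL=, an auth session will be created and destroyed` starts with a lowercase "if" while the sibling paragraphs use "If", and the hedged "This should call the default =approval= script" next to the claim that the `approval-` prefix is prepended internally is worth verifying against the linked `login.conf` CAPABILITIES/APPROVAL sections and the `auth_approval` source before this leaves WIP, since the capability names the man page documents should match the prefix stated here exactly. Finally, the unchanged context sentence "They may run with limited information and instead of explicitly allowing or denying users with specific conditions." is a fragment that now overlaps with the new "but do not have to explicitly authenticate or revoke users"; merging the two into one sentence would remove the repetition.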