-rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/index.org | 32 |
1 files changed, 18 insertions, 14 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org index de3b6ac..c7576a1 100644 --- a/content/posts/WIP-how-bsd-authentication-works/index.org +++ b/content/posts/WIP-how-bsd-authentication-works/index.org 
@@ -18,20 +18,20 @@ :END: The way OpenBSD authenticates users is quite different from other - Unix-like operating systems. Most systems from AIX to Solaris, - including Linux, the other BSDs, and MacOS, use a framework called - [[https://en.wikipedia.org/wiki/Pluggable_authentication_module][Pluggable Authentication Module]] (PAM). The two main implementations - are [[http://www.linux-pam.org/][Linux PAM]] and [[https://www.openpam.org/][OpenPAM]]. PAM modules are created as dynamically - loaded shared objects, which communicate using a combination of - common and implementation specific interfaces ([[https://linux.die.net/man/3/pam][Linux-PAM]] and - [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). It's configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]] - file. While it can be flexible, it's highly complex and very easy to - mis-configure, leaving you open to strange and hard to track down - authentication bugs. On top of that, the fact that it's a shared - library means that any vulnerability in a poorly vetted - authentication module gives attackers direct access to the internals - of your application. Author Michael W. Lucas said it best when he - described PAM as [[https://www.youtube.com/watch?v=-CXp3byvI1g][unstandardized black magic]]. + Unix-like operating systems. Most other systems like AIX, Solaris, + Linux, the other BSDs, and MacOS, use a framework called [[https://en.wikipedia.org/wiki/Pluggable_authentication_module][Pluggable + Authentication Module]] (PAM). The two main implementations are [[http://www.linux-pam.org/][Linux + PAM]] and [[https://www.openpam.org/][OpenPAM]]. 
PAM modules are created as dynamically loaded + shared objects, which communicate using a combination of common and + implementation specific interfaces ([[https://linux.die.net/man/3/pam][Linux-PAM]] and [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). It's + configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]] file. While it can + be flexible, it's highly complex and very easy to mis-configure, + leaving you open to strange and hard to track down authentication + bugs. On top of that, the fact that it's a shared library means that + any vulnerability in a poorly vetted authentication module gives + attackers direct access to the internals of your application. Author + Michael W. Lucas said it best when he described PAM as + [[https://www.youtube.com/watch?v=-CXp3byvI1g][unstandardized black magic]]. OpenBSD on the other hand uses a mechanism called BSD Authentication. It was originally developed for a now-defunct @@ -143,6 +143,10 @@ The simplest way to authenticate a user with BSD Auth is by using [[#auth_userokay][=auth_userokay=]]. + For cases where challenge / response authentication is required and + the user can't interacting through =stdin= and =stdout=, + [[#auth_userchallenge][=auth_userchallenge=]] and [[#auth_userresponse][=auth_userresponse=]] can be used. + * Approval Scripts :PROPERTIES: :CUSTOM_ID: approval |
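Review bot: the reworded opening of the first hunk keeps a few spelling and consistency issues worth fixing while the paragraph is being reflowed anyway: "MacOS" should be "macOS", "mis-configure" should be "misconfigure", and the link text "Linux PAM" two sentences before "Linux-PAM" should use one form. The new first sentence also stacks "other" twice ("different from other Unix-like operating systems. Most other systems like ...") and has a stray comma before the verb; suggest "Most of them, including AIX, Solaris, Linux, the other BSDs and macOS, use a framework called [[...][Pluggable Authentication Module]] (PAM)."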
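Review bot: the paragraph added in the second hunk is ungrammatical: "the user can't interacting through =stdin= and =stdout=" should read "the user can't interact through =stdin= and =stdout=", and "challenge / response" is conventionally written "challenge/response". Since the sentence introduces two functions at once, it would also help the reader to state the order in which they are used, e.g. "... [[#auth_userchallenge][=auth_userchallenge=]] returns the challenge for the program to present to the user however it likes, and the answer is then passed to [[#auth_userresponse][=auth_userresponse=]]", so the reader knows which call comes first before reaching the per-function sections.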