Diffstat (limited to 'content/posts/WIP-how-bsd-authentication-works/index.org')
-rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/index.org | 43
1 files changed, 25 insertions, 18 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org index 63cd38b..a8ebeb5 100644 --- a/content/posts/WIP-how-bsd-authentication-works/index.org +++ b/content/posts/WIP-how-bsd-authentication-works/index.org @@ -8,6 +8,8 @@ #+SLUG: #+SUMMARY: +#+ATTR_HTML: :title OpenBSD Internals +#+ATTR_HTML: :alt OpenBSD mascot cutaway view with spinning gears inside [[file:openbsd_internals.gif]] * History 
@@ -15,23 +17,28 @@ :CUSTOM_ID: history :END: - OpenBSD is quite different from many other Unix-like operating - systems. One which I find interesting is the authentication system. - Most systems from AIX, Solaris, and Linux to other BSDs including - MacOS, use a framework called [[https://en.wikipedia.org/wiki/Pluggable_authentication_module][Pluggable Authentication Module]] (PAM). - The two main implementations are [[http://www.linux-pam.org/][Linux PAM]] and [[https://www.openpam.org/][OpenPAM]]. PAM modules - are created as dynamically loaded shared objects, which communicate - using a combination of common and implementation specific interfaces - ([[https://linux.die.net/man/3/pam][Linux-PAM]] and [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). It's configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory - and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]] file. PAM can best be described as [[https://www.youtube.com/watch?v=-CXp3byvI1g][unstandardized black - magic]]. + The way OpenBSD authenticates users is quite different from other + Unix-like operating systems. Most systems from AIX to Solaris, + including Linux, the other BSDs, and MacOS, use a framework called + [[https://en.wikipedia.org/wiki/Pluggable_authentication_module][Pluggable Authentication Module]] (PAM). The two main implementations + are [[http://www.linux-pam.org/][Linux PAM]] and [[https://www.openpam.org/][OpenPAM]]. PAM modules are created as dynamically + loaded shared objects, which communicate using a combination of + common and implementation specific interfaces ([[https://linux.die.net/man/3/pam][Linux-PAM]] and + [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). 
It's configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]] + file. While it can be flexible, it's highly complex and very easy to + mis-configure, leaving you open to strange and hard to track down + authentication bugs. On top of that, the fact that it's a shared + library means that any vulnerability in a poorly vetted + authentication module gives attackers direct access to the internals + of your application. Author Michael W. Lucas said it best when he + described PAM as [[https://www.youtube.com/watch?v=-CXp3byvI1g][unstandardized black magic]]. OpenBSD on the other hand uses a mechanism called BSD Authentication. It was originally developed for a now-defunct proprietary operating system called [[https://en.wikipedia.org/wiki/BSD/OS][BSD/OS]] by [[https://en.wikipedia.org/wiki/Berkeley_Software_Design][Berkeley Software - Design Inc.]], who later donated the system. It was adopted by OpenBSD - in release 2.9. BSD Auth is comparatively much simpler than PAM. - Modules or, authentication "styles", are instead stand alone + Design Inc.]], who later donated the system. It was then adopted by + OpenBSD in release 2.9. BSD Auth is comparatively much simpler than + PAM. Modules or, authentication "styles", are instead stand alone applications or scripts that communicate over IPC. The module has no ability to interfere with the parent and can very easily revoke permissions using [[https://man.openbsd.org/pledge][=pledge(2)=]] or [[https://man.openbsd.org/unveil][=unveil(2)=]]. The BSD Authentication @@ -44,7 +51,7 @@ There isn't much on the internet about how to use BSD Authentication. I was curious about how the internals worked, and I - figured someone else might be too :-) + figured someone else might be too :^) * Documentation :PROPERTIES: 
@@ -88,8 +95,8 @@ arguments in this style. This is used to pass extra data to the program under certain circumstances. - =user= is the name of the user to be authenticated. - - =class= is optional and specifies the class of the user to be - authenticated. + - =class= is optional and specifies the login class to use for the + user. =login= and =su= pass in extra data as =-v= flags. @@ -126,8 +133,8 @@ wheel when using the su(1) program to become super user. #+END_SRC - The auth module communicates with its caller through file - descriptor 3. + The auth module communicates with its caller through what's called + the "back channel" on file descriptor 3. Some modules require an extra file descriptor to be passed in for stateful challenge/response authentication. In these cases, an extra |
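Review bot: in the @@ -15,23 +17,28 @@ hunk, the added sentence "the fact that it's a shared library means that any vulnerability in a poorly vetted authentication module gives attackers direct access to the internals of your application" attributes the risk to PAM being a library, while the real cause is the one the paragraph already states two sentences earlier: each module is a dynamically loaded shared object pulled into the address space of the program doing the authentication, so the module's code runs with that program's privileges and can read or corrupt its memory. Suggest "On top of that, because modules are loaded into the address space of the program doing the authentication, a vulnerability in a poorly vetted module runs with that program's privileges and has direct access to its internals." Two smaller points in the same hunk: the retained comma placement in the `+` line "PAM. Modules or, authentication "styles", are instead stand alone" should read "Modules, or authentication "styles", are", and "implementation specific", "hard to track down authentication bugs" and "stand alone" read better hyphenated as compound modifiers ("implementation-specific", "hard-to-track-down", "stand-alone").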
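Review bot: in the @@ -88,8 +95,8 @@ hunk, "login class" is the right term, but this is the first place the post uses it; since the other OpenBSD concepts in this section (pledge(2), unveil(2)) are linked to their manual pages, link it to login.conf(5), where login classes are defined, in the same `[[https://man.openbsd.org/login.conf][=login.conf(5)=]]` style, so a reader can see what a class controls before the =-v= flags are discussed.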
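Review bot: in the @@ -126,8 +133,8 @@ hunk, the new wording names the "back channel" on file descriptor 3 without saying what it carries; since the term is introduced here in quotes, state what flows over it and in which direction, for example that the module writes its result (authorize or reject) back to the caller on that descriptor, so the name explains itself and the following paragraph about the extra descriptor for stateful challenge/response has something to contrast with.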