Diffstat (limited to 'content/posts/WIP-how-bsd-authentication-works')
| -rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/index.org | 74 | 
1 files changed, 72 insertions, 2 deletions
| diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org
index 9b2db27..a15d9ff 100644
--- a/content/posts/WIP-how-bsd-authentication-works/index.org
+++ b/content/posts/WIP-how-bsd-authentication-works/index.org
@@ -2274,8 +2274,15 @@
   =auth_approval= is used to check a user against the [[#approval][approval script]]
   for service =type=. Approval script types all begin with
-  =approval-=. If =type= doesn't begin with =approval-= it will be
-  prepended internally.
+  =approval-=.
+
+  Before running the scripts, first the validity of the account is
+  checked. This is done first using [[#auth_check_expired][=auth_check_expired=]], then
+  [[#_auth_checknologin][=_auth_checknologin=]], and finally [[https://man.openbsd.org/login_getcapbool#login_getcapbool][=login_getcapbool=]] to ensure the
+  user has a home directory if one is required by their login class.
+
+  If =type= doesn't begin with =approval-= it will be prepended
+  internally.
 
   if =as= is =NULL=, an auth session will be created and destroyed
   inside the function.
 
@@ -2343,6 +2350,69 @@
   If a username is invalid, it is logged in the syslog.
+* _auth_checknologin
+  :PROPERTIES:
+  :CUSTOM_ID: _auth_checknologin
+  :END:
+
+  @@html: <details> <summary> @@
+  #+begin_src c
+  static int _auth_checknologin(login_cap_t *lc, int print)
+  #+end_src
+  @@html: </summary> @@
+  #+begin_src c
+  {
+      struct stat sb;
+      char *nologin;
+      int mustfree;
+
+      if (login_getcapbool(lc, "ignorenologin", 0))
+          return (0);
+
+      /*
+       ,* If we fail to get the nologin file due to a database error,
+       ,* assume there should have been one...
+       ,*/
+      nologin = login_getcapstr(lc, "nologin", "", NULL);
+      mustfree = nologin && *nologin != '\0';
+      if (nologin == NULL)
+          goto print_nologin;
+
+      /* First try the nologin file specified in login.conf. */
+      if (*nologin != '\0' && stat(nologin, &sb) == 0)
+          goto print_nologin;
+      if (mustfree) {
+          free(nologin);
+          mustfree = 0;
+      }
+
+      /* If that doesn't exist try _PATH_NOLOGIN. */
+      if (stat(_PATH_NOLOGIN, &sb) == 0) {
+          nologin = _PATH_NOLOGIN;
+          goto print_nologin;
+      }
+
+      /* Couldn't stat any nologin files, must be OK to login. */
+      return (0);
+
+  print_nologin:
+      if (print) {
+          if (!nologin || *nologin == '\0' || auth_cat(nologin) == 0) {
+              puts("Logins are not allowed at this time.");
+              fflush(stdout);
+          }
+      }
+      if (mustfree)
+          free(nologin);
+      return (-1);
+  }
+  #+end_src
+  @@html: </details> @@
+
+  =_auth_checknologin= is a helper function in =authenticate.c=. It is
+  used to check the =nologin= status of the account. It returns =0= if
+  the user is allowed to login, and =-1= otherwise.
+
 * COMMENT note                                                     :noexport:
 
--- |
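Review bot: The closing paragraph of the new section reduces `_auth_checknologin` to "returns 0 or -1", but the listing shows two policy-relevant branches a reader of a security write-up would want named. The first statement, `if (login_getcapbool(lc, "ignorenologin", 0)) return (0);`, exits before any file is consulted, so a login class carrying `ignorenologin` bypasses the nologin check entirely; and the `nologin == NULL` path jumps straight to `print_nologin`, so a `login_getcapstr` failure (the in-code comment attributes this to a database error) denies the login, i.e. the check fails closed. The `print` parameter is also undescribed: the denial message is only emitted when it is nonzero, and the fixed `"Logins are not allowed at this time."` line is used when the path is empty or `auth_cat` returns 0 (what `auth_cat` does is not visible in this hunk, so that reading is inferred). I would add, after the last paragraph, something like `Two details matter for policy: a login class with =ignorenologin= skips the check entirely, and a failure to read the =nologin= capability is treated as if a nologin file existed, so the check fails closed.`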
