path: root/content/posts/how-bsd-authentication-works/index.org
Diffstat (limited to 'content/posts/how-bsd-authentication-works/index.org')
-rw-r--r-- content/posts/how-bsd-authentication-works/index.org 21
1 files changed, 16 insertions, 5 deletions
diff --git a/content/posts/how-bsd-authentication-works/index.org b/content/posts/how-bsd-authentication-works/index.org
index 5d756da..fb0103f 100644
--- a/content/posts/how-bsd-authentication-works/index.org
+++ b/content/posts/how-bsd-authentication-works/index.org
@@ -230,10 +230,11 @@
auth_session_t *auth_verify(auth_session_t *as, char *style, char *name, ...)
#+END_SRC
- =auth_verify= creates an auth session if =as= is =NULL=. It then sets
- the user name and style of the session, if the respective arguments
- are non-=NULL=. It then copies its variable arguments to the auth
- session's =va_list ap=, which is used inside of =auth_call=.
+ =auth_verify= creates an auth session using =auth_open= if =as= is
+ =NULL=. It then sets the user name and style of the session, if the
+ respective arguments are non-=NULL=. It then copies its variable
+ arguments to the auth session's =va_list ap=, which is used inside
+ of =auth_call=.
After that it constructs the path of the authentication module by
combining =_PATH_AUTHPROG=, which is defined in =login_cap.h= as
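Review bot: The reworded first sentence now names =auth_open= as the way the session is created, but the paragraph still does not say what =auth_verify= does when that call fails and there is no session to work with. A reader following the control flow will want that branch stated in one sentence right after "if =as= is =NULL=". As a smaller style point, three sentences in a row open with "It then"; folding the user name/style step and the =va_list= copy into one sentence would read better.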
@@ -351,8 +352,18 @@
** _auth_spool
** _recv_fd
+
* auth_close
- <<here3>>
+ =auth_close= is the function responsible for cleaning up the session
+ and taking care of the values returned though the back channel.
+
+ It first sets the environment variables returned through the back
+ channel by passing the auth session to =auth_setenv=. It then goes
+ through the =rmlist= of the session, deleting the files if the
+ session reported a failure. It then zeroes out all sensitive
+ information, and frees the various structs associated with the current
+ =auth_session_t=, and then the session itself. Finally it returns
+ the session's state =&='ed with =AUTH_ALLOW=.
* grapgh?
# Setting env on auth_close(as)
# partual rewrite below
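Review bot: Typo in the first added sentence of the auth_close section: "returned though the back channel" should read "returned through the back channel". The second paragraph says the =rmlist= files are deleted "if the session reported a failure" without saying what happens to them on success; spell that out, since it is the security-relevant part of the cleanup. "Zeroes out all sensitive information" would also be more useful if it named which fields of the session are cleared. The hunk drops the =<<here3>>= target as well, so check that no link elsewhere in the post still points at it.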