Diffstat (limited to 'content/posts/how-bsd-authentication-works/notes.org')
-rw-r--r--content/posts/how-bsd-authentication-works/notes.org83
1 files changed, 83 insertions, 0 deletions
diff --git a/content/posts/how-bsd-authentication-works/notes.org b/content/posts/how-bsd-authentication-works/notes.org
new file mode 100644
index 0000000..9bd67d4
--- /dev/null
+++ b/content/posts/how-bsd-authentication-works/notes.org
@@ -0,0 +1,83 @@
+* Notes
+ https://web.archive.org/web/20170327150148/http://www.penzin.net/bsdauth/
+ - In the man page for [[https://man.openbsd.org/auth_subr.3#auth_call][=auth_call=]] it says
+ #+begin_src text
+ path The full path name of the login script to run. The call will
+ fail if path does not pass the requirements of the secure_path(3)
+ function.
+ #+end_src
+
+ However I don't see this enforced anywhere, I even wrote a small test
+ script to prove it.
+
+ #+CAPTION: =authfail.c=
+ #+begin_src c
+ #include <sys/types.h>
+ #include <login_cap.h>
+ #include <bsd_auth.h>
+ #include <stdio.h>
+
+ int main(void) {
+ auth_session_t *as;
+
+ as = auth_open();
+ auth_call(as, "/home/dante/auth_tests/authtest/test", "hello", NULL);
+ auth_close(as);
+ }
+ #+end_src
+
+ Changing ="/home/dante/auth_tests/authtest/test"= to the location
+ of the =test= binary.
+
+ #+CAPTION: =test.c=
+ #+begin_src c
+ #include <stdio.h>
+
+ int main(void) {
+ printf("Hello! I don't have a secure path!\n");
+ return 0;
+ }
+ #+end_src
+
+ #+CAPTION: =Makefile=
+ #+begin_src makefile
+ CFLAGS = -Wall -Wextra
+
+ run: authfail test
+ ./authfail
+
+ authfail: authfail.c
+ $(CC) -o $@ $(CFLAGS) $<
+
+ test: test.c
+ $(CC) -o $@ $(CFLAGS) $<
+ #+end_src
+
+ Which results in the following:
+
+ #+begin_src text
+ $ pwd && ls -l && make
+ /home/dante/auth_tests/authtest
+ total 12
+ -rw-r--r-- 1 dante dante 143 May 30 19:20 Makefile
+ -rw-r--r-- 1 dante dante 248 May 29 19:30 authfail.c
+ -rw-r--r-- 1 dante dante 115 May 29 19:22 test.c
+ cc -o authfail -Wall -Wextra authfail.c
+ cc -o test -Wall -Wextra test.c
+ ./authfail
+ Hello! I don't have a secure path!
+ #+end_src
+
+ - The manpage also says the path is limited to =/bin/= and =/usr/bin=,
+ which is also not the case.
+
+ - The man page describes the interface for =auth_getitem= is in the
+ format of =AUTH_<item>=, but in reality it is =AUTHV_<item>=.
+
+ # Ask jcs about the file descriptor situation, I don't understand it
+ # after reading both the man page and source.
+
+ - The [[#auth_getchallenge][=auth_getchallenge=]] function in the [[https://man.openbsd.org/auth_subr.3#auth_getchallenge][=auth_subr(3)=]] man page
+ doesn't seem to exist in the source code.
+
+** TODO How are these configured in login.conf?
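Review bot: The `authfail.c` listing never checks the return value of `auth_open()` (which can return NULL, so `auth_call` would then dereference it) nor of `auth_call()`, so the experiment shows only that the binary was exec'd, not what the library reported about the path; the "not enforced anywhere" claim would be stronger if the note printed the result and the session state, e.g. `if ((as = auth_open()) == NULL) err(1, "auth_open");` and `printf("auth_call=%d state=%d\n", auth_call(as, "/home/dante/auth_tests/authtest/test", "hello", NULL), auth_getstate(as));`. The binary is built in a user-owned directory (the `ls -l` shows `dante dante` ownership), which is exactly the case a secure_path(3)-style check exists to reject, so pinning down the return code is what separates "check missing" from "check failing after exec". It would also be worth stating in the notes that, whatever libc does, callers of `auth_call` are typically privileged programs and must never pass a user-influenced path, since the path is exec'd with the caller's privileges. The manpage discrepancies (`AUTH_` vs `AUTHV_`, `auth_getchallenge`) are claims about external sources and should cite the exact man page and source revision they were checked against.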