Diffstat (limited to 'content/posts')
| -rw-r--r-- | content/posts/how-bsd-authentication-works/index.org | 80 | 
1 files changed, 48 insertions, 32 deletions
| diff --git a/content/posts/how-bsd-authentication-works/index.org b/content/posts/how-bsd-authentication-works/index.org index 35a3fb4..6eae6a5 100644 --- a/content/posts/how-bsd-authentication-works/index.org +++ b/content/posts/how-bsd-authentication-works/index.org @@ -2,13 +2,14 @@  #+DATE: 2020-06-26T18:31:36-04:00  #+DRAFT: true  #+DESCRIPTION: -#+TAGS[]: -#+KEYWORDS[]: +#+TAGS[]: openbsd +#+KEYWORDS[]: openbsd  #+SLUG:  #+SUMMARY: +#+SHOWTOC: true  [[https://web.archive.org/web/20170327150148/http://www.penzin.net/bsdauth/]] - +* History  OpenBSD is quite different from many other Unix-like operating systems  in many ways, but one way which I find interesting is the  authentication system. Most systems from AIX, Solaris, and Linux to 
@@ -30,32 +31,41 @@ specifically). The program or script has no ability to interfere with  the parent and can very easily revoke permissions using =pledge(3)= or  =unveil(3)=. +* Why +This one is pretty difficult, since there seems to be very little +information about how BSD Auth works apart from the source code +itself. This is my best attempt to understand the flow of BSD Auth +from what I've read. + + +* BSD Auth Modules  These programs or scripts are located in =/usr/libexec/auth/= with the -naming convention =login_<style>=. They typically take arguments in -the form of +naming convention =login_<style>=. They take arguments in the form of  #+BEGIN_SRC shell  login_<style> [-s service] [-v key=value] user [class]  #+END_SRC -<<here2>> - -- =<style>= is the authentication method. This could be =passwd=, = +- =<style>= is the authentication method. This could be =passwd=, +  =radius=, =skey=, =yubikey=, etc. +  - There's more information about available styles in =login.conf(5)=  - =service= is the service type. Typically authentication methods will    accept three values here, =login=, =challenge=, or =response=. Some -  styles take different service arguments, so read the method's man -  page for details. -  - =login= is the default method, it's typically - -This one is pretty difficult, since there seems to be very little -information about how BSD Auth works apart from the source code -itself. This is my best attempt to understand the flow of BSD Auth -from what I've read. - +  styles take different service arguments, read the style's man page +  for details. +  - =login= is typically the default method +- =-v key=value= is an optional argument. This is used to pass extra +  data to the program under certain circumstances. +- =user= is the name of the user to be authenticated. +- =class= is optional and specifies the class of the user to be +  authenticated. 
+ +* Documentation  All of the high level authentication functions are described in  =authenticate(3)=, with the lower level functions being described in  =auth_subr(3)=. +* auth_userokay  The highest level function, and easiest to use is =auth_userokay=. It  takes four character arrays as arguments, =name=, =style=, =type=, and  =password=. It returns either a =0= for failure, of a non-zero value @@ -67,21 +77,6 @@ This function lives inside =/lib/libc/gen/authenticate.c=  int auth_userokay(char *name, char *style, char *type, char *password);  #+END_SRC -The return codes are defined inside of =login_cap.h= as - -#+BEGIN_SRC c -/* - * bits which can be returned by authenticate()/auth_scan() - */ -#define  AUTH_OKAY       0x01            /* user authenticated */ -#define  AUTH_ROOTOKAY   0x02            /* authenticated as root */ -#define  AUTH_SECURE     0x04            /* secure login */ -#define  AUTH_SILENT     0x08            /* silent rejection */ -#define  AUTH_CHALLENGE  0x10            /* a challenge was given */ -#define  AUTH_EXPIRED    0x20            /* account expired */ -#define  AUTH_PWEXPIRED  0x40            /* password expired */ -#+END_SRC -  - =name= is the name of the user to be authenticated  - =style= is the login method to be used    - If =style= is =NULL=, the user's default login style will be @@ -108,6 +103,8 @@ returns a finished auth session of type =auth_session_t=. It closes  the auth session using =auth_close= and returns the value returned  from closing. +* auth_session_t +  #+BEGIN_SRC c  struct auth_session_t {      char    *name;                 /* name of use being authenticated */ @@ -155,6 +152,7 @@ struct authdata {  };  #+END_SRC +* auth_usercheck  #+BEGIN_SRC c  auth_session_t *auth_usercheck(char *name, char *style, char *type, char *password)  #+END_SRC 
@@ -182,6 +180,8 @@ the user name, style, login class, and =NULL= char pointer to  arguments. It then returns the auth session pointer the call  returns. +* auth_verify +  #+BEGIN_SRC c  auth_session_t *auth_verify(auth_session_t *as, char *style, char *name, ...)  #+END_SRC @@ -208,6 +208,7 @@ auth_call(as, path, auth_getitem(as, AUTHV_STYLE), "-s",      auth_getitem(as, AUTHV_SERVICE), "--", name, (char *)NULL);  #+END_SRC +* auth_call  #+BEGIN_SRC c  int auth_call(auth_session_t *as, char *path, ...) @@ -290,9 +291,24 @@ it continues to scan for any other qualifiers such as =pwexpired= or  =silent=. The struct's =state= is set to one using the =AUTH_= values  from =login_cap.h= accordingly. +#+BEGIN_SRC c +/* + * bits which can be returned by authenticate()/auth_scan() + */ +#define  AUTH_OKAY       0x01            /* user authenticated */ +#define  AUTH_ROOTOKAY   0x02            /* authenticated as root */ +#define  AUTH_SECURE     0x04            /* secure login */ +#define  AUTH_SILENT     0x08            /* silent rejection */ +#define  AUTH_CHALLENGE  0x10            /* a challenge was given */ +#define  AUTH_EXPIRED    0x20            /* account expired */ +#define  AUTH_PWEXPIRED  0x40            /* password expired */ +#+END_SRC + +  This is the integer returned by  =auth_userokay=. +* grapgh?  # Setting env on auth_close(as)  # partual rewrite below | 
