Diffstat (limited to 'content/posts')
-rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/index.org | 35 |
1 files changed, 17 insertions, 18 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org index c06596b..0903ee7 100644 --- a/content/posts/WIP-how-bsd-authentication-works/index.org +++ b/content/posts/WIP-how-bsd-authentication-works/index.org 
@@ -11,27 +11,26 @@ [[https://web.archive.org/web/20170327150148/http://www.penzin.net/bsdauth/]] * History - OpenBSD is quite different from many other Unix-like operating systems - in many ways, but one way which I find interesting is the + OpenBSD is quite different from many other Unix-like operating + systems in many ways, but one way which I find interesting is the authentication system. Most systems from AIX, Solaris, and Linux to most BSDs including MacOS use some form of a system called Pluggable Authentication Module (PAM). The two main implementations of PAM are - [[http://www.linux-pam.org/][Linux PAM]] and [[https://www.openpam.org/][OpenPAM]]. PAM modules are created a dynamically loaded - shared objects, which communicate using a set of standard - interfaces ([[https://linux.die.net/man/3/pam][Linux-PAM]] and [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). PAM is configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] - directory and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]]. + [[http://www.linux-pam.org/][Linux PAM]] and [[https://www.openpam.org/][OpenPAM]]. PAM modules are created as dynamically loaded + shared objects, which communicate using a set of standard interfaces + ([[https://linux.die.net/man/3/pam][Linux-PAM]] and [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). PAM is configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory + and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]]. OpenBSD on the other hand uses a mechanism called BSD Authentication. 
It was originally developed for a proprietary operating system called [[https://en.wikipedia.org/wiki/BSD/OS][BSD/OS]] by [[https://en.wikipedia.org/wiki/Berkeley_Software_Design][Berkeley Software Design Inc.]], who - later donated the system. It was adopted by OpenBSD in release - 2.9. BSD Auth is comparatively much simpler than PAM. Modules or, + later donated the system. It was adopted by OpenBSD in release 2.9. + BSD Auth is comparatively much simpler than PAM. Modules or, authentication "styles", are instead stand alone applications or - scripts that communicate over IPC (=PF_LOCAL, SOCK_STREAM=, - specifically). The program or script has no ability to interfere - with the parent and can very easily revoke permissions using - [[https://man.openbsd.org/pledge][=pledge(2)=]] or [[https://man.openbsd.org/unveil][=unveil(2)=]]. The BSD Authentication system of - configured through [[https://man.openbsd.org/login.conf][=login.conf(5)=]]. + scripts that communicate over IPC. The program or script has no + ability to interfere with the parent and can very easily revoke + permissions using [[https://man.openbsd.org/pledge][=pledge(2)=]] or [[https://man.openbsd.org/unveil][=unveil(2)=]]. The BSD Authentication + system of configured through [[https://man.openbsd.org/login.conf][=login.conf(5)=]]. * Why 
@@ -56,13 +55,13 @@ header. - =service= is the service type. Typically authentication methods will accept one of three values here, =login=, =challenge=, or - =response=. =login= is the default if it's not specified. =login= - is used to let the module know to interact with the user directly, + =response=. =login= is the default if it's not specified, and is + used to let the module know to interact with the user directly, while =challenge= and =response= are used to pass messages back and forth through the BSD Auth API. Each style's man page will have more details on these. - - =-v key=value= is an optional argument. There is no limit to the - number of =-v= arguments. This is used to pass extra data to the + - =-v key=value= is an optional argument. There can be more than one + arguments in this style. This is used to pass extra data to the program under certain circumstances. - =user= is the name of the user to be authenticated. - =class= is optional and specifies the class of the user to be @@ -589,7 +588,7 @@ ** _auth_next_arg #+BEGIN_SRC c - static char * _auth_next_arg(auth_session_t *as) + static char *_auth_next_arg(auth_session_t *as) #+END_SRC First goes through =as->ap0=, returning one argument at a time |
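Review bot: In hunk `@@ -11,27 +11,26 @@`, the rewrapped lines carry over a typo from the original text: `The BSD Authentication + system of configured through` should read `system is configured through`. Since the hunk already touches that sentence, it is the natural place to fix it; the same applies to `Modules or, authentication "styles", are`, where the comma belongs before `or` (`Modules, or authentication "styles", are`), and `stand alone` should be hyphenated as `stand-alone`. Dropping the parenthetical `(=PF_LOCAL, SOCK_STREAM=, specifically)` also loses the only concrete statement of how the style program and the parent communicate; if it was removed because it is unverified, a short note or a link to the relevant man page would preserve the detail for readers.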
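Review bot: In hunk `@@ -56,13 +55,13 @@`, the new wording `There can be more than one + arguments in this style.` has a number-agreement error (`more than one argument`) and is vaguer than the line it replaces, which stated that there is no limit on the number of `=-v=` arguments. Suggest `The =-v= argument may be given more than once.` so the sentence stays grammatical and keeps the original meaning. The rest of the hunk (merging `=login= is the default if it's not specified` with the following sentence) reads fine.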
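Review bot: In hunk `@@ -589,7 +588,7 @@`, moving the asterisk next to the identifier (`static char *_auth_next_arg(auth_session_t *as)`) is a whitespace-only change, but it matters for consistency: the other function signatures quoted under `#+BEGIN_SRC c` headings in the post should use the same `type *name` spacing so that readers comparing against the OpenBSD source see identical declarations. Worth a quick pass over the remaining headings in the same commit rather than fixing them one at a time.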