Diffstat (limited to 'content/posts')
| -rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/index.org | 24 | 
1 files changed, 13 insertions, 11 deletions
| diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org index 22e3e9a..8678a09 100644 --- a/content/posts/WIP-how-bsd-authentication-works/index.org +++ b/content/posts/WIP-how-bsd-authentication-works/index.org @@ -137,7 +137,8 @@    #+END_SRC    The auth module communicates with its caller through what's called -  the "back channel" on file descriptor 3. +  the "back channel" on file descriptor 3. This communication is +  covered in greater detail in the [[#auth_call][=auth_call=]] section.    Some modules require an extra file descriptor to be passed in for    stateful challenge/response authentication. In these cases, an extra @@ -179,11 +180,10 @@    :PROPERTIES:    :CUSTOM_ID: auth_userokay    :END: -<<here>>    [[https://man.openbsd.org/authenticate.3#auth_userokay][=auth_userokay=]] is the highest level function, and easiest to use. -  It takes four character arrays as arguments, =name=, =style=, -  =type=, and =password=. It returns either a =0= for failure, of a -  non-zero value for success. +  It takes four strings as arguments: =name=, =style=, =type=, and +  =password=. It returns either a =0= for failure, of a non-zero value +  for success.    @@html: <details> <summary> @@    #+BEGIN_SRC c 
@@ -204,23 +204,22 @@    - =name= is the name of the user to be authenticated    - =style= is the login method to be used      - If =style= is =NULL=, the user's default login style will be -      used. By default this is =passwd= on normal accounts. +      used. This is =passwd= on normal accounts.      - The style can be one of the installed authentication methods, like        =passwd=, =radius=, =skey=, =yubikey=, etc. -    - There's more information about available styles in =login.conf(5)=      - Styles can also be installed through BSD Auth module packages    - =type= is the authentication type -    - Types are defined in =login.conf= and define a group of allowed -      auth styles +    - Types are defined in =login.conf= and as a group of allowed auth +      styles      - If =type= is =NULL=, use the auth type for the user's login        class. The default type is =auth-default=, which allows        =psaswd= and =skey= auth methods. -    - There's more information about how to add methods in =login.conf(5)=    - =password= is the password to test      - If =password= is =NULL=, then the user is interactively        prompted. This is required for auth styles using        challenge-response methods. -    - If =password= is specified, then it's non-interactively tested +    - If =password= is specified, then it's passed to the auth module +      as a =response=    =auth_userokay= is just a wrapper around [[#auth_usercheck][=auth_usercheck=]] that takes    care of closing the session using [[#auth_close][=auth_close=]], and returning the @@ -230,6 +229,9 @@    :PROPERTIES:    :CUSTOM_ID: auth_session_t    :END: + +  <<review>> +    =auth_session_t= is the main data structure used to represent the    authentication session. | 
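Review bot: In the hunk at @@ -137,7 +137,8 @@, the new cross-reference [[#auth_call][=auth_call=]] only resolves if a heading carries :CUSTOM_ID: auth_call, and no such property drawer is visible in this diff (only auth_userokay and auth_session_t are). Confirm the target exists, or add the drawer in the same commit so the link is not dangling in the published post.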
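Review bot: In the hunk at @@ -179,11 +180,10 @@, the rewrapped return-value sentence still carries the old typo: "of a non-zero value for success" should read "or a non-zero value for success". Since these lines are being touched anyway, fix it here. The "either a =0=" wording could also be tightened to "It returns =0= for failure, or a non-zero value for success."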
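Review bot: In the hunk at @@ -204,23 +204,22 @@, the rewritten =type= bullet lost its verb: "Types are defined in =login.conf= and as a group of allowed auth styles" no longer parses, where the old text said "and define a group of allowed auth styles". Suggest restoring "define", or "Types are defined in =login.conf= as groups of allowed auth styles". The unchanged context line just below still spells the style "=psaswd=", which should be "=passwd=". The new =password= bullet says the value is passed "as a =response=" without the term having been introduced in the visible text, so a short pointer to where =response= is explained would help. Both pointers to =login.conf(5)= are dropped here; consider keeping one so readers know where styles and types are documented.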
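Review bot: In the hunk at @@ -230,6 +229,9 @@, the added <<review>> line under the auth_session_t property drawer looks like a working bookmark, since the same commit removes <<here>> from the auth_userokay section. Make sure it is dropped before the post loses its WIP prefix, or keep such markers in an org comment line (# review) so they cannot end up in the exported page.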
