Diffstat (limited to 'content/posts')
-rw-r--r--content/posts/WIP-how-bsd-authentication-works/index.org48
1 files changed, 25 insertions, 23 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org
index fd7d511..3426347 100644
--- a/content/posts/WIP-how-bsd-authentication-works/index.org
+++ b/content/posts/WIP-how-bsd-authentication-works/index.org
@@ -170,9 +170,9 @@
challenge-response methods.
- If =password= is specified, then it's non-interactively tested
- =auth_userokay= is just a wrapper around =auth_usercheck=. It takes
- care of closing the session using =auth_close= for you, returning
- the resulting value.
+ =auth_userokay= is just a wrapper around [[#auth_usercheck][=auth_usercheck=]], which
+ takes care of closing the session using =auth_close= for you,
+ returning the resulting value.
* auth_session_t
:PROPERTIES:
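Review bot: the rewritten sentence shifts who closes the session. The old text said =auth_userokay= ("It") takes care of calling =auth_close=; the new relative clause "which takes care of closing the session" now attaches to =auth_usercheck=, so a reader will take the wrapped function as the one that closes it. Keep the link but restore the subject, e.g. "=auth_userokay= is just a wrapper around [[#auth_usercheck][=auth_usercheck=]]; it takes care of closing the session using =auth_close= for you and returns the resulting value."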
@@ -384,7 +384,7 @@
#+end_src
=auth_open= is used by several functions to create a new auth
- session. It allocates an =auth_session_t= struct on the heap, sets
+ session. It allocates an [[#auth_session_t][=auth_session_t=]] struct on the heap, sets
its default =service= to that defined by =LOGIN_DEFSERVICE= in
=/include/login_cap.h=, which is currently ="login"=.
@@ -421,7 +421,7 @@
specified, it is returned if available, otherwise =NULL= is
returned, which causes =auch_usercheck= to return =NULL= as well.
- It then creates a pointer =as= of type =auth_session_t=, and handles
+ It then creates a pointer =as= of type [[#auth_session_t][=auth_session_t=]], and handles
it differently based on whether =*password= is =NULL=.
- If the password is a string, it creates a new session using
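Review bot: while touching this paragraph, fix the typo in the unchanged context line just above: "=auch_usercheck= to return =NULL=" should read "=auth_usercheck=", and it could take the same [[#auth_usercheck][...]] link this commit adds elsewhere.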
@@ -457,7 +457,7 @@
auth_session_t *auth_verify(auth_session_t *as, char *style, char *name, ...)
#+END_SRC
- =auth_verify= is used as a frontend for =auth_call=.
+ =auth_verify= is used as a frontend for [[#auth_call][=auth_call=]].
It creates an auth session using =auth_open= if =*as= is =NULL=.
@@ -478,7 +478,7 @@
#+end_src
It then copies its variable arguments to the auth session using
- =auth_set_va_list=.
+ [[#auth_set_va_list][=auth_set_va_list=]].
Then =auth_call= is called with the session struct, the path to the
auth module, the auth style, the "-s" flag followed by the service
@@ -517,7 +517,7 @@
First, the variable arguments are placed in =as->ap0=.
- =_auth_next_arg= is called once, with the result being set as the
+ [[#_auth_next_arg][=_auth_next_arg=]] is called once, with the result being set as the
first element in =argv=. If =as->fd= is set, add =-v= and =fd=4= to
=argv=.
@@ -532,7 +532,7 @@
is called the "back channel", and is used to communicate with the
authentication module.
- The process now calls =fork()=.
+ The process now calls [[https://man.openbsd.org/man2/fork.2][=fork(2)=]].
Here two constants are set for the back channel and optional
authentication file descriptors.
@@ -542,12 +542,12 @@
#define AUTH_FD 4
#+end_src
- In the child process, the back channel is set to file descriptor
- 3, or =COMM_FD= using =dup2(3)=. If =as->fd=, is not =-1=, it is set
- to file descriptor 4, or =AUTH_FD=, also using =dup2(3)=. The
- remainder of the file descriptors are closed using either
- =closefrom(COMM_FD + 1)= or =closefrom(AUTH_FD + 1)=, depending on
- whether or not =AUTH_FD= is used.
+ In the child process, the back channel is set to file descriptor 3,
+ or =COMM_FD= using =dup2(3)=. If =as->fd=, is not =-1=, it is set to
+ file descriptor 4, or =AUTH_FD=, also using [[https://man.openbsd.org/man2/dup.2#dup2][=dup2(3)=]]. The remainder
+ of the file descriptors are closed using [[https://man.openbsd.org/man2/closefrom.2][=closefrom(2)=]] by calling
+ either =closefrom(COMM_FD + 1)= or =closefrom(AUTH_FD + 1)=,
+ depending on whether or not =AUTH_FD= is used.
The child process then executes the module.
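Review bot: the manual section in the new link label is inconsistent with its target: the URL points at man2/dup.2 but the label reads =dup2(3)=, while the other links added in this commit use the matching section (=fork(2)=, =closefrom(2)=). Use =dup2(2)= in both mentions, since the first one on "or =COMM_FD= using =dup2(3)=" is also left unlinked. The stray comma in "If =as->fd=, is not =-1=" is carried over from the old text and should be dropped in the same pass.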
@@ -583,7 +583,7 @@
The response from the authentication module is then read from the
back channel and put into =as->spool= with an optional received file
- descriptor placed in =as->fd=, using =_auth_spool=.
+ descriptor placed in =as->fd=, using [[#_auth_spool][=_auth_spool=]].
#+begin_src c
_auth_spool(as, pfd[0]);
@@ -676,8 +676,10 @@
#+END_SRC
The scanner is looking for lines that begin with =BI_AUTH=,
- =BI_REJECT=, or =BI_REMOVE=. Here =as->state= is set according to
- the values defined on =login_cap.h=.
+ =BI_REJECT=, or =BI_REMOVE=.
+
+ Here =as->state= is set according to the values defined on
+ =login_cap.h=.
#+BEGIN_SRC c
/*
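Review bot: the paragraph split is fine, but "defined on =login_cap.h=" in the new second paragraph should be "defined in =login_cap.h=", and for consistency with the earlier hunk it could name the full header path used there.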
@@ -704,7 +706,7 @@
authorizations.
For any lines beginning with =BI_REMOVE=, the file names after the
- key word are sent to =_add_rmlist=.
+ key word are sent to [[#_add_rmlist][=_add_rmlist=]].
#+begin_src c
_add_rmlist(as, line);
#+end_src
@@ -725,7 +727,7 @@
#define AUTH_ALLOW (AUTH_OKAY | AUTH_ROOTOKAY | AUTH_SECURE)
#+end_src
- If the status results in a rejection, =auth_clrenv= is called with
+ If the status results in a rejection, [[#auth_clrenv][=auth_clrenv=]] is called with
=as=. This removes any requests the login script has made to set
environment variables from =as->spool=.
@@ -742,7 +744,7 @@
First goes through =as->ap0=, returning one argument at a time
until it hits the =NULL= character pointer. At which point it
- calls =va_end(as->ap0)= and =explicit_bzero='s it.
+ calls =va_end(as->ap0)= and [[https://man.openbsd.org/man3/bzero.3#explicit_bzero][=explicit_bzero(3)=]]'s it.
Moves on to do the same thing for =as->ap=.
@@ -762,7 +764,7 @@
on the spool. While spooling it converts newlines to =NUL='s in
order to parse the output more easily. It also handles any file
descriptors passed through the back channel by sending them to
- =_recv_fd=.
+ [[#_recv_fd][=_recv_fd=]].
#+begin_src c
// [...]
@@ -836,7 +838,7 @@
All =as->optlist= structs are freed.
- All =as->data= structs are =explicit_bzero='d and then freed.
+ All =as->data= structs are [[https://man.openbsd.org/man3/bzero.3#explicit_bzero][=explicit_bzero(3)=]]'d and then freed.
=as->pwd= is =explicit_bzero='d and freed.
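Review bot: the =explicit_bzero(3)= link is added on the =as->data= line but the identical phrase on the very next context line ("=as->pwd= is =explicit_bzero='d and freed.") is left unlinked; either link both or neither, and keep the "(3)" section suffix the same on both.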