Diffstat (limited to 'content')
-rw-r--r-- | content/posts/WIP-how-bsd-authentication-works/index.org | 16 |
1 files changed, 8 insertions, 8 deletions
diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org index 527f719..b81e12a 100644 --- a/content/posts/WIP-how-bsd-authentication-works/index.org +++ b/content/posts/WIP-how-bsd-authentication-works/index.org @@ -37,12 +37,12 @@ PAM can best be described as [[https://www.youtube.com/watch?v=-CXp3byvI1g][unstandardized black magic]]. OpenBSD on the other hand uses a mechanism called BSD - Authentication. It was originally developed for a proprietary - operating system called [[https://en.wikipedia.org/wiki/BSD/OS][BSD/OS]] by [[https://en.wikipedia.org/wiki/Berkeley_Software_Design][Berkeley Software Design Inc.]], who - later donated the system. It was adopted by OpenBSD in release 2.9. - BSD Auth is comparatively much simpler than PAM. Modules or, - authentication "styles", are instead stand alone applications or - scripts that communicate over IPC. The program or script has no + Authentication. It was originally developed for a now-defunct + proprietary operating system called [[https://en.wikipedia.org/wiki/BSD/OS][BSD/OS]] by [[https://en.wikipedia.org/wiki/Berkeley_Software_Design][Berkeley Software + Design Inc.]], who later donated the system. It was adopted by OpenBSD + in release 2.9. BSD Auth is comparatively much simpler than PAM. + Modules or, authentication "styles", are instead stand alone + applications or scripts that communicate over IPC. The module has no ability to interfere with the parent and can very easily revoke permissions using [[https://man.openbsd.org/pledge][=pledge(2)=]] or [[https://man.openbsd.org/unveil][=unveil(2)=]]. The BSD Authentication system of configured through [[https://man.openbsd.org/login.conf][=login.conf(5)=]]. 
@@ -2359,8 +2359,8 @@ @@html: </details> @@ =auth_approval= is used to check a user against the [[#approval][approval script]] - for service =type=. Approval script types all begin with - =approval-=. + for service =type=. It is a front end for [[#auth_call][=auth_call=]]. Approval + script types all begin with =approval-=. Before running the scripts, first the validity of the account is checked. This is done first using [[#auth_check_expired][=auth_check_expired=]], then |
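Review bot: In the first hunk (@@ -37,12 +37,12 @@), the re-wrapped line "Modules or, authentication "styles", are instead stand alone" still carries the misplaced comma from the old text. Since this line is being touched anyway, it should read "Modules, or authentication "styles", are instead standalone applications or scripts". The trailing context line "The BSD Authentication system of configured through" also has "of" where "is" is meant, and it would be worth fixing in the same commit. The switch from "The program or script" to "The module" leaves the subject of "can very easily revoke permissions" ambiguous between the module and the parent. Consider "and can very easily drop its own privileges using pledge(2) or unveil(2)" so it is clear the restriction is self-imposed by the style.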
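Review bot: In the second hunk (@@ -2359,8 +2359,8 @@), the added sentence "It is a front end for auth_call" sits oddly with the context that follows, which says the account validity is checked with auth_check_expired before the scripts run. A reader could take "front end" to mean a thin wrapper. Suggest stating the order explicitly, for example that auth_approval performs the account checks first and then hands off to auth_call to run the approval script. The new link targets #auth_call, so confirm that a heading with that custom ID exists in index.org, otherwise the link will not resolve. The context line "first the validity of the account is checked. This is done first using" repeats "first" and could be tightened while this paragraph is open.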