From 659a8adaaccaecbc374fe23f199bb6918d9c2c49 Mon Sep 17 00:00:00 2001 From: Dante Catalfamo Date: Fri, 30 Oct 2020 17:19:30 -0400 Subject: Pretty much finish auth_call --- .../WIP-how-bsd-authentication-works/index.org | 81 +++++++++++++++++----- 1 file changed, 65 insertions(+), 16 deletions(-) diff --git a/content/posts/WIP-how-bsd-authentication-works/index.org b/content/posts/WIP-how-bsd-authentication-works/index.org index 5bc90b7..98a13e2 100644 --- a/content/posts/WIP-how-bsd-authentication-works/index.org +++ b/content/posts/WIP-how-bsd-authentication-works/index.org 
@@ -14,12 +14,12 @@ OpenBSD is quite different from many other Unix-like operating systems in many ways, but one way which I find interesting is the authentication system. Most systems from AIX, Solaris, and Linux to - most BSDs including MacOS use some form of a system called Pluggable - Authentication Module (PAM). The two main implementations of PAM are + most BSDs including MacOS use some form of a system called [[https://en.wikipedia.org/wiki/Pluggable_authentication_module][Pluggable + Authentication Module]] (PAM). The two main implementations of PAM are [[http://www.linux-pam.org/][Linux PAM]] and [[https://www.openpam.org/][OpenPAM]]. PAM modules are created as dynamically loaded - shared objects, which communicate using a set of standard interfaces - ([[https://linux.die.net/man/3/pam][Linux-PAM]] and [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). PAM is configured using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory - and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]]. + shared objects, which communicate using a set of somewhat + standardized interfaces ([[https://linux.die.net/man/3/pam][Linux-PAM]] and [[https://www.freebsd.org/cgi/man.cgi?query=pam&apropos=0&sektion=3&manpath=FreeBSD+12.1-RELEASE+and+Ports&arch=default&format=html][OpenPAM]]). PAM is configured + using the [[https://linux.die.net/man/5/pam.d][pam.d]] directory and [[https://www.freebsd.org/cgi/man.cgi?query=pam.conf&sektion=5&apropos=0&manpath=FreeBSD+12.1-RELEASE+and+Ports][pam.conf]]. OpenBSD on the other hand uses a mechanism called BSD Authentication. It was originally developed for a proprietary 
@@ -488,10 +488,8 @@ _auth_spool(as, pfd[0]); #+end_src - <> - - After that the spooled data is scanned for key words defined in - =login_cap.h=. + Once the back channel data has finished spooling, it is scanned for + key words defined in =login_cap.h=. #+BEGIN_SRC c #define BI_AUTH "authorize" /* Accepted authentication */ @@ -576,13 +574,9 @@ #+END_SRC - # Write about =auth_getvalue= - - It is looking for lines that start with either =BI_AUTH= - (=authorize=), or =BI_REJECT= (=reject=). If the line is still longer, - it continues to scan for any other qualifiers such as =pwexpired= or - =silent=. The struct's =state= is set to one using the =AUTH_= values - from =login_cap.h= accordingly. + The scanner is looking for lines that begin with =BI_AUTH=, + =BI_REJECT=, or =BI_REMOVE=. Here =as->state= is set according to + the values defined on =login_cap.h=. #+BEGIN_SRC c /* 
@@ -597,6 +591,49 @@ #define AUTH_PWEXPIRED 0x40 /* password expired */ #+END_SRC + If an authorization is received (any line starting with =BI_AUTH=), + the appropriate state is bitwise =or=-ed onto =as->state=, allowing + multiple authorizations, such as a case where both =BI_ROOTOKAY=, + resulting in a state of =AUTH_ROOTOKAY=, and =BI_SECURE=, resulting + in a state of =AUTH_SECURE= are both sent. + + If a rejection is received (any line starting with =BI_REJECT=), + =as->state= is set according to the rejection, and the scanning is + stopped. Rejections are final and take precedence over any + authorizations. + + For any lines beginning with =BI_REMOVE=, the file names after the + key word are sent to =_add_rmlist=. + #+begin_src c + _add_rmlist(as, line); + #+end_src + + After scanning is complete, the resulting status is checked against + a bitmask to ensure the result is either only accept or only reject. + + An =okay= value is then defined by masking the state with the value + =AUTH_ALLOW=. + + #+begin_src c + okay = as->state & AUTH_ALLOW; + #+end_src + + =AUTH_ALLOW= is defined in =login_cap.h=. + + #+begin_src c + #define AUTH_ALLOW (AUTH_OKAY | AUTH_ROOTOKAY | AUTH_SECURE) + #+end_src + + If the status results in a rejection, =auth_clearenv= is called on + =as=. + + =okay= is then returned to the caller. + + + # Write about =auth_getvalue= + + <> + ** COMMENT note --- 
@@ -656,6 +693,18 @@ =fd= and tried to receive a file descriptor. If it receives one and =as->fd= is equal to =-1=, it sets it to the received file descriptor. Otherwise it closes the received file descriptor. + +** _add_rmlist + #+begin_src c + static void _add_rmlist(auth_session_t *as, char *file) + #+end_src + + =_add_rmlist= is used to add to the list of files to be removed + after authentication is complete + + A =rmfiles= struct is allocated and appended to the end of the + =as->rmlist= linked list. + * auth_close =auth_close= is the function responsible for cleaning up the session and taking care of the values returned though the back channel. -- cgit v1.2.3
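Review bot: In the hunk at @@ -14,12 +14,12 @@, "somewhat standardized interfaces" hedges without saying what actually differs between Linux-PAM and OpenPAM; either add a clause naming the divergence (the two man page links are already there to point at) or keep the original "standard interfaces". While the sentence is being touched, "MacOS" is written "macOS" by its vendor.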
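Review bot: In the hunk at @@ -576,13 +574,9 @@, "values defined on =login_cap.h=" should read "values defined in =login_cap.h=". The rewrite also drops the old paragraph's point that the rest of a =BI_AUTH= or =BI_REJECT= line is scanned for qualifiers after the key word; keep one sentence saying so, otherwise the =BI_ROOTOKAY= and =BI_SECURE= cases in the following hunk arrive without setup.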
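Review bot: In the hunk at @@ -597,6 +591,49 @@, the sentence "allowing multiple authorizations, such as a case where both =BI_ROOTOKAY=, resulting in a state of =AUTH_ROOTOKAY=, and =BI_SECURE=, resulting in a state of =AUTH_SECURE= are both sent" is hard to parse; suggest "so a back channel that sends both =BI_ROOTOKAY= and =BI_SECURE= ends with both =AUTH_ROOTOKAY= and =AUTH_SECURE= set in =as->state=". Two gaps in the same hunk: the text never says which state a bare =BI_AUTH= line with no qualifier produces, and "checked against a bitmask to ensure the result is either only accept or only reject" does not say what =auth_call= does when that check fails (what =okay= becomes). The =_add_rmlist(as, line);= snippet passes =line= while the prose says "the file names after the key word are sent", so state whether =line= has already been advanced past =BI_REMOVE= at that point. Lastly, the =# Write about =auth_getvalue== TODO and the =<>= target were moved to the end of the section, so internal links to the target now land past the whole discussion; the double blank line before the TODO should also be collapsed.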
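Review bot: In the hunk at @@ -656,6 +693,18 @@, "=_add_rmlist= is used to add to the list of files to be removed after authentication is complete" is missing its full stop. The description should also say whether the =file= string is copied into the new =rmfiles= node or only referenced, since the caller in the =auth_call= hunk passes =line= from the scan of the spooled data, and the reader needs to know the list stays valid after that buffer goes away. A short pointer to where =as->rmlist= is consumed (the =auth_close= section that follows) would close the loop.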