From 01ad7e5ffc7285811fa138ae49affe119df5db98 Mon Sep 17 00:00:00 2001
From: Dante Catalfamo
Date: Mon, 29 Jun 2020 16:50:54 -0400
Subject: More work on auth post, add headings

---
 .../posts/how-bsd-authentication-works/index.org   | 80 +++++++++++++---------
 1 file changed, 48 insertions(+), 32 deletions(-)

(limited to 'content')

diff --git a/content/posts/how-bsd-authentication-works/index.org b/content/posts/how-bsd-authentication-works/index.org
index 35a3fb4..6eae6a5 100644
--- a/content/posts/how-bsd-authentication-works/index.org
+++ b/content/posts/how-bsd-authentication-works/index.org
@@ -2,13 +2,14 @@
 #+DATE: 2020-06-26T18:31:36-04:00
 #+DRAFT: true
 #+DESCRIPTION:
-#+TAGS[]:
-#+KEYWORDS[]:
+#+TAGS[]: openbsd
+#+KEYWORDS[]: openbsd
 #+SLUG:
 #+SUMMARY:
+#+SHOWTOC: true
 
 [[https://web.archive.org/web/20170327150148/http://www.penzin.net/bsdauth/]]
-
+* History
 OpenBSD is quite different from many other Unix-like operating systems
 in many ways, but one way which I find interesting is the
 authentication system. Most systems from AIX, Solaris, and Linux to
@@ -30,32 +31,41 @@ specifically). The program or script has no ability to interfere with
 the parent and can very easily revoke permissions using =pledge(3)= or
 =unveil(3)=.
 
+* Why
+This one is pretty difficult, since there seems to be very little
+information about how BSD Auth works apart from the source code
+itself. This is my best attempt to understand the flow of BSD Auth
+from what I've read.
+
+
+* BSD Auth Modules
 These programs or scripts are located in =/usr/libexec/auth/= with the
-naming convention =login_<style>=. They typically take arguments in
-the form of
+naming convention =login_<style>=. They take arguments in the form of
 
 #+BEGIN_SRC shell
 login_<style> [-s service] [-v key=value] user [class]
 #+END_SRC
 
-<<here2>>
-
-- =<style>= is the authentication method. This could be =passwd=, =
+- =<style>= is the authentication method. This could be =passwd=,
+  =radius=, =skey=, =yubikey=, etc.
+  - There's more information about available styles in =login.conf(5)=
 - =service= is the service type. Typically authentication methods will
   accept three values here, =login=, =challenge=, or =response=. Some
-  styles take different service arguments, so read the method's man
-  page for details.
-  - =login= is the default method, it's typically
-
-This one is pretty difficult, since there seems to be very little
-information about how BSD Auth works apart from the source code
-itself. This is my best attempt to understand the flow of BSD Auth
-from what I've read.
-
+  styles take different service arguments, read the style's man page
+  for details.
+  - =login= is typically the default method
+- =-v key=value= is an optional argument. This is used to pass extra
+  data to the program under certain circumstances.
+- =user= is the name of the user to be authenticated.
+- =class= is optional and specifies the class of the user to be
+  authenticated.
+
+* Documentation
 All of the high level authentication functions are described in
 =authenticate(3)=, with the lower level functions being described in
 =auth_subr(3)=.
 
+* auth_userokay
 The highest level function, and easiest to use is =auth_userokay=. It
 takes four character arrays as arguments, =name=, =style=, =type=, and
 =password=. It returns either a =0= for failure, of a non-zero value
@@ -67,21 +77,6 @@ This function lives inside =/lib/libc/gen/authenticate.c=
 int auth_userokay(char *name, char *style, char *type, char *password);
 #+END_SRC
 
-The return codes are defined inside of =login_cap.h= as
-
-#+BEGIN_SRC c
-/*
- * bits which can be returned by authenticate()/auth_scan()
- */
-#define  AUTH_OKAY       0x01            /* user authenticated */
-#define  AUTH_ROOTOKAY   0x02            /* authenticated as root */
-#define  AUTH_SECURE     0x04            /* secure login */
-#define  AUTH_SILENT     0x08            /* silent rejection */
-#define  AUTH_CHALLENGE  0x10            /* a challenge was given */
-#define  AUTH_EXPIRED    0x20            /* account expired */
-#define  AUTH_PWEXPIRED  0x40            /* password expired */
-#+END_SRC
-
 - =name= is the name of the user to be authenticated
 - =style= is the login method to be used
   - If =style= is =NULL=, the user's default login style will be
@@ -108,6 +103,8 @@ returns a finished auth session of type =auth_session_t=. It closes
 the auth session using =auth_close= and returns the value returned
 from closing.
 
+* auth_session_t
+
 #+BEGIN_SRC c
 struct auth_session_t {
     char    *name;                 /* name of use being authenticated */
@@ -155,6 +152,7 @@ struct authdata {
 };
 #+END_SRC
 
+* auth_usercheck
 #+BEGIN_SRC c
 auth_session_t *auth_usercheck(char *name, char *style, char *type, char *password)
 #+END_SRC
@@ -182,6 +180,8 @@ the user name, style, login class, and =NULL= char pointer to
 arguments. It then returns the auth session pointer the call
 returns.
 
+* auth_verify
+
 #+BEGIN_SRC c
 auth_session_t *auth_verify(auth_session_t *as, char *style, char *name, ...)
 #+END_SRC
@@ -208,6 +208,7 @@ auth_call(as, path, auth_getitem(as, AUTHV_STYLE), "-s",
     auth_getitem(as, AUTHV_SERVICE), "--", name, (char *)NULL);
 #+END_SRC
 
+* auth_call
 
 #+BEGIN_SRC c
 int auth_call(auth_session_t *as, char *path, ...)
@@ -290,9 +291,24 @@ it continues to scan for any other qualifiers such as =pwexpired= or
 =silent=. The struct's =state= is set to one using the =AUTH_= values
 from =login_cap.h= accordingly.
 
+#+BEGIN_SRC c
+/*
+ * bits which can be returned by authenticate()/auth_scan()
+ */
+#define  AUTH_OKAY       0x01            /* user authenticated */
+#define  AUTH_ROOTOKAY   0x02            /* authenticated as root */
+#define  AUTH_SECURE     0x04            /* secure login */
+#define  AUTH_SILENT     0x08            /* silent rejection */
+#define  AUTH_CHALLENGE  0x10            /* a challenge was given */
+#define  AUTH_EXPIRED    0x20            /* account expired */
+#define  AUTH_PWEXPIRED  0x40            /* password expired */
+#+END_SRC
+
+
 This is the integer returned by
 =auth_userokay=.
 
+* grapgh?
 # Setting env on auth_close(as)
 # partual rewrite below
 
-- 
cgit v1.2.3