ref: 370c2a5ee086243da420e5c569b10880d85c05e2
dir: /README/
tlsclient: tlsclient(1) for unix This is a fork of moody's tlsclient(1) (https://shithub.us/moody/tlsclient/HEAD/info.html). The primary change is that BoringSSL is vendored into the build system, so it functions on any platform BoringSSL builds on. It also works fine with standalone compiler environments that have only libc and libc++. It has been tested on OpenBSD 7.0, RHEL 8.5/8.6, Ubunutu 20.04 on arm64, and a statically linked x86_64-linux-musl compiler environment. This repo contains: tlsclient: tlsclient(1) on unix git-remote-hjgit: git remote helper for using hjgit repos. pam_p9.so: A pam module that authenticates against a 9front auth server. login_-dp9ik: An OpenBSD bsd auth executable that auths against a 9front auth server. mount.9ptls: A Linux mount helper that wraps a traditional Linux v9fs in a tlsclient tunnel. Most of the tlsclient code is pillaged from jsdrawterm: https://github.com/aiju/jsdrawterm The main difference between tlsclient and drawterm is that tlsclient has stripped out the plan9 kernel that runs in userspace. This means we use openssl for TLS and don't provide things like /mnt/term, but gain some more flexibility. Usage: tlsclient [ -R ] [ -u user] [ -h host ] [ -a auth ] -p port cmd... Example: tlsclient -R -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient # with git-remote-hjgit in your $PATH git clone hjgit://shithub.us/user/repo # with mount.9ptls in /sbin mount -t 9ptls -o user=moody,port=9090,uid=moody flan n Building: $ make tlsclient ======= OpenBSD: OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does not have the PSK cipher suites for tlsclient. As such, the openssl11 package is required, and a wrapper recipe is provided: $ make tlsclient.obsd Mount Helper: Build: $ make mount.9ptls Install: $ make mount.9ptls.install OpenBSD Authentication: Build: $ make login_-dp9ik Testing: ./login_-dp9ik -d $USER # you will see authenticate/reject print out on stdout # for success/failure. Install: $ cp login_-dp9ik /usr/libexec/auth/ Config: Each user is allowed to specify an auth server within '$HOME/.p9auth'. The file must have no group or other permissions set. Modify the auth-defaults line of /etc/login.conf to use the new executable. This will look something like: auth-defaults:auth=-dp9ik,passwd,skey: Notes: Unless you have a root user in your authdom, it is likely that installing this may lock you out of the root user, logging in with the username 'root:passwd' will authenticate against the system passwd file. See Also: login(1) PAM Authentication: Build: $ make pam_p9.so Install and Config: Many systems configure PAM differently so defer to your OS documentation for where to store pam_p9.so and which pam configuration needs to be changed. Pam_p9.so accepts a single argument within the pam configuration, that being the auth server to use. Something akin to the following should work as additions to a pam configuration. auth sufficent pam_p9.so flan account sufficent pam_p9.so flan With "flan" being the hostname or ip of the desired auth server.