ref: a0f49f0e75230dbd1bf4c8e1de4b4098cdc8794a
parent: 0c9cb17126859a6121dd5d79a4e1d664e4e9ba48
author: Jacob Moody <[email protected]>
date: Tue Jul 12 20:28:27 EDT 2022
hopefully the last round of obsd build tweaks
--- a/Make.config
+++ b/Make.config
@@ -3,6 +3,4 @@
CFLAGS=-Wall -Wno-missing-braces -Wno-parentheses -ggdb -I$(ROOT) -I$(ROOT)/include -c -D_THREAD_SAFE -O2 -fPIC
O=o
PREFIX ?= /usr
-
-# For OpenBSD use 'eopenssl11'
OPENSSL ?= openssl
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,4 @@
ROOT=.
-
include ./Make.config
LIBS=\
@@ -12,7 +11,7 @@
default: tlsclient
tlsclient: cpu.$O $(LIBS)
- $(CC) `pkg-config $(OPENSSL) --libs` -o $@ cpu.$O $(LIBS)
+ $(CC) `pkg-config $(OPENSSL) --libs` $(LDFLAGS) -o $@ cpu.$O $(LIBS)
login_-dp9ik: bsd.$O $(LIBS)
$(CC) -o $@ bsd.$O $(LIBS)
@@ -43,10 +42,14 @@
rm -f *.o lib*/*.o lib*/*.a tlsclient pam_p9.so login_-dp9ik
linux.tar.gz: tlsclient pam_p9.so tlsclient.1
- tar c $^ | gzip > $@
+ tar cf - $^ | gzip > $@
-obsd.tar.gz: tlsclient login_-dp9ik tlsclient.1
- tar c $^ | gzip > $@
+tlsclient.obsd: login_-dp9ik
+ OPENSSL=eopenssl11 LDFLAGS="$(LDFLAGS) -Xlinker --rpath=/usr/local/lib/eopenssl11/" $(MAKE) tlsclient
+ mv tlsclient tlsclient.obsd
+
+obsd.tar.gz: tlsclient.obsd tlsclient.1
+ tar cf - tlsclient login_-dp9ik tlsclient.1 | gzip > $@
.PHONY: tlsclient.install
tlsclient.install: tlsclient tlsclient.1
--- a/README
+++ b/README
@@ -14,41 +14,48 @@
Usage:
tlsclient [ -R ] [ -u user] [ -h host ] [ -a auth ] -p port cmd...
- 9cpu [ -u user ] [ -h host ] [ -a auth ] cmd...
Example:
- 9cpu -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient
+ tlsclient -R -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient
# with git-remote-hjgit in your $PATH
git clone hjgit://shithub.us/user/repo
+Building:
+ $ make tlsclient
+
OpenBSD:
OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does
- not have PSK cipher suites. Tweak Make.config as required. Openssl is
- only used for tlsclient and rcpu, login_-dp9ik does not require it.
+ not have the PSK cipher suites for tlsclient. As such, the openssl11
+ package is required, and a wrapper recipe is provided:
+ $ make tlsclient.obsd
+
OpenBSD Authentication:
Build:
- # Modify "char *authserver" in bsd.c to specify a default auth server
$ make login_-dp9ik
Testing:
- ./login_-dp9ik -d -v authserver="my.auth.server"
+ ./login_-dp9ik -d $USER
# you will see authenticate/reject print out on stdout
# for success/failure.
Install:
$ cp login_-dp9ik /usr/libexec/auth/
Config:
+ Each user is allowed to specify an auth
+ server within '$HOME/.p9auth'. The file must
+ have no group or other permissions set.
+
Modify the auth-defaults line of /etc/login.conf
to use the new executable. This will look something like:
auth-defaults:auth=-dp9ik,passwd,skey:
Notes:
- OpenBSD requires that all users regardless of
- authentication mechanism exist in /etc/passwd.
- OpenBSD does not retry with other mechanisms
- if one sends a rejection, this means all
- users(including root) must exist within the
- auth server.
+ Unless you have a root user in your authdom, it is likely
+ that installing this may lock you out of the root user,
+ logging in with the username 'root:passwd' will authenticate
+ against the system passwd file.
+ See Also:
+ login(1)
PAM Authentication:
Build: