ref: dce45f38c8308048d849ede9128a8656e6b2889d
parent: d253ae959d6c505d4a93a981ea097bf7b89442a1
author: Jacob Moody <[email protected]>
date: Sat Sep 4 15:06:56 EDT 2021
add login_-dp9ik
--- a/Make.config
+++ b/Make.config
@@ -1,9 +1,12 @@
AR=ar
RANLIB=ranlib
-CC=gcc
CFLAGS=-Wall -Wno-missing-braces -Wno-parentheses -ggdb -I$(ROOT) -I$(ROOT)/include -c -D_THREAD_SAFE -O2 -fPIC
O=o
LDADD=
TARG=tlsclient
+
+# For OpenBSD switch these two following lines
+OPENSSL=openssl
+#OPENSSL=eopnssl11
all: default
--- a/Makefile
+++ b/Makefile
@@ -12,13 +12,16 @@
default: $(TARG)
$(TARG): $(LIBS) $(OFILES)
- $(CC) `pkg-config openssl --libs` $(LDFLAGS) -o $(TARG) $(OFILES) $(LIBS) $(LDADD)
+ $(CC) `pkg-config $(OPENSSL) --libs` $(LDFLAGS) -o $(TARG) $(OFILES) $(LIBS) $(LDADD)
+login_-dp9ik: $(LIBS) p9any.$O bsd.$O
+ $(CC) -o login_-dp9ik p9any.$O bsd.$O $(LIBS)
+
pam_p9.so: $(LIBS) p9any.$O pam.$O
$(CC) -shared -o pam_p9.so p9any.$O pam.$O $(LIBS)
cpu.$O: cpu.c
- $(CC) `pkg-config openssl --cflags` $(CFLAGS) cpu.c -o cpu.o
+ $(CC) `pkg-config $(OPENSSL) --cflags` $(CFLAGS) cpu.c -o cpu.o
p9any.$O: p9any.c
$(CC) $(CFLAGS) p9any.c -o p9any.o
@@ -26,9 +29,12 @@
pam.$O: pam.c
$(CC) $(CFLAGS) pam.c -o pam.o
+bsd.$O: bsd.c
+ $(CC) $(CFLAGS) bsd.c -o bsd.o
+
.PHONY: clean
clean:
- rm -f *.o */*.o */*.a *.a $(TARG) pam_p9.so
+ rm -f *.o */*.o */*.a *.a $(TARG) pam_p9.so login_-dp9ik
.PHONY: libauthsrv/libauthsrv.a
libauthsrv/libauthsrv.a:
--- a/README
+++ b/README
@@ -5,6 +5,7 @@
tlsclient: tlsclient(1) on unix
git-remote-hjgit: git remote helper for using hjgit repos.
pam_p9.so: A pam module that authenticates against a 9front auth server.
+ login_-dp9ik: An OpenBSD bsd auth executable that auths against a 9front auth server.
Most of the tlsclient code is pillaged from jsdrawterm: https://github.com/aiju/jsdrawterm
The main difference between tlsclient and drawterm is that tlsclient has stripped out the
@@ -20,3 +21,7 @@
# with git-remote-hjgit in your $PATH
git clone hjgit://shithub.us/user/repo
+
+OpenBSD:
+ OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does
+ have all we need. Tweak Make.config as needed.
--- /dev/null
+++ b/bsd.c
@@ -1,0 +1,143 @@
+#include <sys/types.h>
+#include <sys/resource.h>
+
+#include <errno.h>
+#include <pwd.h>
+#include <readpassphrase.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <util.h>
+#include <login_cap.h>
+
+#undef login
+
+#include <u.h>
+#include <args.h>
+#include <libc.h>
+#include <auth.h>
+#include <authsrv.h>
+#include <libsec.h>
+
+#include "fncs.h"
+
+char *authserver;
+
+int
+main(int argc, char *argv[])
+{
+ FILE *back = NULL;
+ char *class = NULL, *username = NULL, *wheel = NULL;
+ char response[1024], pbuf[1024], *pass = "";
+ int ch, mode = 0, lastchance = 0, fd = -1;
+ AuthInfo *ai;
+
+ (void)signal(SIGQUIT, SIG_IGN);
+ (void)signal(SIGINT, SIG_IGN);
+ (void)setpriority(PRIO_PROCESS, 0, 0);
+
+ openlog(NULL, LOG_ODELAY, LOG_AUTH);
+
+ while ((ch = getopt(argc, argv, "ds:v:")) != -1) {
+ switch (ch) {
+ case 'd':
+ back = stdout;
+ break;
+ case 's': /* service */
+ if (strcmp(optarg, "login") == 0)
+ mode = 0;
+ else if (strcmp(optarg, "challenge") == 0)
+ mode = 1;
+ else if (strcmp(optarg, "response") == 0)
+ mode = 2;
+ else {
+ syslog(LOG_ERR, "%s: invalid service", optarg);
+ exit(1);
+ }
+ break;
+ case 'v':
+ if (strncmp(optarg, "wheel=", 6) == 0)
+ wheel = optarg + 6;
+ else if (strncmp(optarg, "lastchance=", 11) == 0)
+ lastchance = (strcmp(optarg + 11, "yes") == 0);
+ else if (strncmp(optarg, "authserver=", 11) == 0)
+ authserver = optarg + 11;
+ break;
+ default:
+ syslog(LOG_ERR, "usage error");
+ exit(1);
+ }
+ }
+
+ switch (argc - optind) {
+ case 2:
+ class = argv[optind + 1];
+ /* FALLTHROUGH */
+ case 1:
+ username = argv[optind];
+ break;
+ default:
+ syslog(LOG_ERR, "usage error");
+ exit(1);
+ }
+
+ if (back == NULL && (back = fdopen(3, "r+")) == NULL) {
+ syslog(LOG_ERR, "reopening back channel: %m");
+ exit(1);
+ }
+ if (wheel != NULL && strcmp(wheel, "yes") != 0) {
+ fprintf(back, BI_VALUE " errormsg %s\n",
+ "you are not in group wheel");
+ fprintf(back, BI_REJECT "\n");
+ exit(1);
+ }
+
+ if (mode == 1) {
+ fprintf(back, BI_SILENT "\n");
+ exit(0);
+ }
+
+ (void)setpriority(PRIO_PROCESS, 0, -4);
+
+ if (mode == 2) {
+ mode = 0;
+ ch = -1;
+ while (++ch < sizeof(response) &&
+ read(3, &response[ch], 1) == 1) {
+ if (response[ch] == '\0' && ++mode == 2)
+ break;
+ if (response[ch] == '\0' && mode == 1)
+ pass = response + ch + 1;
+ }
+ if (mode < 2) {
+ syslog(LOG_ERR, "protocol error on back channel");
+ exit(1);
+ }
+ } else {
+ pass = readpassphrase("Password:", pbuf, sizeof(pbuf),
+ RPP_ECHO_OFF);
+ }
+
+ if (pass == NULL){
+ fprintf(back, BI_REJECT "\n");
+ exit(1);
+ }
+
+ fd = unix_dial(authserver, "17019");
+ if(fd < 0){
+ fprintf(back, BI_REJECT "\n");
+ exit(1);
+ }
+
+ ai = p9any(username, pass, fd);
+ if(ai == nil){
+ fprintf(back, BI_REJECT "\n");
+ exit(1);
+ }
+
+ fprintf(back, BI_AUTH "\n");
+ exit(0);
+}
--- a/include/auth.h
+++ b/include/auth.h
@@ -91,8 +91,6 @@
extern int noworld(char*);
extern int amount(int, char*, int, char*);
-extern int login(char*, char*, char*);
-
typedef struct Attr Attr;
enum {
AttrNameval, /* name=val -- when matching, must have name=val */