clone: git://shithub.us/moody/tlsclient gits://shithub.us/moody/tlsclient
patches to: email@example.com
on 2021/09/05 11:50
tlsclient: tlsclient(1) for unix
This repo contains:
9cpu: rcpu(1) on unix
tlsclient: tlsclient(1) on unix
git-remote-hjgit: git remote helper for using hjgit repos.
pam_p9.so: A pam module that authenticates against a 9front auth server.
login_-dp9ik: An OpenBSD bsd auth executable that auths against a 9front auth server.
Most of the tlsclient code is pillaged from jsdrawterm: https://github.com/aiju/jsdrawterm
The main difference between tlsclient and drawterm is that tlsclient has stripped out the
plan9 kernel that runs in userspace. This means we use OpenSSL for TLS and don't provide
things like /mnt/term, but gain some more flexibility.
tlsclient [ -R ] [ -u user] [ -h host ] [ -a auth ] -p port cmd...
9cpu [ -u user ] [ -h host ] [ -a auth ] cmd...
9cpu -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient
# with git-remote-hjgit in your $PATH
git clone hjgit://shithub.us/user/repo
OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does
not have PSK cipher suites. Tweak Make.config as required. OpenSSL is
only used for tlsclient and rcpu; login_-dp9ik does not require it.
# Modify "char *authserver" in bsd.c to specify a default auth server
$ make login_-dp9ik
./login_-dp9ik -d -v authserver="my.auth.server"
# you will see authenticate/reject print out on stdout
# for success/failure.
$ cp login_-dp9ik /usr/libexec/auth/
Modify the auth-defaults line of /etc/login.conf
to use the new executable. This will look something like:
OpenBSD requires that all users regardless of
authentication mechanism exist in /etc/passwd.
OpenBSD does not retry with other mechanisms
if one sends a rejection; this means all
users (including root) must exist within the
$ make pam_p9.so
Install and Config:
Many systems configure PAM differently, so defer to your OS
documentation for where to store pam_p9.so and which PAM
configuration needs to be changed. pam_p9.so accepts
a single argument within the PAM configuration, that being
the auth server to use. Something akin to the following
should work as additions to a PAM configuration.
auth sufficient pam_p9.so flan
account sufficient pam_p9.so flan
With "flan" being the hostname or IP of the desired auth server.
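A mistake on an authentication line is easy to miss, so the following added example (not part of this repo) lints PAM lines that load pam_p9.so for a misspelled control flag and for anything other than the single auth server argument. It assumes pam.d-style lines ("type control module [args]"); the function name check_pam_p9 and the sample input are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the tlsclient repo. check_pam_p9 is a made-up name.
# Assumes pam.d-style lines: "type control module [args]". The /etc/pam.conf
# layout, which puts a service name first, is not handled.
check_pam_p9() {
    awk '
    BEGIN {
        # Control keywords Linux-PAM or OpenPAM accept on a module line.
        n = split("required requisite sufficient optional binding", kw, " ")
        for (i = 1; i <= n; i++) ok[kw[i]] = 1
    }
    {
        sub(/#.*/, "")                  # drop comments
        mod = 0
        for (i = 3; i <= NF; i++)
            if ($i == "pam_p9.so" || $i ~ /\/pam_p9\.so$/) { mod = i; break }
        if (!mod) next                  # not a pam_p9.so line

        # Control is one keyword or a bracketed [value=action ...] list.
        ctl = $2
        for (i = 3; i < mod; i++) ctl = ctl " " $i
        if (ctl !~ /^\[.*\]$/ && !(ctl in ok)) {
            printf "line %d: unknown control flag \"%s\"\n", FNR, ctl
            bad = 1
        }
        # pam_p9.so takes a single argument: the auth server.
        if (NF - mod != 1) {
            printf "line %d: expected 1 argument (auth server), got %d\n", FNR, NF - mod
            bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input; "flan" stands for the auth server.
sample='auth sufficient pam_p9.so flan
account sufficent pam_p9.so flan
auth sufficient pam_p9.so
auth [success=done default=ignore] /usr/lib/security/pam_p9.so flan'
printf '%s\n' "$sample" | check_pam_p9 || echo "pam_p9.so lines need fixing"
```

Pass the PAM file to check as an argument, or pipe it in on stdin; the exit status is non-zero when any pam_p9.so line is flagged.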