shithub: tlsclient

branches: master


clone: git:// gits://
push: hjgit://

Last commit

7adde978 – Jacob Moody <> authored on 2024/05/09 09:24
ci: update openbsd ci


tlsclient: tlsclient(1) for unix

This repo contains:
	tlsclient: tlsclient(1) on unix
	git-remote-hjgit: git remote helper for using hjgit repos. A pam module that authenticates against a 9front auth server.
	login_-dp9ik: An OpenBSD bsd auth executable that auths against a 9front auth server.
	mount.9ptls: A Linux mount helper that wraps a traditional Linux v9fs in a tlsclient tunnel.

Most of the tlsclient code is pillaged from jsdrawterm:
The main difference between tlsclient and drawterm is that tlsclient has stripped out the
plan9 kernel that runs in userspace. This means we use openssl for TLS and don't provide
things like /mnt/term, but gain some more flexibility.

	tlsclient [ -R ] [ -u user] [ -h host ] [ -a auth ] -p port cmd...

	tlsclient -R -u moody -h -a newrepo tlsclient

	# with git-remote-hjgit in your $PATH
	git clone hjgit://

	# with mount.9ptls in /sbin
	mount -t 9ptls -o user=moody,port=9090,uid=moody flan n

	$ make tlsclient

	OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does
	not have the PSK cipher suites for tlsclient. As such, the openssl11
	package is required, and a wrapper recipe is provided:

	$ make tlsclient.obsd

Mount Helper:
		$ make mount.9ptls
		$ make mount.9ptls.install

OpenBSD Authentication:
		$ make login_-dp9ik
		./login_-dp9ik -d $USER
		# you will see authenticate/reject print out on stdout
		# for success/failure.
		$ cp login_-dp9ik /usr/libexec/auth/
		Each user is allowed to specify an auth
		server within '$HOME/.p9auth'. The file must
		have no group or other permissions set.

		Modify the auth-defaults line of /etc/login.conf
		to use the new executable. This will look something like:

		Unless you have a root user in your authdom, it is likely
		that installing this may lock you out of the root user,
		logging in with the username 'root:passwd' will authenticate
		against the system passwd file.
	See Also:

PAM Authentication:
		$ make
	Install and Config:
		Many systems configure PAM differently so defer to your OS
		documentation for where to store and which pam
		configuration needs to be changed. accepts
		a single argument within the pam configuration, that being
		the auth server to use. Something akin to the following
		should work as additions to a pam configuration.

		auth sufficent flan
		account sufficent flan
		With "flan" being the hostname or ip of the desired auth server.