ref: 24150b117110e982496b10c2f1dfef329160a36a
parent: 3b835a1d2398b4ddfc590e24ff6f81f3051e6e61
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sat Feb 13 12:24:59 EST 2016
tlssrv: add -A flag to skip changing user after authentication (usefull for aan)
--- a/sys/man/8/tlssrv
+++ b/sys/man/8/tlssrv
@@ -8,7 +8,7 @@
.B -D
]
[
-.B -a
+.BR - [ aA ]
[
.B -k
.I keyspec
@@ -89,12 +89,16 @@
is mainly used for logging.
If the
.B -a
+or
+.B -A
flag is specified,
.B p9any
authentication is run before the TLS handshake and the resulting
plan9 session secret is used as a pre-shared key for TLS encryption.
This enables the use of TLS without certificates and also runs
-the server command as the authorized user.
+the server command as the authorized user when the
+.B -a
+flag was specified.
.PP
.I Tlsclient
is the reverse of
--- a/sys/src/cmd/tlssrv.c
+++ b/sys/src/cmd/tlssrv.c
@@ -32,7 +32,7 @@
void
usage(void)
{
- fprint(2, "usage: tlssrv [-a [-k keyspec]] [-c cert] [-D] [-l logfile] [-r remotesys] cmd [args...]\n");
+ fprint(2, "usage: tlssrv [-D] -[aA] [-k keyspec]] [-c cert] [-l logfile] [-r remotesys] cmd [args...]\n");
fprint(2, " after auth/secretpem key.pem > /mnt/factotum/ctl\n");
exits("usage");
}
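Review bot: The new usage string in `usage()` has unbalanced brackets: `-[aA] [-k keyspec]]` closes a group that was never opened, so the authentication flag reads as mandatory and the synopsis no longer matches the man page's `[ -[aA] [ -k keyspec ] ]`. Since this text is what an operator sees when choosing between the user-switching and non-switching modes, it should be exact: `fprint(2, "usage: tlssrv [-D] [-[aA] [-k keyspec]] [-c cert] [-l logfile] [-r remotesys] cmd [args...]\n");`.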
@@ -50,8 +50,11 @@
debug++;
break;
case 'a':
- auth++;
+ auth = 1;
break;
+ case 'A':
+ auth = -1; /* authenticate, but dont change user */
+ break;
case 'k':
keyspec = EARGF(usage());
break;
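Review bot: The comment on `case 'A'` does not state the security consequence of `auth = -1`. The later `if(auth == 1)` guard skips `auth_chuid`, so the server command keeps whatever identity tlssrv was started with, and the peer's p9any identity only keys the TLS session. I would spell that out, e.g. `/* p9any supplies the TLS pre-shared key only; cmd keeps tlssrv's own user, no auth_chuid */`. The three states are also magic numbers (0, 1, -1), and any plain `if(auth)` test elsewhere in `main` (outside this hunk, so not checked here) is true for both modes. A small `enum { Noauth, Authchuid, Authonly };` would make each test say which mode it means. The switch statement starts and ends outside the hunk.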
@@ -82,6 +85,7 @@
if(ai == nil)
sysfatal("auth_proxy: %r");
+ if(auth == 1)
if(auth_chuid(ai, nil) < 0)
sysfatal("auth_chuid: %r");