bsd_auth again
Hello,

Perhaps somebody can help me a bit...

Here is a very simple login_-test.c, just to check if everything works:

    #include <stdio.h>
    #include <unistd.h>

    int main (int argc, char **argv)
    {
        char buf[1024] = "";
        int i;

        /* show the arguments the caller passed in */
        for (i = 0; i < argc; i++)
            puts(argv[i]);
        /* read the back channel, leaving room for the terminating NUL */
        read (3, buf, sizeof(buf) - 1);
        puts(buf);
    }

And a very simple calling program, that calls auth_userok, using exactly the way it is called from opensmtpd:

    #include <sys/types.h>
    #include <login_cap.h>
    #include <bsd_auth.h>
    #include <stdio.h>

    int main( )
    {
        /* prints non-zero if authentication succeeded, 0 otherwise */
        printf("%d\n", auth_userokay ("greg", NULL, "auth-smtp", "password"));
    }

As the last accord there are lines in /etc/login.conf:

    auth-smtp:auth=-test:

everything else in the file is left untouched.

As it doesn't seem to be calling login_-test, I think that is because I failed to properly describe what I need in login.conf. What should be done?

Thank you.

--
With best regards,
Gregory Edigarov
Re: bsd_auth again
Gregory Edigarov wrote:
> As it doesn't seem to be calling login_-test, I think that is because I failed to properly describe what I need in login.conf. What should be done?

Tell your user to use that class in vipw?
Re: bsd_auth again
On Mon, May 25, 2009 at 10:47:11AM +0300, Gregory Edigarov wrote:
> Hello,
>
> Perhaps somebody can help me a bit...
>
> Here is a very simple login_-test.c, just to check if everything works:
>
>     #include <stdio.h>
>     #include <unistd.h>
>
>     int main (int argc, char **argv)
>     {
>         char buf[1024] = "";
>         int i;
>
>         /* show the arguments the caller passed in */
>         for (i = 0; i < argc; i++)
>             puts(argv[i]);
>         /* read the back channel, leaving room for the terminating NUL */
>         read (3, buf, sizeof(buf) - 1);
>         puts(buf);
>     }
>
> And a very simple calling program, that calls auth_userok, using exactly the way it is called from opensmtpd:
>
>     #include <sys/types.h>
>     #include <login_cap.h>
>     #include <bsd_auth.h>
>     #include <stdio.h>
>
>     int main( )
>     {
>         /* prints non-zero if authentication succeeded, 0 otherwise */
>         printf("%d\n", auth_userokay ("greg", NULL, "auth-smtp", "password"));
>     }
>
> As the last accord there are lines in /etc/login.conf:
>
>     auth-smtp:auth=-test:
>
> everything else in the file is left untouched.
>
> As it doesn't seem to be calling login_-test, I think that is because I failed to properly describe what I need in login.conf. What should be done?

For one thing (apart from login.conf issues), you do not return an exit code in your program and you do not write anything to fd 3, while login.conf says:

    In order for authentication to be successful, the authentication
    program must exit with a value of 0 as well as provide an authorize
    or authorize root statement on file descriptor 3.

First of all, start READING and UNDERSTANDING login.conf and study the existing authentication programs' source code. Probably login_reject is a good place to start.

And a word of advice: before you attempt writing a bsd_auth login script, you better understand what you are doing. Otherwise you almost certainly will create a hole. This is no place for trial and error.

-Otto
Re: bsd_auth again
Otto Moerbeek wrote:
> On Mon, May 25, 2009 at 10:47:11AM +0300, Gregory Edigarov wrote:
> > Hello,
> >
> > Perhaps somebody can help me a bit...
> >
> > Here is a very simple login_-test.c, just to check if everything works:
> >
> >     #include <stdio.h>
> >     #include <unistd.h>
> >
> >     int main (int argc, char **argv)
> >     {
> >         char buf[1024] = "";
> >         int i;
> >
> >         /* show the arguments the caller passed in */
> >         for (i = 0; i < argc; i++)
> >             puts(argv[i]);
> >         /* read the back channel, leaving room for the terminating NUL */
> >         read (3, buf, sizeof(buf) - 1);
> >         puts(buf);
> >     }
> >
> > And a very simple calling program, that calls auth_userok, using exactly the way it is called from opensmtpd:
> >
> >     #include <sys/types.h>
> >     #include <login_cap.h>
> >     #include <bsd_auth.h>
> >     #include <stdio.h>
> >
> >     int main( )
> >     {
> >         /* prints non-zero if authentication succeeded, 0 otherwise */
> >         printf("%d\n", auth_userokay ("greg", NULL, "auth-smtp", "password"));
> >     }
> >
> > As the last accord there are lines in /etc/login.conf:
> >
> >     auth-smtp:auth=-test:
> >
> > everything else in the file is left untouched.
> >
> > As it doesn't seem to be calling login_-test, I think that is because I failed to properly describe what I need in login.conf. What should be done?
>
> For one thing (apart from login.conf issues), you do not return an exit code in your program and you do not write anything to fd 3, while login.conf says:
>
>     In order for authentication to be successful, the authentication
>     program must exit with a value of 0 as well as provide an authorize
>     or authorize root statement on file descriptor 3.
>
> First of all, start READING and UNDERSTANDING login.conf and study the existing authentication programs' source code. Probably login_reject is a good place to start.
>
> And a word of advice: before you attempt writing a bsd_auth login script, you better understand what you are doing. Otherwise you almost certainly will create a hole. This is no place for trial and error.
>
> -Otto

Otto,

As I've written above, it is just an experiment, in order to understand and write a bigger script that will do _ALL_ the necessary things, and will be as secure as possible.

--
With best regards,
Gregory Edigarov
Re: bsd_auth again
Otto Moerbeek wrote:
> On Mon, May 25, 2009 at 10:47:11AM +0300, Gregory Edigarov wrote:
> > Hello,
> >
> > Perhaps somebody can help me a bit...
> >
> > Here is a very simple login_-test.c, just to check if everything works:
> >
> >     #include <stdio.h>
> >     #include <unistd.h>
> >
> >     int main (int argc, char **argv)
> >     {
> >         char buf[1024] = "";
> >         int i;
> >
> >         /* show the arguments the caller passed in */
> >         for (i = 0; i < argc; i++)
> >             puts(argv[i]);
> >         /* read the back channel, leaving room for the terminating NUL */
> >         read (3, buf, sizeof(buf) - 1);
> >         puts(buf);
> >     }
> >
> > And a very simple calling program, that calls auth_userok, using exactly the way it is called from opensmtpd:
> >
> >     #include <sys/types.h>
> >     #include <login_cap.h>
> >     #include <bsd_auth.h>
> >     #include <stdio.h>
> >
> >     int main( )
> >     {
> >         /* prints non-zero if authentication succeeded, 0 otherwise */
> >         printf("%d\n", auth_userokay ("greg", NULL, "auth-smtp", "password"));
> >     }
> >
> > As the last accord there are lines in /etc/login.conf:
> >
> >     auth-smtp:auth=-test:
> >
> > everything else in the file is left untouched.
> >
> > As it doesn't seem to be calling login_-test, I think that is because I failed to properly describe what I need in login.conf. What should be done?
>
> For one thing (apart from login.conf issues), you do not return an exit code in your program and you do not write anything to fd 3, while login.conf says:
>
>     In order for authentication to be successful, the authentication
>     program must exit with a value of 0 as well as provide an authorize
>     or authorize root statement on file descriptor 3.
>
> First of all, start READING and UNDERSTANDING login.conf and study the existing authentication programs' source code. Probably login_reject is a good place to start.
>
> And a word of advice: before you attempt writing a bsd_auth login script, you better understand what you are doing. Otherwise you almost certainly will create a hole. This is no place for trial and error.

Also Otto, the question I've asked was about how to correctly connect the would-be script to the authentication mechanism in the login.conf file. It was not about the quality of my code. The code is purely experimental, and will not even go into the real script.

--
With best regards,
Gregory Edigarov