ref: 11d45ecec19179616e11589d078c2c53d102646c
parent: 5ca0f0875e0762d2c34ce0f5450ffba585e413f0
parent: bf1166558a633c47495e14f2c8666fa05b3d2599
author: B. Atticus Grobe <grobe0ba@gmail.com>
date: Wed Jul 13 21:20:03 EDT 2022
Merge branch 'master' of git://shithub.us/moody/tlsclient
--- a/.builds/obsd.yml
+++ b/.builds/obsd.yml
@@ -4,10 +4,8 @@
packages:
- "openssl-1.1.1k"
artifacts:
- - tlsclient/tlsclient-obsd.tar.gz
+ - tlsclient/obsd.tar.gz
tasks:
- build: |
cd tlsclient
- sed -i '/^OPENSSL/d' Make.config
- sed -i 's/#OPENSSL/OPENSSL/g' Make.config
- make -j $(sysctl -n hw.ncpu) obsddist
+ OPENSSL=eopenssl11 make -j $(sysctl -n hw.ncpu) obsd.tar.gz
--- a/.builds/pam.yml
+++ b/.builds/pam.yml
@@ -2,8 +2,8 @@
sources:
- https://git.sr.ht/~moody/tlsclient
artifacts:
- - tlsclient/tlsclient.tar.gz
+ - tlsclient/linux.tar.gz
tasks:
- build: |
cd tlsclient
- make -j $(nproc) linuxdist
+ make -j $(nproc) linux.tar.gz
--- a/9cpu
+++ /dev/null
@@ -1,33 +1,0 @@
-#!/bin/sh
-
-auth=$AUTH
-user=$USER
-cpu=$CPU
-
-while :; do
- case $1 in
- -a)
- auth=$2
- shift
- ;;
- -u)
- user=$2
- shift
- ;;
- -h)
- cpu=$2
- shift
- ;;
- *)
- break;
- esac
- shift
-done
-
-cmd="rc -i"
-
-if [ "$#" -ne 0 ]; then
- cmd=$*
-fi
-
-USER=$user AUTH=$auth CPU=$cpu tlsclient -R $cmd
--- a/Make.config
+++ b/Make.config
@@ -7,3 +7,5 @@
all: default
+PREFIX ?= /usr
+OPENSSL ?= openssl
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,4 @@
ROOT=.
-
include ./Make.config
LIBS=\
@@ -10,23 +9,24 @@
third_party/boringssl/libcrypto.a\
third_party/boringssl/libssl.a
+default: tlsclient
OFILES=cpu.$O p9any.$O
default: $(TARG)
$(TARG): $(LIBS) $(OFILES)
- $(CXX) -pthread -Lthird_party/boringssl -Wl,--start-group -lcrypto -lssl -Wl,--end-group $(LDFLAGS) -o $(TARG) $(OFILES) -Wl,--start-group $(LIBS) -Wl,--end-group $(LDADD)
+ $(CXX) -pthread -Lthird_party/boringssl $(LDFLAGS) -o $(TARG) $(OFILES) -Wl,--start-group $(LIBS) -Wl,--end-group $(LDADD)
-login_-dp9ik: $(LIBS) p9any.$O bsd.$O
- $(CC) -o login_-dp9ik p9any.$O bsd.$O $(LIBS)
+login_-dp9ik: bsd.$O $(LIBS)
+ $(CC) -o $@ bsd.$O $(LIBS)
-pam_p9.so: $(LIBS) p9any.$O pam.$O
- $(CC) -shared -o pam_p9.so p9any.$O pam.$O $(LIBS)
+pam_p9.so: pam.$O $(LIBS)
+ $(CC) -shared -o $@ pam.$O $(LIBS)
cpu.$O: cpu.c
$(CC) -Ithird_party/boringssl/src/include $(CFLAGS) cpu.c -o cpu.o
-p9any.$O: p9any.c
- $(CC) $(CFLAGS) p9any.c -o p9any.o
+%.$O: %.c
+ $(CC) $(CFLAGS) $< -o $@
pam.$O: pam.c
$(CC) $(CFLAGS) pam.c -o pam.o
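Review bot: The added `default: tlsclient` sits two lines above the existing `default: $(TARG)`, so the default goal now has two rule headers; when Make.config sets `TARG` to `tlsclient` the new line is redundant, and when it does not, a bare `make` builds two programs. Keep one of them, e.g. drop the new line or fold it into `default: $(TARG)` after checking what `TARG` is. The new `%.$O: %.c` pattern rule also makes the explicit `pam.$O: pam.c` rule at the bottom redundant (`cpu.$O` still needs its own rule for the extra `-I`), and every compile recipe here omits `-c`, so compilation presumably relies on `-c` hiding inside `$(CFLAGS)` — then `make CFLAGS=-g` turns each object rule into a failed link; put it in the recipe instead: `$(CC) $(CFLAGS) -c $< -o $@`.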
@@ -43,15 +43,12 @@
libauthsrv/libauthsrv.a:
(cd libauthsrv; $(MAKE))
-.PHONY: libmp/libmp.a
libmp/libmp.a:
(cd libmp; $(MAKE))
-.PHONY: libc/libc.a
libc/libc.a:
(cd libc; $(MAKE))
-.PHONY: libsec/libsec.a
libsec/libsec.a:
(cd libsec; $(MAKE))
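Review bot: Removing the `.PHONY` declarations on `libmp/libmp.a`, `libc/libc.a` and `libsec/libsec.a` means the top-level make no longer descends into those directories once the archives exist, so an edit to a library source (libsec presumably holds the crypto primitives) links silently against a stale `.a` until someone runs `make clean`. If the intent was to stop the relink on every build, give the archives real prerequisites instead, e.g. `libsec/libsec.a: $(wildcard libsec/*.c libsec/*.h)`, which lets make skip the recursion only when nothing changed. The `libauthsrv/libauthsrv.a` rule at the top of the hunk has the same shape, so whichever fix is chosen should cover all four.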
@@ -67,6 +64,26 @@
tar cf tlsclient.tar tlsclient pam_p9.so 9cpu
gzip tlsclient.tar
-obsddist: tlsclient login_-dp9ik 9cpu
- tar cf tlsclient-obsd.tar tlsclient 9cpu login_-dp9ik
- gzip tlsclient-obsd.tar
+linux.tar.gz: tlsclient pam_p9.so tlsclient.1
+ tar cf - tlsclient pam_p9.so tlsclient.1 | gzip > $@
+
+tlsclient.obsd:
+ OPENSSL=eopenssl11 LDFLAGS="$(LDFLAGS) -Xlinker --rpath=/usr/local/lib/eopenssl11/" $(MAKE) tlsclient
+ mv tlsclient tlsclient.obsd
+
+obsd.tar.gz: tlsclient.obsd login_-dp9ik tlsclient.1
+ tar cf - tlsclient.obsd login_-dp9ik tlsclient.1 | gzip > $@
+
+.PHONY: tlsclient.install
+tlsclient.install: tlsclient tlsclient.1
+ cp tlsclient $(PREFIX)/bin
+ cp tlsclient.1 $(PREFIX)/man/man1/
+
+.PHONY: tlsclient.obsd.install
+tlsclient.obsd.install: tlsclient.obsd login_-dp9ik tlsclient.1
+ install tlsclient.obsd $(PREFIX)/bin/tlsclient
+ install tlsclient.1 $(PREFIX)/man/man1/
+ install -d $(PREFIX)/libexec/auth
+ install -g auth login_-dp9ik $(PREFIX)/libexec/auth/
+ install -d $(PREFIX)/libexec/git
+ install git-remote-hjgit $(PREFIX)/libexec/git
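Review bot: `tlsclient.obsd` has no prerequisites and is not `.PHONY`, so once the file exists `make obsd.tar.gz` never rebuilds it and the tarball can ship a stale binary after source changes; `.PHONY: tlsclient.obsd` (the recursive `$(MAKE) tlsclient` then decides what is out of date) or listing `cpu.c $(LIBS)` as prerequisites fixes that. The recipe also builds into `tlsclient` and then `mv`s it away, clobbering any native build of that target and leaving `tlsclient.install` thinking it must rebuild. `tlsclient.install` copies with `cp` while the obsd variant uses `install`; `install -m 0755 tlsclient $(PREFIX)/bin/` gives both the same mode semantics, and a `$(DESTDIR)` prefix on each destination would let packagers stage the install. For `login_-dp9ik`, the stock OpenBSD login helpers are installed root:auth with mode 0555 (BINMODE in bsd.prog.mk), so consider `install -g auth -m 0555` on that line.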
--- a/README
+++ b/README
@@ -14,41 +14,48 @@
Usage:
tlsclient [ -R ] [ -u user] [ -h host ] [ -a auth ] -p port cmd...
- 9cpu [ -u user ] [ -h host ] [ -a auth ] cmd...
Example:
- 9cpu -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient
+ tlsclient -R -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient
# with git-remote-hjgit in your $PATH
git clone hjgit://shithub.us/user/repo
+Building:
+ $ make tlsclient
+
OpenBSD:
OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does
- not have PSK cipher suites. Tweak Make.config as required. Openssl is
- only used for tlsclient and rcpu, login_-dp9ik does not require it.
+ not have the PSK cipher suites for tlsclient. As such, the openssl11
+ package is required, and a wrapper recipe is provided:
+ $ make tlsclient.obsd
+
OpenBSD Authentication:
Build:
- # Modify "char *authserver" in bsd.c to specify a default auth server
$ make login_-dp9ik
Testing:
- ./login_-dp9ik -d -v authserver="my.auth.server"
+ ./login_-dp9ik -d $USER
# you will see authenticate/reject print out on stdout
# for success/failure.
Install:
$ cp login_-dp9ik /usr/libexec/auth/
Config:
+ Each user is allowed to specify an auth
+ server within '$HOME/.p9auth'. The file must
+ have no group or other permissions set.
+
Modify the auth-defaults line of /etc/login.conf
to use the new executable. This will look something like:
auth-defaults:auth=-dp9ik,passwd,skey:
Notes:
- OpenBSD requires that all users regardless of
- authentication mechanism exist in /etc/passwd.
- OpenBSD does not retry with other mechanisms
- if one sends a rejection, this means all
- users(including root) must exist within the
- auth server.
+ Unless you have a root user in your authdom, it is likely
+ that installing this may lock you out of the root user,
+ logging in with the username 'root:passwd' will authenticate
+ against the system passwd file.
+ See Also:
+ login(1)
PAM Authentication:
Build:
--- a/bsd.c
+++ b/bsd.c
@@ -32,6 +32,7 @@
#include <sys/types.h>
#include <sys/resource.h>
+#include <sys/stat.h>
#include <errno.h>
#include <pwd.h>
@@ -62,10 +63,14 @@
main(int argc, char *argv[])
{
FILE *back = NULL;
- char *class = NULL, *username = NULL, *wheel = NULL;
+ char *username = NULL, *wheel = NULL;
char response[1024], pbuf[1024], *pass = "";
- int ch, mode = 0, lastchance = 0, fd = -1;
+ char authconf[1024];
+ int n, afd;
+ int ch, mode = 0, fd = -1;
AuthInfo *ai;
+ struct stat sb;
+ char *p;
(void)signal(SIGQUIT, SIG_IGN);
(void)signal(SIGINT, SIG_IGN);
@@ -93,10 +98,6 @@
case 'v':
if (strncmp(optarg, "wheel=", 6) == 0)
wheel = optarg + 6;
- else if (strncmp(optarg, "lastchance=", 11) == 0)
- lastchance = (strcmp(optarg + 11, "yes") == 0);
- else if (strncmp(optarg, "authserver=", 11) == 0)
- authserver = optarg + 11;
break;
default:
syslog(LOG_ERR, "usage error");
@@ -106,8 +107,6 @@
switch (argc - optind) {
case 2:
- class = argv[optind + 1];
- /* FALLTHROUGH */
case 1:
username = argv[optind];
break;
@@ -120,6 +119,39 @@
syslog(LOG_ERR, "reopening back channel: %m");
exit(1);
}
+
+ snprint(authconf, sizeof authconf, "/home/%s/.p9auth", username);
+ afd = open(authconf, OREAD);
+ if(afd < 0){
+ fprintf(back, BI_REJECT " errormsg %s\n",
+ "user does not have an authserver configured");
+ exit(0);
+ }
+ if(fstat(afd, &sb) < 0){
+ syslog(LOG_ERR, "could not stat: %m");
+ exit(1);
+ }
+ if(sb.st_mode & 077 != 0){
+ fprintf(back, BI_REJECT " errormsg %s\n",
+ "user authserver has improper permissions");
+ exit(0);
+ }
+ n = read(afd, authconf, sizeof authconf - 1);
+ if(n < 0){
+ fprintf(back, BI_REJECT " errormsg %s\n",
+ "could not read");
+ exit(1);
+ }
+ authserver = malloc(n+1);
+ if(authserver == NULL){
+ syslog(LOG_ERR, "oom");
+ exit(1);
+ }
+ memmove(authserver, authconf, n);
+ authserver[n] = '\0';
+ if((p = strchr(authserver, '\n')) != NULL)
+ *p = '\0';
+
if (wheel != NULL && strcmp(wheel, "yes") != 0) {
fprintf(back, BI_VALUE " errormsg %s\n",
"you are not in group wheel");
--- a/cpu.c
+++ b/cpu.c
@@ -1,6 +1,3 @@
-/*
- * cpu.c - Make a connection to a cpu server
- */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
@@ -23,6 +20,8 @@
char *authserver;
static char *user, *pass;
+char *shell[] = {"rc", "-i"};
+
SSL_CTX *ssl_ctx;
SSL *ssl_conn;
@@ -42,9 +41,6 @@
return nsecret;
}
-/*
- * p9any authentication followed by tls-psk encryption
- */
static int
p9authtls(int fd)
{
@@ -51,6 +47,7 @@
ai = p9any(user, pass, fd);
if(ai == nil)
sysfatal("can't authenticate");
+ memset(pass, 0, strlen(pass));
SSL_set_fd(ssl_conn, fd);
if(SSL_connect(ssl_conn) < 0)
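Review bot: `memset(pass, 0, strlen(pass));` is a dead store from the compiler's point of view if `pass` is not read again, so it may be optimized away and the password stays in memory; use `explicit_bzero(pass, strlen(pass));` (available on OpenBSD and glibc 2.25+, the two targets this tree builds for) or write through a `volatile` pointer. If `pass` can be nil when p9any() is called (its contract is outside the hunk), `strlen` here faults, so guard it with `if(pass != nil)`. The wipe also runs only on success; moving it above the `if(ai == nil)` check covers the `sysfatal` path too, which costs nothing since p9any() has already consumed the password.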
@@ -59,6 +56,9 @@
return fd;
}
+//clean exit signal handler
+void suicide(int num) { exit(0); }
+
typedef size_t (*iofunc)(int, void*, size_t);
size_t tls_send(int f, void *b, size_t n) { return SSL_write(ssl_conn, b, n); }
size_t tls_recv(int f, void *b, size_t n) { return SSL_read(ssl_conn, b, n); }
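Review bot: `void suicide(int num) { exit(0); }` calls exit(3) from a signal handler, which is not async-signal-safe: the handler fires while the interrupted half of the process may be inside SSL_write/SSL_read or stdio, and exit() then runs atexit handlers and flushes stdio from that context. Use `_exit(0)` instead (the handler is installed in a hunk below, so this is the only body to change), and make the function `static` since nothing outside cpu.c needs it.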
@@ -71,11 +71,8 @@
char buf[12*1024];
size_t n;
- while((n = recvf(from, buf, sizeof buf)) > 0){
- if(sendf(to, buf, n) < 0)
- break;
- }
-
+ while((n = recvf(from, buf, sizeof buf)) > 0 && sendf(to, buf, n) == n)
+ ;
}
void
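Review bot: The rewritten loop `while((n = recvf(from, buf, sizeof buf)) > 0 && sendf(to, buf, n) == n)` still compares a `size_t` (the `iofunc` typedef returns `size_t`) against zero, so when SSL_read or the socket read fails with -1 the value becomes SIZE_MAX, `> 0` holds, and `sendf(to, buf, SIZE_MAX)` is asked to send far past the 12 KiB `buf` — on the plain-descriptor side that is a write(2) of stack memory beyond the buffer, which can leak whatever sits above `buf` to the local command or output. It also treats any short write as fatal, whereas a partial write(2) is legal on the socket side and should be resumed rather than tearing down the session. Making `iofunc` (and `tls_send`/`tls_recv` in the hunk above) return `ssize_t` and looping on the remainder fixes both; xfer's signature is outside this hunk.
```c
	/* … unchanged: buf declaration … */
	ssize_t n, m, off;

	while((n = recvf(from, buf, sizeof buf)) > 0){
		for(off = 0; off < n; off += m){
			m = sendf(to, buf+off, n-off);
			if(m <= 0)
				return;
		}
	}
```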
@@ -99,9 +96,9 @@
int pout[2];
int infd, outfd;
int i;
- pid_t execc, xferc;
+ pid_t xferc;
- execc = xferc = 0;
+ xferc = 0;
Rflag = 0;
infd = 0;
outfd = 1;
@@ -140,7 +137,7 @@
if(*argv && !Rflag){
pipe(pin);
pipe(pout);
- switch((execc = fork())){
+ switch(fork()){
case -1:
sysfatal("fork");
case 0:
@@ -158,13 +155,15 @@
}
fd = unix_dial(host, port);
- if(fd < 0){
- sysfatal("Failed to connect to the client");
- }
-
+ if(fd < 0)
+ sysfatal("failed to connect to the client");
p9authtls(fd);
- if(*argv && Rflag) {
+ if(Rflag){
+ if(*argv == nil){
+ argv = shell;
+ argc = nelem(shell);
+ }
for(i=0,n=0; i<argc; i++)
n += snprint(buf+n, sizeof buf - n - 1, "%s ", argv[i]);
if(n <= 0)
@@ -177,10 +176,12 @@
tls_send(-1, buf, i);
}
+ signal(SIGUSR1, suicide);
switch((xferc = fork())){
case -1:
sysfatal("fork");
case 0:
+ xferc = getppid();
xfer(infd, -1, s_recv, tls_send);
break;
default:
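Review bot: `xferc = getppid();` in the child is racy: if the parent has already finished its `xfer` and exited by the time the child runs this line, getppid() returns the reaper's pid (1, or a subreaper on Linux), and the `kill(xferc, SIGUSR1)` at the end of main then targets init — and when tlsclient runs as root that is an init-specific action (FreeBSD's init(8) documents SIGUSR1 as a halt request; OpenBSD's init is in the same family and worth checking). Capture the pid before forking instead: add `pid_t parent = getpid();` above the `switch` and use `xferc = parent;` in `case 0:`. Both sides already inherit the SIGUSR1 handler installed before the fork, so nothing else needs to change; main() begins and ends outside this hunk.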
@@ -187,10 +188,6 @@
xfer(-1, outfd, tls_recv, s_send);
break;
}
-
- if(xferc)
- kill(xferc, SIGTERM);
- if(execc)
- kill(execc, SIGTERM);
+ kill(xferc, SIGUSR1);
}
--- a/git-remote-hjgit
+++ b/git-remote-hjgit
@@ -8,27 +8,15 @@
dir="$GIT_DIR/hjgit/$alias"
prefix="refs/hjgit/$alias"
+refspec="refs/heads/*:$prefix/heads/*"
-default_refspec="refs/heads/*:${prefix}/heads/*"
-
-refspec="${GIT_REMOTE_HJGIT_REFSPEC-$default_refspec}"
-
+test $GIT_REMOTE_HJGIT_REFSPEC && refspec=$GIT_REMOTE_HJGIT_REFSPEC
test -z "$refspec" && prefix="refs"
-force=
-
mkdir -p "$dir"
-if test -z "$GIT_REMOTE_HJGIT_NO_MARKS"
-then
- gitmarks="$dir/git.marks"
- hjgitmarks="$dir/hjgit.marks"
- test -e "$gitmarks" || >"$gitmarks"
- test -e "$hjgitmarks" || >"$hjgitmarks"
-fi
-
packinitfmt(){
- printf "%s %s\0host=%s" $1 $2 $3 | awk '{ printf("%04x%s\0", length($0)+1+4, $0) }'
+ printf "%s %s\0host=%s\0" $1 $2 $3 | awk '{ printf("%04x%s", length($0)+4, $0) }'
}
while read line
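Review bot: `test $GIT_REMOTE_HJGIT_REFSPEC && refspec=$GIT_REMOTE_HJGIT_REFSPEC` leaves the variable unquoted in test(1), so a value containing whitespace is word-split into several operands and values such as `-n` or `!` are parsed as operators; write `test -n "$GIT_REMOTE_HJGIT_REFSPEC" && refspec=$GIT_REMOTE_HJGIT_REFSPEC`. The removed `${VAR-default}` form also let a set-but-empty variable select an empty refspec, which is what the surviving `test -z "$refspec" && prefix="refs"` line exists for; with the new test an empty value is ignored, so that line is now dead — either drop it or use `${GIT_REMOTE_HJGIT_REFSPEC+set}` to keep the old override. In `packinitfmt`, both `\0` bytes now travel through awk's `$0`, and how awk treats NUL inside a record is implementation-specific, so the pkt-line length may come out wrong on the OpenBSD target; computing the length in the shell and emitting everything with a single printf avoids the dependency.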
@@ -43,7 +31,7 @@
# lie that the connection works
echo
{
- packinitfmt $(echo $line | awk '{ print $2 }') $path $host
+ packinitfmt `echo $line | awk '{ print $2 }'` $path $host
cat
} | CPU=$host AUTH='p9auth.'$host tlsclient -p 17021
exit
--- /dev/null
+++ b/tlsclient.1
@@ -1,0 +1,55 @@
+.TH TLSCLIENT 1
+.SH NAME
+tlsclient \- 9front tls client
+.SH SYNOPSIS
+.B tlsclient
+[
+.B -R
+]
+[
+.B -u
+.I user
+]
+[
+.B -h
+.I host
+]
+[
+.B -a
+.I auth
+]
+.B -p
+.I port
+command...
+.SH DESCRIPTION
+.B Tlsclient
+may be used to establish encrypted tls tunnels with 9front
+.B tlssrv
+servers using p9any to derive pre-shared keys. The
+.BR -u ,
+.BR -h ,
+and
+.B -a
+flags configure the paramaters for authentication.
+These paramaters may also be configured through the
+.IR USER ,
+.IR CPU ,
+and
+.IR AUTH ,
+environment variables respectively.
+.PP
+The
+.I command
+given is executed on the client, with its
+standard input and output pointing to the output and input
+of the remote connection. The
+.B -R
+flag changes this behavior, causing the
+.I command
+to be executed on the remote system in a
+similar fashion to 9front's rcpu. In this
+mode, if
+.I command
+is not specified a rc login shell is used.
+.SH BUGS
+Well, if you want 'em.