ref: a0f49f0e75230dbd1bf4c8e1de4b4098cdc8794a
parent: 0c9cb17126859a6121dd5d79a4e1d664e4e9ba48
author: Jacob Moody <moody@posixcafe.org>
date: Tue Jul 12 20:28:27 EDT 2022
hopefully the last round of obsd build tweaks
--- a/Make.config
+++ b/Make.config
@@ -3,6 +3,4 @@
CFLAGS=-Wall -Wno-missing-braces -Wno-parentheses -ggdb -I$(ROOT) -I$(ROOT)/include -c -D_THREAD_SAFE -O2 -fPIC
O=o
PREFIX ?= /usr
-
-# For OpenBSD use 'eopenssl11'
OPENSSL ?= openssl
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,4 @@
ROOT=.
-
include ./Make.config
LIBS=\
@@ -12,7 +11,7 @@
default: tlsclient
tlsclient: cpu.$O $(LIBS)
- $(CC) `pkg-config $(OPENSSL) --libs` -o $@ cpu.$O $(LIBS)
+ $(CC) `pkg-config $(OPENSSL) --libs` $(LDFLAGS) -o $@ cpu.$O $(LIBS)
login_-dp9ik: bsd.$O $(LIBS)
$(CC) -o $@ bsd.$O $(LIBS)
@@ -43,10 +42,14 @@
rm -f *.o lib*/*.o lib*/*.a tlsclient pam_p9.so login_-dp9ik
linux.tar.gz: tlsclient pam_p9.so tlsclient.1
- tar c $^ | gzip > $@
+ tar cf - $^ | gzip > $@
-obsd.tar.gz: tlsclient login_-dp9ik tlsclient.1
- tar c $^ | gzip > $@
+tlsclient.obsd: login_-dp9ik
+ OPENSSL=eopenssl11 LDFLAGS="$(LDFLAGS) -Xlinker --rpath=/usr/local/lib/eopenssl11/" $(MAKE) tlsclient
+ mv tlsclient tlsclient.obsd
+
+obsd.tar.gz: tlsclient.obsd tlsclient.1
+ tar cf - tlsclient login_-dp9ik tlsclient.1 | gzip > $@
.PHONY: tlsclient.install
tlsclient.install: tlsclient tlsclient.1
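Review bot: The new `obsd.tar.gz` recipe archives `tlsclient`, but its prerequisite `tlsclient.obsd` has just renamed that file with `mv tlsclient tlsclient.obsd`, so tar has no `tlsclient` to add when it runs right after the wrapper recipe. Because the recipe is `tar cf - ... | gzip > $@`, a plain `sh` reports gzip's exit status, so the likely result is an `obsd.tar.gz` that builds without error but lacks the binary. Either archive the file that exists, `tar cf - tlsclient.obsd login_-dp9ik tlsclient.1 | gzip > $@`, or keep the original name by using `cp tlsclient tlsclient.obsd` in the wrapper recipe. Separately, `tlsclient.obsd` lists only `login_-dp9ik` as a prerequisite, so once it exists it will presumably not be relinked when `cpu.$O` or `$(LIBS)` change.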
--- a/README
+++ b/README
@@ -14,41 +14,48 @@
Usage:
tlsclient [ -R ] [ -u user] [ -h host ] [ -a auth ] -p port cmd...
- 9cpu [ -u user ] [ -h host ] [ -a auth ] cmd...
Example:
- 9cpu -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient
+ tlsclient -R -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient
# with git-remote-hjgit in your $PATH
git clone hjgit://shithub.us/user/repo
+Building:
+ $ make tlsclient
+
OpenBSD:
OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does
- not have PSK cipher suites. Tweak Make.config as required. Openssl is
- only used for tlsclient and rcpu, login_-dp9ik does not require it.
+ not have the PSK cipher suites for tlsclient. As such, the openssl11
+ package is required, and a wrapper recipe is provided:
+ $ make tlsclient.obsd
+
OpenBSD Authentication:
Build:
- # Modify "char *authserver" in bsd.c to specify a default auth server
$ make login_-dp9ik
Testing:
- ./login_-dp9ik -d -v authserver="my.auth.server"
+ ./login_-dp9ik -d $USER
# you will see authenticate/reject print out on stdout
# for success/failure.
Install:
$ cp login_-dp9ik /usr/libexec/auth/
Config:
+ Each user is allowed to specify an auth
+ server within '$HOME/.p9auth'. The file must
+ have no group or other permissions set.
+
Modify the auth-defaults line of /etc/login.conf
to use the new executable. This will look something like:
auth-defaults:auth=-dp9ik,passwd,skey:
Notes:
- OpenBSD requires that all users regardless of
- authentication mechanism exist in /etc/passwd.
- OpenBSD does not retry with other mechanisms
- if one sends a rejection, this means all
- users(including root) must exist within the
- auth server.
+ Unless you have a root user in your authdom, it is likely
+ that installing this may lock you out of the root user,
+ logging in with the username 'root:passwd' will authenticate
+ against the system passwd file.
+ See Also:
+ login(1)
PAM Authentication:
Build: