1.\"	$OpenBSD: auth_subr.3,v 1.25 2021/05/31 19:54:04 millert Exp $
2.\"
3.\" Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\" 1. Redistributions of source code must retain the above copyright
9.\"    notice, this list of conditions and the following disclaimer.
10.\" 2. Redistributions in binary form must reproduce the above copyright
11.\"    notice, this list of conditions and the following disclaimer in the
12.\"    documentation and/or other materials provided with the distribution.
13.\" 3. All advertising materials mentioning features or use of this software
14.\"    must display the following acknowledgement:
15.\"	This product includes software developed by Berkeley Software Design,
16.\"	Inc.
17.\" 4. The name of Berkeley Software Design, Inc.  may not be used to endorse
18.\"    or promote products derived from this software without specific prior
19.\"    written permission.
20.\"
21.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
22.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24.\" ARE DISCLAIMED.  IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
25.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31.\" SUCH DAMAGE.
32.\"
33.\"	BSDI $From: auth_subr.3,v 2.5 2000/03/30 19:11:27 polk Exp $
34.Dd $Mdocdate: May 31 2021 $
35.Dt AUTH_OPEN 3
36.Os
37.Sh NAME
38.Nm auth_open ,
39.Nm auth_call ,
40.Nm auth_challenge ,
41.Nm auth_check_change ,
42.Nm auth_check_expire ,
43.Nm auth_clean ,
44.Nm auth_close ,
45.Nm auth_clrenv ,
46.Nm auth_clroption ,
47.Nm auth_clroptions ,
48.Nm auth_getitem ,
49.Nm auth_getpwd ,
50.Nm auth_getstate ,
51.Nm auth_getvalue ,
52.Nm auth_set_va_list ,
53.Nm auth_setdata ,
54.Nm auth_setenv ,
55.Nm auth_setitem ,
56.Nm auth_setoption ,
57.Nm auth_setpwd ,
58.Nm auth_setstate
59.Nd interface to the BSD Authentication system
60.Sh SYNOPSIS
61.In sys/types.h
62.In login_cap.h
63.In bsd_auth.h
64.Ft auth_session_t *
65.Fn auth_open "void"
66.Ft int
67.Fn auth_close "auth_session_t *as"
68.Ft int
69.Fn auth_call "auth_session_t *as" "char *path" "..."
70.Ft char *
71.Fn auth_challenge "auth_session_t *as"
72.Ft quad_t
73.Fn auth_check_change "auth_session_t *as"
74.Ft quad_t
75.Fn auth_check_expire "auth_session_t *as"
76.Ft void
77.Fn auth_clean "auth_session_t *as"
78.Ft void
79.Fn auth_clrenv "auth_session_t *as"
80.Ft void
81.Fn auth_clroption "auth_session_t * as" "char *name"
82.Ft void
83.Fn auth_clroptions "auth_session_t *as"
84.Ft char *
85.Fn auth_getitem "auth_session_t *as" "auth_item_t item"
86.Ft struct passwd *
87.Fn auth_getpwd "auth_session_t *as"
88.Ft int
89.Fn auth_getstate "auth_session_t *as"
90.Ft char *
91.Fn auth_getvalue "auth_session_t *as" "char *what"
92.Ft void
93.Fn auth_set_va_list "auth_session_t *as" "va_list ap"
94.Ft int
95.Fn auth_setdata "auth_session_t *as" "void *ptr" "size_t len"
96.Ft void
97.Fn auth_setenv "auth_session_t *as"
98.Ft int
99.Fn auth_setitem "auth_session_t *as" "auth_item_t item" "char *value"
100.Ft int
101.Fn auth_setoption "auth_session_t *as" "char *name" "char *value"
102.Ft int
103.Fn auth_setpwd "auth_session_t *as" "struct passwd *pwd"
104.Ft void
105.Fn auth_setstate "auth_session_t *as" "int state"
106.Sh DESCRIPTION
107These functions provide the lower level interface to the
108.Bx
109Authentication system.
110They all operate on a
111.Bx
112Authentication session pointer,
113.Fa as ,
114which is returned by
115.Fn auth_open .
116The session pointer
117must be passed to all other
118.Bx
119Authentication functions called.
120The
121.Fn auth_open
122function returns
123.Dv NULL
124if it was unable to allocate memory for the session.
125The session is terminated by the
126.Fn auth_close
127function,
128which also sets any environment variables requested by the login script
129(assuming the user was not rejected) or removes files created by the
130login script if the authentication was not successful.
131It returns the final state of the authentication request.
132A return value of 0 implies the user was not authenticated.
133A non-zero return value is made up of 1 or more of the following values
134ORed together:
135.Bl -tag -width AUTH_ROOTOKAYXX
136.It Dv AUTH_OKAY
137The user was authenticated.
138.It Dv AUTH_ROOTOKAY
139The user was authenticated with a root instance.
140.It Dv AUTH_SECURE
141The user was authenticated via a mechanism which is not subject to
142eavesdropping attacks (such as provided by token cards).
143.El
144.Pp
145The full state of the session is returned by the
146.Fn auth_getstate
147function.
148In addition to the values above, it also may contain the bits:
149.Bl -tag -width AUTH_ROOTOKAYXX
150.It Dv AUTH_SILENT
151Do not report an error, the user was not authenticated for access and
152was not expected to be.
153This is returned by login scripts that allow changing of the user's password,
154for instance.
155This value is stripped off for normal returns.
156.It Dv AUTH_CHALLENGE
157The user was not authenticated for access and a challenge was issued.
158The challenge should be displayed to the user, a response retrieved,
159and the result verified.
160This value is stripped off for normal returns.
161.It Dv AUTH_EXPIRED
162The user's account has expired.
163.It Dv AUTH_PWEXPIRED
164The user's password has expired and needs to be changed.
165.El
166.Pp
167A session may be cleaned
168by calling
169.Fn auth_clean .
170This function removes any files created by a login script in this
171session and clears all state associated with this session, with the
172exception of the option settings.
173It is not necessary to call
174.Fn auth_clean
175if
176.Fn auth_close
177is called.
178.Pp
179The remaining functions are described in alphabetical order.
180.Pp
181The fundamental function for doing
182.Bx
183Authentication is
184.Fn auth_call .
185In addition to the pointer to the
186.Bx
187Authentication session, it takes
188the following parameters:
189.Bl -tag -width indent
190.It Ar path
191The full path name of the login script to run.
192.It Ar ...
193The remaining arguments, which should be of type
194.Vt char *
195and terminated with a
196.Dv NULL ,
197are passed to the login script at the end of the command line.
198Non-optional arguments such as user should be prefixed by a
199.Qq --
200argument so that
201.Xr getopt 3
202will not attempt to interpret them as optional flags.
203.El
204.Pp
205The
206.Fn auth_call
207function, after verifying the
208.Ar path ,
209creates a bi-directional pipe (socketpair) which is located on
210file descriptor 3 for the child (the login script).
211This is known as the
212.Dq back channel .
213The actual command line passed to the child is made up of
2143 parts.
215The parameters passed to
216.Fn auth_call
217following
218.Ar path
219have appended to them any arguments specified by the
220.Fn auth_set_va_list
221function.
222These are typically the variable arguments passed to the function
223that calls
224.Fn auth_call .
225Any option values set by the
226.Fn auth_setoption
227function are inserted between the first argument (the command
228name) and the second argument with a preceding
229.Fl v
230flag.
231The name and value are separated by an
232.Sq = :
233.Pp
234.D1 Fl v Ar name=value
235.Pp
236Once the login script has been spawned, any data specified by the
237.Fn auth_setdata
238is written to the back channel.
239Multiple blocks of data may have been specified and they will be sent
240in the same order they were specified.
241As the data is sent, the storage for the data is zeroed out and then freed
242(the data is zeroed out since it may contain sensitive information,
243such as a password).
244Once any data is written out,
245.Fn auth_call
246reads up to 8192 bytes of data from the back channel.
247The state of the session is determined from this data (see
248.Xr login.conf 5
249for details).
250If the login script exits with a 0 and does not specify any return state
251on the back channel, the state prior to the call to
252.Fn auth_call
253is retained.
254.Pp
255Note that while
256.Fn auth_call
257will zero out the copies it makes of sensitive information, such as plain text
258passwords, after it is sent, it is the responsibility of the
259caller to zero out the original copies of this sensitive information.
260Due to the mechanics of the
261.Fn auth_call
262function, this data must be zeroed
263.Em before
264.Fn auth_call
265is called.
266The safest place to zero out sensitive information is immediately
267after it has been passed to
268.Fn auth_setdata .
269.Pp
270The back channel data may also contain a file descriptor passed back
271from the login script.
272If this is the case, the login script will first send back the string
273.Dq fd
274to indicate that a file descriptor will be the next data item.
275The file descriptor will be passed back to the next invocation of
276the login script with a number specified by the
277.Fl v Ar fd
278option.
279This is used to implement stateful challenge/response schemes that require
280a persistent connection during the challenge and response.
281The copy of the descriptor in the parent process is closed when the
282child is running to prevent deadlock when file locking is used.
283The descriptor is also closed by a call to
284.Fn auth_close
285or
286.Fn auth_clean .
287.Pp
288The data read from the back channel is also used by the
289.Fn auth_getvalue
290and
291.Fn auth_close
292functions.
293Subsequent calls to
294.Fn auth_call
295will cause this data to be lost and overwritten with the new data read
296from the new call.
297.Pp
298The environment passed to the login script by
299.Fn auth_call
300only contains two values:
301.Ev PATH
302and
303.Ev SHELL .
304The
305.Ev PATH
306is set to the default path
307.Pa ( /bin
308and
309.Pa /usr/bin )
310while the
311.Ev SHELL
312is set to the default system shell
313.Pq Pa /bin/sh .
314.Pp
315The
316.Fn auth_challenge
317function queries the login script defined by the current
318.Ar style
319for a challenge for the user specified by
320.Ar name .
321(See below for the setting of the
322.Ar style
323and
324.Ar name ) .
325It internally uses the
326.Fn auth_call
327function.
328The generated challenge is returned.
329.Dv NULL
330is returned on error or if no challenge was generated.
331The challenge can also be extracted by the
332.Fn auth_getchallenge
333function, which simply returns the last challenge generated
334for this session.
335.Pp
336The
337.Fn auth_check_change
338and
339.Fn auth_check_expire
340functions check the password expiration (change) and account expiration
341times.
342They return 0 if no change or expiration time is set for the account.
343They return a negative value of how many seconds have passed since
344the password or account expired.
345In this case the state of the session is marked with either
346.Li AUTH_PWEXPIRED
347or
348.Li AUTH_EXPIRED
349as well as clearing any bits which would indicate the authentication was
350successful.
351If the password or account has not expired, they return the number of
352seconds left until the account does expire.
353The return value of -1 can either indicate the password or account
354just expired or that no password entry was set for the current session.
355.Pp
356The
357.Fn auth_clrenv
358function clears any requests set by a login script for
359environment variables to be set.
360.Pp
361The
362.Fn auth_clroption
363function clears the previously set option
364.Fa name .
365.Pp
366The
367.Fn auth_clroptions
368function clears all previously set options.
369.Pp
370The
371.Fn auth_getitem
372function returns the value of
373.Fa item .
374The
375.Fa item
376may be one of:
377.Bl -tag -width AUTH_INTERACTIVE
378.It Dv AUTH_CHALLENGE
379The latest challenge, if any, set for the session.
380.It Dv AUTH_CLASS
381The class of the user, as defined by the
382.Pa /etc/login.conf
383file.
384This value is not directly used by
385.Bx
386Authentication, rather, it is
387passed to the login scripts for their possible use.
388.It Dv AUTH_INTERACTIVE
389If set to any value, then the session is tagged as interactive.
390If not set, the session is not interactive.
391When the value is requested it is always either
392.Dv NULL
393or
394.Dq True .
395The auth subroutines may choose to provide additional information to
396standard output or standard error when the session is interactive.
397There is no functional change in the operation of the subroutines.
398.It Dv AUTH_NAME
399The name of the user being authenticated.
400The name should include the instance, if any, that is being requested.
401.It Dv AUTH_SERVICE
402The service requesting the authentication.
403Initially it is set to the default service which provides the traditional
404interactive service.
405.It Dv AUTH_STYLE
406The style of authentication being performed, as defined by the
407.Pa /etc/login.conf
408file.
409The style determines which login script should actually be used.
410.El
411.Pp
412The value returned points to private memory and should not be
413freed by the caller.
414.Pp
415The
416.Fn auth_getvalue
417function returns the value, if any, associated with the specified internal
418variable
419.Ar what .
420These variables are set by login scripts.
421When a new login script is run
422(by the
423.Fn auth_call
424function)
425the values from the previous login script are lost.
426(See
427.Xr login.conf 5
428for details on internal variables.)
429.Pp
430The
431.Fn auth_set_va_list
432function establishes a variable argument list to be used by the
433.Fn auth_call
434function.
435It is intended to be used by functions which need to call
436.Fn auth_call
437but take a variable number of arguments themselves.
438Since the arguments are not copied, the call to
439.Fn auth_call
440must be placed within the scope of
441.Fa ap .
442The
443.Fn auth_call
444function will call
445.Xr va_end 3
446on
447.Fa ap .
448.Pp
449The
450.Fn auth_setdata
451function makes a copy of
452.Fa len
453bytes of data pointed to by
454.Fa ptr
455for use by
456.Fn auth_call .
457The data will be passed on the back channel to the next login script called.
458.Pp
459The
460.Fn auth_setenv
461function adds/deletes any environment variables requested by the
462login script to the current environment.
463.Pp
464The
465.Fn auth_setitem
466function assigns
467.Fa value
468to the specified
469.Fa item .
470The items are described above with the
471.Fn auth_getitem
472function.
473In addition, if
474.Fa value
475is
476.Dv NULL ,
477the
478.Fa item
479is cleared.
480If
481.Fa value
482is
483.Dv NULL
484and
485.Fa item
486is
487.Li AUTH_ALL
488then all items are cleared.
489.Pp
490The
491.Fn auth_setoption
492function requests that the option
493.Fa name
494be set with the value of
495.Fa value
496when a script is executed by
497.Fn auth_call .
498The actual arguments to the script will be placed at the beginning
499of the argument vector.
500For each option two arguments will be issued:
501.Li -v name=value .
502.Pp
503The function
504.Fn auth_setpwd
505establishes the password file entry for the authentication session.
506If the name has already been set by
507.Fn auth_setitem
508then the
509.Fa pwd
510argument may be
511.Dv NULL ,
512else it must be the password entry to use.
513.Pp
514The function
515.Fn auth_getpwd
516retrieves the saved password file entry for the authentication session.
517If no entry has been saved (either explicitly via
518.Fn auth_setpwd
519or implicitly via
520.Fn auth_check_expire
521or
522.Fn auth_check_change )
523it returns
524.Dv NULL .
525Note that the memory containing the password file entry is freed by
526a call to
527.Fn auth_close
528or
529.Fn auth_clean .
530.Pp
531The function
532.Fn auth_setstate
533sets the sessions state to
534.Fa state .
535Typically this is either
536.Li AUTH_OKAY
537or 0.
538.Sh SEE ALSO
539.Xr authenticate 3 ,
540.Xr login_cap 3 ,
541.Xr pw_dup 3 ,
542.Xr login.conf 5
543