1.\" $OpenBSD: auth_subr.3,v 1.27 2023/02/19 21:33:38 aisha Exp $ 2.\" 3.\" Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. All advertising materials mentioning features or use of this software 14.\" must display the following acknowledgement: 15.\" This product includes software developed by Berkeley Software Design, 16.\" Inc. 17.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse 18.\" or promote products derived from this software without specific prior 19.\" written permission. 20.\" 21.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND 22.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24.\" ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE 25.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31.\" SUCH DAMAGE. 32.\" 33.\" BSDI $From: auth_subr.3,v 2.5 2000/03/30 19:11:27 polk Exp $ 34.Dd $Mdocdate: February 19 2023 $ 35.Dt AUTH_OPEN 3 36.Os 37.Sh NAME 38.Nm auth_open , 39.Nm auth_call , 40.Nm auth_challenge , 41.Nm auth_check_change , 42.Nm auth_check_expire , 43.Nm auth_clean , 44.Nm auth_close , 45.Nm auth_clrenv , 46.Nm auth_clroption , 47.Nm auth_clroptions , 48.Nm auth_getitem , 49.Nm auth_getpwd , 50.Nm auth_getstate , 51.Nm auth_getvalue , 52.Nm auth_set_va_list , 53.Nm auth_setdata , 54.Nm auth_setenv , 55.Nm auth_setitem , 56.Nm auth_setoption , 57.Nm auth_setpwd , 58.Nm auth_setstate 59.Nd interface to the BSD Authentication system 60.Sh SYNOPSIS 61.In sys/types.h 62.In login_cap.h 63.In bsd_auth.h 64.Ft auth_session_t * 65.Fn auth_open "void" 66.Ft int 67.Fn auth_close "auth_session_t *as" 68.Ft int 69.Fn auth_call "auth_session_t *as" "char *path" "..." 70.Ft char * 71.Fn auth_challenge "auth_session_t *as" 72.Ft quad_t 73.Fn auth_check_change "auth_session_t *as" 74.Ft quad_t 75.Fn auth_check_expire "auth_session_t *as" 76.Ft void 77.Fn auth_clean "auth_session_t *as" 78.Ft void 79.Fn auth_clrenv "auth_session_t *as" 80.Ft void 81.Fn auth_clroption "auth_session_t * as" "char *name" 82.Ft void 83.Fn auth_clroptions "auth_session_t *as" 84.Ft char * 85.Fn auth_getitem "auth_session_t *as" "auth_item_t item" 86.Ft struct passwd * 87.Fn auth_getpwd "auth_session_t *as" 88.Ft int 89.Fn auth_getstate "auth_session_t *as" 90.Ft char * 91.Fn auth_getvalue "auth_session_t *as" "char *what" 92.Ft void 93.Fn auth_set_va_list "auth_session_t *as" "va_list ap" 94.Ft int 95.Fn auth_setdata "auth_session_t *as" "void *ptr" "size_t len" 96.Ft void 97.Fn auth_setenv "auth_session_t *as" 98.Ft int 99.Fn auth_setitem "auth_session_t *as" "auth_item_t item" "char *value" 100.Ft int 101.Fn auth_setoption "auth_session_t *as" "char *name" "char *value" 102.Ft int 103.Fn auth_setpwd "auth_session_t *as" "struct passwd *pwd" 104.Ft void 105.Fn auth_setstate "auth_session_t *as" "int state" 106.Sh DESCRIPTION 107These functions provide the lower level interface to the 108.Bx 109Authentication system. 110They all operate on a 111.Bx 112Authentication session pointer, 113.Fa as , 114which is returned by 115.Fn auth_open . 116The session pointer 117must be passed to all other 118.Bx 119Authentication functions called. 120The 121.Fn auth_open 122function returns 123.Dv NULL 124if it was unable to allocate memory for the session. 125The session is terminated by the 126.Fn auth_close 127function, 128which also sets any environment variables requested by the login script 129(assuming the user was not rejected) or removes files created by the 130login script if the authentication was not successful. 131It returns the final state of the authentication request. 132A return value of 0 implies the user was not authenticated. 133A non-zero return value is made up of 1 or more of the following values 134ORed together: 135.Bl -tag -width AUTH_ROOTOKAYXX 136.It Dv AUTH_OKAY 137The user was authenticated. 138.It Dv AUTH_ROOTOKAY 139The user was authenticated with a root instance. 140.It Dv AUTH_SECURE 141The user was authenticated via a mechanism which is not subject to 142eavesdropping attacks (such as provided by token cards). 143.El 144.Pp 145The full state of the session is returned by the 146.Fn auth_getstate 147function. 148In addition to the values above, it also may contain the bits: 149.Bl -tag -width AUTH_ROOTOKAYXX 150.It Dv AUTH_SILENT 151Do not report an error, the user was not authenticated for access and 152was not expected to be. 153This is returned by login scripts that allow changing of the user's password, 154for instance. 155This value is stripped off for normal returns. 156.It Dv AUTH_CHALLENGE 157The user was not authenticated for access and a challenge was issued. 158The challenge should be displayed to the user, a response retrieved, 159and the result verified. 160This value is stripped off for normal returns. 161.It Dv AUTH_EXPIRED 162The user's account has expired. 163.It Dv AUTH_PWEXPIRED 164The user's password has expired and needs to be changed. 165.El 166.Pp 167A session may be cleaned 168by calling 169.Fn auth_clean . 170This function removes any files created by a login script in this 171session and clears all state associated with this session, with the 172exception of the option settings. 173It is not necessary to call 174.Fn auth_clean 175if 176.Fn auth_close 177is called. 178.Pp 179The remaining functions are described in alphabetical order. 180.Pp 181The fundamental function for doing 182.Bx 183Authentication is 184.Fn auth_call . 185In addition to the pointer to the 186.Bx 187Authentication session, it takes 188the following parameters: 189.Bl -tag -width indent 190.It Ar path 191The full path name of the login script to run. 192.It Ar ... 193The remaining arguments, which should be of type 194.Vt char * 195and terminated with a 196.Dv NULL , 197are passed to the login script at the end of the command line. 198Non-optional arguments such as user should be prefixed by a 199.Qq -- 200argument so that 201.Xr getopt 3 202will not attempt to interpret them as optional flags. 203.El 204.Pp 205The 206.Fn auth_call 207function, after verifying the 208.Ar path , 209creates a bi-directional pipe (socketpair) which is located on 210file descriptor 3 for the child (the login script). 211This is known as the 212.Dq back channel . 213The actual command line passed to the child is made up of 2143 parts. 215The parameters passed to 216.Fn auth_call 217following 218.Ar path 219have appended to them any arguments specified by the 220.Fn auth_set_va_list 221function. 222These are typically the variable arguments passed to the function 223that calls 224.Fn auth_call . 225Any option values set by the 226.Fn auth_setoption 227function are inserted between the first argument (the command 228name) and the second argument with a preceding 229.Fl v 230flag. 231The name and value are separated by an 232.Sq = : 233.Pp 234.D1 Fl v Ar name=value 235.Pp 236Once the login script has been spawned, any data specified by the 237.Fn auth_setdata 238is written to the back channel. 239Multiple blocks of data may have been specified and they will be sent 240in the same order they were specified. 241As the data is sent, the storage for the data is zeroed out and then freed 242(the data is zeroed out since it may contain sensitive information, 243such as a password). 244Once any data is written out, 245.Fn auth_call 246reads up to 8192 bytes of data from the back channel. 247The state of the session is determined from this data (see 248.Xr login.conf 5 249for details). 250If the login script exits with a 0 and does not specify any return state 251on the back channel, the state prior to the call to 252.Fn auth_call 253is retained. 254.Pp 255Note that while 256.Fn auth_call 257will zero out the copies it makes of sensitive information, such as plain text 258passwords, after it is sent, it is the responsibility of the 259caller to zero out the original copies of this sensitive information. 260Due to the mechanics of the 261.Fn auth_call 262function, this data must be zeroed 263.Em before 264.Fn auth_call 265is called. 266The safest place to zero out sensitive information is immediately 267after it has been passed to 268.Fn auth_setdata . 269.Pp 270The back channel data may also contain a file descriptor passed back 271from the login script. 272If this is the case, the login script will first send back the string 273.Dq fd 274to indicate that a file descriptor will be the next data item. 275The file descriptor will be passed back to the next invocation of 276the login script with a number specified by the 277.Fl v Ar fd 278option. 279This is used to implement stateful challenge/response schemes that require 280a persistent connection during the challenge and response. 281The copy of the descriptor in the parent process is closed when the 282child is running to prevent deadlock when file locking is used. 283The descriptor is also closed by a call to 284.Fn auth_close 285or 286.Fn auth_clean . 287.Pp 288The data read from the back channel is also used by the 289.Fn auth_getvalue 290and 291.Fn auth_close 292functions. 293Subsequent calls to 294.Fn auth_call 295will cause this data to be lost and overwritten with the new data read 296from the new call. 297.Pp 298The environment passed to the login script by 299.Fn auth_call 300only contains two values: 301.Ev PATH 302and 303.Ev SHELL . 304The 305.Ev PATH 306is set to the default path 307.Pa ( /bin 308and 309.Pa /usr/bin ) 310while the 311.Ev SHELL 312is set to the default system shell 313.Pq Pa /bin/sh . 314.Pp 315The 316.Fn auth_challenge 317function queries the login script defined by the current 318.Ar style 319for a challenge for the user specified by 320.Ar name . 321(See below for the setting of the 322.Ar style 323and 324.Ar name ) . 325It internally uses the 326.Fn auth_call 327function. 328The generated challenge is returned. 329.Dv NULL 330is returned on error or if no challenge was generated. 331.Pp 332The 333.Fn auth_check_change 334and 335.Fn auth_check_expire 336functions check the password expiration (change) and account expiration 337times. 338They return 0 if no change or expiration time is set for the account. 339They return a negative value of how many seconds have passed since 340the password or account expired. 341In this case the state of the session is marked with either 342.Li AUTH_PWEXPIRED 343or 344.Li AUTH_EXPIRED 345as well as clearing any bits which would indicate the authentication was 346successful. 347If the password or account has not expired, they return the number of 348seconds left until the account does expire. 349The return value of -1 can either indicate the password or account 350just expired or that no password entry was set for the current session. 351.Pp 352The 353.Fn auth_clrenv 354function clears any requests set by a login script for 355environment variables to be set. 356.Pp 357The 358.Fn auth_clroption 359function clears the previously set option 360.Fa name . 361.Pp 362The 363.Fn auth_clroptions 364function clears all previously set options. 365.Pp 366The 367.Fn auth_getitem 368function returns the value of 369.Fa item . 370The 371.Fa item 372may be one of: 373.Bl -tag -width AUTH_INTERACTIVE 374.It Dv AUTH_CHALLENGE 375The latest challenge, if any, set for the session. 376.It Dv AUTH_CLASS 377The class of the user, as defined by the 378.Pa /etc/login.conf 379file. 380This value is not directly used by 381.Bx 382Authentication, rather, it is 383passed to the login scripts for their possible use. 384.It Dv AUTH_INTERACTIVE 385If set to any value, then the session is tagged as interactive. 386If not set, the session is not interactive. 387When the value is requested, it is always either 388.Dv NULL 389or 390.Dq True . 391The auth subroutines may choose to provide additional information to 392standard output or standard error when the session is interactive. 393There is no functional change in the operation of the subroutines. 394.It Dv AUTH_NAME 395The name of the user being authenticated. 396The name should include the instance, if any, that is being requested. 397.It Dv AUTH_SERVICE 398The service requesting the authentication. 399Initially it is set to the default service which provides the traditional 400interactive service. 401.It Dv AUTH_STYLE 402The style of authentication being performed, as defined by the 403.Pa /etc/login.conf 404file. 405The style determines which login script should actually be used. 406.El 407.Pp 408The value returned points to private memory and should not be 409freed by the caller. 410.Pp 411The 412.Fn auth_getvalue 413function returns the value, if any, associated with the specified internal 414variable 415.Ar what . 416These variables are set by login scripts. 417When a new login script is run 418(by the 419.Fn auth_call 420function), 421the values from the previous login script are lost. 422(See 423.Xr login.conf 5 424for details on internal variables.) 425.Pp 426The 427.Fn auth_set_va_list 428function establishes a variable argument list to be used by the 429.Fn auth_call 430function. 431It is intended to be used by functions which need to call 432.Fn auth_call 433but take a variable number of arguments themselves. 434Since the arguments are not copied, the call to 435.Fn auth_call 436must be placed within the scope of 437.Fa ap . 438The 439.Fn auth_call 440function will call 441.Xr va_end 3 442on 443.Fa ap . 444.Pp 445The 446.Fn auth_setdata 447function makes a copy of 448.Fa len 449bytes of data pointed to by 450.Fa ptr 451for use by 452.Fn auth_call . 453The data will be passed on the back channel to the next login script called. 454.Pp 455The 456.Fn auth_setenv 457function adds/deletes any environment variables requested by the 458login script to the current environment. 459.Pp 460The 461.Fn auth_setitem 462function assigns 463.Fa value 464to the specified 465.Fa item . 466The items are described above with the 467.Fn auth_getitem 468function. 469In addition, if 470.Fa value 471is 472.Dv NULL , 473the 474.Fa item 475is cleared. 476If 477.Fa value 478is 479.Dv NULL 480and 481.Fa item 482is 483.Li AUTH_ALL 484then all items are cleared. 485.Pp 486The 487.Fn auth_setoption 488function requests that the option 489.Fa name 490be set with the value of 491.Fa value 492when a script is executed by 493.Fn auth_call . 494The actual arguments to the script will be placed at the beginning 495of the argument vector. 496For each option two arguments will be issued: 497.Li -v name=value . 498.Pp 499The function 500.Fn auth_setpwd 501establishes the password file entry for the authentication session. 502If the name has already been set by 503.Fn auth_setitem 504then the 505.Fa pwd 506argument may be 507.Dv NULL , 508else it must be the password entry to use. 509.Pp 510The function 511.Fn auth_getpwd 512retrieves the saved password file entry for the authentication session. 513If no entry has been saved (either explicitly via 514.Fn auth_setpwd 515or implicitly via 516.Fn auth_check_expire 517or 518.Fn auth_check_change ) , 519it returns 520.Dv NULL . 521Note that the memory containing the password file entry is freed by 522a call to 523.Fn auth_close 524or 525.Fn auth_clean . 526.Pp 527The function 528.Fn auth_setstate 529sets the sessions state to 530.Fa state . 531Typically this is either 532.Li AUTH_OKAY 533or 0. 534.Sh SEE ALSO 535.Xr authenticate 3 , 536.Xr login_cap 3 , 537.Xr pw_dup 3 , 538.Xr login.conf 5 539