moody/tlsclient

Description
tlsclient: tlsclient(1) for unix

This repo contains:
	9cpu: rcpu(1) on unix
	tlsclient: tlsclient(1) on unix
	git-remote-hjgit: git remote helper for using hjgit repos.
	pam_p9.so: A pam module that authenticates against a 9front auth server.
	login_-dp9ik: An OpenBSD bsd auth executable that auths against a 9front auth server.

Most of the tlsclient code is pillaged from jsdrawterm: https://github.com/aiju/jsdrawterm
The main difference between tlsclient and drawterm is that tlsclient has stripped out the
Plan 9 kernel that runs in userspace. This means we use OpenSSL for TLS and don't provide
things like /mnt/term, but gain some more flexibility.

Usage:
	tlsclient [ -R ] [ -u user ] [ -h host ] [ -a auth ] -p port cmd...
	9cpu [ -u user ] [ -h host ] [ -a auth ] cmd...

Example:
	9cpu -u moody -h shithub.us -a p9auth.shithub.us newrepo tlsclient

	# with git-remote-hjgit in your $PATH
	git clone hjgit://shithub.us/user/repo

OpenBSD:
	OpenBSD uses LibreSSL in place of OpenSSL. Unfortunately LibreSSL does
	not have PSK cipher suites. Tweak Make.config as required. OpenSSL is
	only used for tlsclient and rcpu; login_-dp9ik does not require it.

OpenBSD Authentication:
	Build:
		# Modify "char *authserver" in bsd.c to specify a default auth server
		$ make login_-dp9ik
	Testing:
		./login_-dp9ik -d -v authserver="my.auth.server"
		# you will see authenticate/reject print out on stdout
		# for success/failure.
	Install:
		$ cp login_-dp9ik /usr/libexec/auth/
	Config:
		Modify the auth-defaults line of /etc/login.conf
		to use the new executable. This will look something like:

		auth-defaults:auth=-dp9ik,passwd,skey:
	Notes:
		OpenBSD requires that all users, regardless of
		authentication mechanism, exist in /etc/passwd.
		OpenBSD does not retry with other mechanisms
		if one sends a rejection. This means all
		users (including root) must exist within the
		auth server.

PAM Authentication:
	Build:
		$ make pam_p9.so
	Install and Config:
		Many systems configure PAM differently, so defer to your OS
		documentation for where to store pam_p9.so and which PAM
		configuration needs to be changed. pam_p9.so accepts
		a single argument within the PAM configuration, that being
		the auth server to use. Something akin to the following
		should work as additions to a PAM configuration.

		auth sufficient pam_p9.so flan
		account sufficient pam_p9.so flan
	
		With "flan" being the hostname or IP of the desired auth server.
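
A way to check the PAM entries described above before relying on them. This is an added example, not code from the tlsclient repo. It assumes the Linux-PAM /etc/pam.d layout ("type control module [args]"); check_pam_p9 is a hypothetical name and the sample lines are constructed.

```shell
#!/bin/sh
# Lint pam_p9.so entries in one PAM service file.
# Reports a control flag that is not a Linux-PAM keyword or [bracket] form,
# and an argument count other than the single auth server pam_p9.so accepts.
# Returns 0 only if at least one pam_p9.so entry exists and all are clean.
check_pam_p9() {
	awk '
	/^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
	{
		line = $0
		sub(/^[ \t]+/, "", line)
		sub(/[ \t]+$/, "", line)
		# Collapse "[success=1 default=ignore]" so it stays one field.
		a = index(line, "["); b = index(line, "]")
		if (a && b > a)
			line = substr(line, 1, a - 1) "[bracket]" substr(line, b + 1)
		n = split(line, f, /[ \t]+/)
		# Only entries whose module is pam_p9.so (bare name or full path).
		if (f[3] != "pam_p9.so" && f[3] !~ /\/pam_p9\.so$/) next
		seen++
		if (f[2] != "[bracket]" &&
		    f[2] !~ /^(required|requisite|sufficient|optional)$/) {
			printf "line %d: unknown control flag \"%s\"\n", NR, f[2]
			bad++
		}
		if (n != 4) {
			printf "line %d: expected 1 argument (auth server), got %d\n", NR, n - 3
			bad++
		}
	}
	END {
		if (!seen) { print "no pam_p9.so entries found"; exit 1 }
		exit (bad ? 1 : 0)
	}' "$1"
}

# Constructed sample: the first entry has a misspelled control flag.
sample=$(mktemp)
printf '%s\n' 'auth sufficent pam_p9.so flan' \
	'account sufficient pam_p9.so flan' > "$sample"
check_pam_p9 "$sample" || echo "pam_p9.so configuration needs attention"
rm -f "$sample"
```
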
Last 5 commits (shortlog)
Date Author Short message Commit hash
2021-09-05 Jacob doc tidy 7b6722df5d44de56329d2e4cfb0152c4397c945f
2021-09-05 Jacob add some documentation on configuring PAM f208e59263d823ebdd8f4160825be3de63556a10
2021-09-05 Jacob legal 1a02ec3b5c4f3cb41c7a5b377c5fffa0a415e3b7
2021-09-05 Jacob add login_-dp9ik dce45f38c8308048d849ede9128a8656e6b2889d
2021-07-23 Jacob enable posting to remote /srv through -s d253ae959d6c505d4a93a981ea097bf7b89442a1
Files (browse)
9cpu
LICENSE
Make.config
Makefile
README
bsd.c
cpu.c
fncs.h
git-remote-hjgit
include/
libauthsrv/
libc/
libmp/
libsec/
p9any.c
pam.c