Open keltia opened 9 months ago
I would love help on that.
There actually is now some kind of BSD support on the build_server_on_bsd branch, and if you want the binaries attached to that branch, they are already available in this pre-release. The price to pay now is that password-based authentication is disabled on the server on BSD systems as it is handled differently than on Linux.
If someone can look into a counterpart of `unix/unix_util/linux_user.go` for BSD systems, that would help a lot. Basically we just need to implement the `userPasswordAuthentication()` function.
So we would need something like `unix/unix_util/whateveryoulike_bsd_user.go` implementing `userPasswordAuthentication()` that is used by the server.
It would be the best to avoid using CGO as it is a pain and I am planning to remove any trace of CGO from SSH3.
FYI this is also extensively discussed (and progressively solved) in #18
The major missing piece for `userPasswordAuthentication` on BSD is `getspnam()`. I think/hope pretty much everyone has `getpwnam` and `crypt`.
FreeBSD and OpenBSD don't seem to have a `/etc/shadow`; instead, they do a `/etc/master.passwd`, where the second entry is the password hash in crypt format. The "shadowing" happens by writing a redacted version of the file as `/etc/passwd`, which has no hash.
`getpwnam()` tells you the hashed password in the returned struct as long as the invoker is root. Otherwise it would read the redacted version. NetBSD 9.3 is the same, as far as the manual goes. The behavior seems to be the same down to 4.3BSD NET/2; presumably that's what every BSD does, except for OpenBSD (see below).

* OpenBSD requires the program to call `getpwnam_shadow()` to get the same effect as FreeBSD's `getpwnam()`.

(I'm just reading the manuals.)
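An added example, not ssh3's code: a CGO-free `userPasswordAuthentication()` in Go built on the `master.passwd(5)` layout described in the comment above. It parses the ten-field format and refuses the redacted seven-field `/etc/passwd` form (whose password field is just `*`), rejects `*`, `*LOCKED*` and empty password fields instead of treating them as verifiable hashes, and verifies `$6$` SHA-512 crypt strings (FreeBSD's default scheme) with a pure-Go SHA-crypt implementation, comparing in constant time. OpenBSD's `$2b$` bcrypt is refused as unsupported rather than failed open. All function names, sentinel errors and the sample file content are this example's own assumptions; alice's hash is the SHA-crypt specification's published test vector for the password "Hello world!".

```go
package main

import (
	"bytes"
	"crypto/sha512"
	"crypto/subtle"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Function names and sentinel errors below are this example's own assumptions.
var (
	ErrNoUser      = errors.New("no such user")
	ErrLocked      = errors.New("account is locked or has no password")
	ErrUnsupported = errors.New("unsupported crypt(3) scheme")
)

// parseMasterPasswd maps user -> crypt(3) string from master.passwd(5) text
// (ten fields: name:hash:uid:gid:class:change:expire:gecos:home:shell). The
// seven-field redacted /etc/passwd form has "*" where the hash belongs and is
// refused, so the server can never "verify" a password against an asterisk.
func parseMasterPasswd(text string) (map[string]string, error) {
	db := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(line, ":")
		if len(f) == 7 {
			return nil, errors.New("passwd(5) input carries no hashes; read master.passwd(5)")
		}
		if len(f) != 10 {
			return nil, fmt.Errorf("malformed master.passwd line %q", line)
		}
		db[f[0]] = f[1]
	}
	return db, nil
}

const cryptB64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

// sha512Crypt is a pure-Go SHA-crypt ("$6$") digest following Drepper's
// reference algorithm, so no CGO call to crypt(3) is needed. Salt is at most 16 bytes.
func sha512Crypt(pw, salt []byte, rounds int) []byte {
	if len(salt) > 16 {
		salt = salt[:16]
	}
	sum := func(parts ...[]byte) []byte {
		h := sha512.New()
		for _, p := range parts {
			h.Write(p)
		}
		return h.Sum(nil)
	}
	fit := func(d []byte, n int) []byte { return bytes.Repeat(d, n/64+1)[:n] } // cycle d to n bytes
	dB := sum(pw, salt, pw)
	in := [][]byte{pw, salt, fit(dB, len(pw))}
	for n := len(pw); n > 0; n >>= 1 { // per bit of len(pw): 1 adds B, 0 adds pw
		if n&1 != 0 { in = append(in, dB) } else { in = append(in, pw) }
	}
	dA := sum(in...)
	p := fit(sum(bytes.Repeat(pw, len(pw))), len(pw))          // P bytes
	s := fit(sum(bytes.Repeat(salt, 16+int(dA[0]))), len(salt)) // S bytes
	for i := 0; i < rounds; i++ {
		first, last := dA, p
		if i&1 != 0 { first, last = p, dA }
		in = [][]byte{first}
		if i%3 != 0 { in = append(in, s) }
		if i%7 != 0 { in = append(in, p) }
		dA = sum(append(in, last)...)
	}
	return dA
}

// encodeSHA512 applies SHA-crypt's output permutation and crypt(3)'s base64 alphabet.
func encodeSHA512(d []byte) string {
	var sb strings.Builder
	emit := func(w uint32, n int) {
		for ; n > 0; n-- { sb.WriteByte(cryptB64[w&0x3f]); w >>= 6 }
	}
	for i := 0; i < 21; i++ { // triples (i, i+21, i+42) rotated by i%3, as in the reference
		a, b, c := i, i+21, i+42
		if i%3 == 1 { a, b, c = b, c, a } else if i%3 == 2 { a, b, c = c, a, b }
		emit(uint32(d[a])<<16|uint32(d[b])<<8|uint32(d[c]), 4)
	}
	emit(uint32(d[63]), 2)
	return sb.String()
}

// verifySHA512Crypt checks password against "$6$[rounds=N$]salt$hash" in constant
// time; other schemes (OpenBSD's "$2b$" bcrypt, "$1$" MD5) are refused, never failed open.
func verifySHA512Crypt(stored, password string) (bool, error) {
	if !strings.HasPrefix(stored, "$6$") {
		return false, ErrUnsupported
	}
	rest, rounds := stored[3:], 5000
	if strings.HasPrefix(rest, "rounds=") {
		n, tail, _ := strings.Cut(rest[7:], "$")
		v, err := strconv.Atoi(n)
		if err != nil || tail == "" || v < 1000 || v > 999999999 {
			return false, errors.New("malformed rounds= field")
		}
		rest, rounds = tail, v
	}
	salt, want, ok := strings.Cut(rest, "$")
	if !ok {
		return false, errors.New("malformed $6$ hash")
	}
	got := encodeSHA512(sha512Crypt([]byte(password), []byte(salt), rounds))
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1, nil
}

// userPasswordAuthentication is the function the thread asks for, fed an
// already-parsed database (reading /etc/master.passwd itself requires root).
func userPasswordAuthentication(db map[string]string, user, password string) (bool, error) {
	hash, ok := db[user]
	if !ok {
		return false, ErrNoUser
	}
	// "*" or "*LOCKED*..." means no password login; "" means no password at all,
	// which a network service must not turn into "any password is accepted".
	if hash == "" || hash[0] == '*' {
		return false, ErrLocked
	}
	return verifySHA512Crypt(hash, password)
}

// sampleMasterPasswd is constructed for this example; alice's hash is the
// SHA-crypt specification's published test vector for "Hello world!".
const sampleMasterPasswd = `root:*:0:0::0:0:Charlie &:/root:/bin/sh
alice:$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI68u4OTLiBFdcbYEdFCoEOfaS35inz1:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$2b$10$constructed.placeholder.not.a.real.bcrypt.hash:1003:1003::0:0:Carol:/home/carol:/bin/sh
`

func main() {
	db, err := parseMasterPasswd(sampleMasterPasswd)
	if err != nil {
		panic(err)
	}
	fmt.Println(userPasswordAuthentication(db, "alice", "Hello world!"))
}
```

Two things a server built on this would still need: the `/etc/master.passwd` read has to happen as root or through a privileged helper, exactly as the comment says for `getpwnam()`, and the unknown-user path should run a dummy hash computation so that the response time does not reveal which usernames exist.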
For OpenBSD the proper interface would be the "BSD Authentication" system, either with the `auth_open(3)` interface as used by OpenSSH, or the simplified `auth_approval(3)`.
Unlike `getpwnam_shadow()`, these handle alternative methods of storing passwords (LDAP, YP) and other auth mechanisms including OTP. Also they don't require that the process is able to read the shadow password database itself.
There does not seem to be any *BSD (FreeBSD, NetBSD, etc.) support. Need any help?