francoismichel / ssh3

SSH3: faster and rich secure shell using HTTP/3, checkout our article here: https://arxiv.org/abs/2312.08396 and our Internet-Draft: https://datatracker.ietf.org/doc/draft-michel-ssh3/
Apache License 2.0

BSD support? #65

Open keltia opened 9 months ago

keltia commented 9 months ago

There does not seem to be any *BSD (FreeBSD, NetBSD, etc.) support. Need any help?

francoismichel commented 9 months ago

I would love help on that.

There actually is now some kind of BSD support on the build_server_on_bsd branch, and if you want the binaries attached to that branch, they are already available in this pre-release. The price to pay now is that password-based authentication is disabled on the server on BSD systems, as it is handled differently than on Linux.

If someone can look into a counterpart of unix/unix_util/linux_user.go for BSD systems, that would help a lot. Basically we just need to implement the userPasswordAuthentication() function.

So we would need something like unix/unix_util/whateveryoulike_bsd_user.go implementing userPasswordAuthentication() that is used by the server.

It would be best to avoid using CGO as it is a pain and I am planning to remove any trace of CGO from SSH3.

francoismichel commented 9 months ago

FYI this is also extensively discussed (and progressively solved) in #18

Artoria2e5 commented 7 months ago

The major missing piece for userPasswordAuthentication on BSD is getspnam(). I think/hope pretty much everyone has getpwnam and crypt.

FreeBSD and OpenBSD don't seem to have a /etc/shadow; instead, they do a /etc/master.passwd, where the second entry is the password hash in crypt format. The "shadowing" happens by writing a redacted version of the file as /etc/passwd, which has no hash.

(I'm just reading the manuals.)
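As an added illustration of the master.passwd layout described above (example code written for this page, not part of ssh3): a CGO-free Go lookup of a user's crypt(3)-format hash from master.passwd content that refuses locked or empty hash fields and notices when it was handed the redacted /etc/passwd instead. The sample file content, the error names and the lookupCryptHash function are constructed for the example; checking a password against the returned hash still needs a crypt(3)-compatible implementation, which this snippet does not include.

```go
package main

import (
	"bufio"
	"errors"
	"strings"
)

// Constructed sample of master.passwd content (not taken from any real system).
// Layout: name:hash:uid:gid:class:change:expire:gecos:home:shell (10 fields)
const sampleMasterPasswd = `root:$2b$10$CONSTRUCTED.NOT.A.REAL.HASH:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$saltsalt$CONSTRUCTED.NOT.A.REAL.HASH:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob::1002:1002::0:0:Bob:/home/bob:/bin/sh
`

var (
	ErrNoSuchUser     = errors.New("no such user")
	ErrPasswordLocked = errors.New("no usable password hash for this account")
	ErrRedactedFile   = errors.New("7-field record: this is the redacted /etc/passwd, not master.passwd")
)

// lookupCryptHash returns the crypt-format hash field for user from master.passwd
// content. An empty or "*"-prefixed field means the account cannot authenticate
// by password; a 7-field record means the caller read the redacted /etc/passwd,
// where the hash is never present, so it fails loudly instead of returning "*".
func lookupCryptHash(content, user string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		fields := strings.Split(sc.Text(), ":")
		if fields[0] == "" || fields[0] != user {
			continue
		}
		if len(fields) == 7 {
			return "", ErrRedactedFile
		}
		if len(fields) != 10 {
			continue // malformed record: ignore rather than guess at a layout
		}
		hash := fields[1]
		if hash == "" || strings.HasPrefix(hash, "*") {
			return "", ErrPasswordLocked
		}
		return hash, nil
	}
	return "", ErrNoSuchUser
}
```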

sthen commented 7 months ago
* OpenBSD requires the program to call `getpwnam_shadow()` to get the same effect as FreeBSD's `getpwnam()`.

For OpenBSD the proper interface would be the "BSD Authentication" system, either with the auth_open(3) interface as used by OpenSSH, or the simplified auth_approval(3).

Unlike getpwnam_shadow() these handle alternative methods of storing passwords (LDAP, YP) and other auth mechanisms including OTP. Also they don't require that the process is able to read the shadow password database itself.