Archived view of posixcafe.org › blogs › tlsclient.gem, captured on 2021-12-17 at 13:26:06.


Standalone UNIX tlsclient(1)

source

Recently I have been working on pulling out the authentication parts of drawterm in order to make the code a bit more 'standalone'. The result of this work has been a portable unix tlsclient.

Drawterm

Drawterm is the program used for accessing plan9 machines from your favorite non-plan9 OS. It is functionally a plan9 kernel that runs within the userspace of another OS, together with a port of a decent chunk of the C stdlib. As the name alludes, the biggest use for this is getting a remote graphical session into a plan9 machine, and for that purpose it works great. However, as one can imagine, with all of that code included it becomes a bit difficult to make use of only parts of it, namely because the userspace kernel puts everything in a weird state. So a slight refactor for a different use case was required.

9front TLS auth

It is probably also worth mentioning how exactly TLS plays into the equation here. 9front makes use of the TLS extension for PSK (pre-TLS 1.3), in which the PSK is negotiated between the client/server and the auth server individually. This makes arbitrary authenticated services easy: simply wrapping a program with tlssrv -a gives you a guarantee that whatever comes next in the exec chain has been properly authenticated. The 9front rcpu(1) program uses exactly this setup.

tlsclient(1)

As the name suggests, tlsclient is a client capable of doing this auth negotiation and then setting up the client side of the TLS connection. The unix port of the code does exactly this, using the drawterm stdlib port along with OpenSSL to replace the kernel TLS device. This modularity allows it to be used with things like Ori's hjgit protocol, as well as providing a more lightweight interface for doing 9front auth from unix. As a simple example, the code includes a PAM module that will defer to 9front for user authentication.