💾 Archived View for posixcafe.org › blogs › tlsclient.gem captured on 2022-06-11 at 20:51:46. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-17)
-=-=-=-=-=-=-
Recently I have been working on pulling out the authenticatoin parts of drawterm
in order to make the code a bit more 'standalone'. The result of this work has
been a portable unix tlsclient.
Drawterm is the program used for accessing plan9 machines from your favorite non-plan9 OS.
It functionally is a plan9 kernel that runs within the userspace of another OS, as well as
a port of a decent chunk of the c stdlib. As the name illudes the biggest use for this is
getting a remote graphical session in to a plan9 machine, and for that purpose it works great.
However, as one can imagine with including all that code it becomes a bit difficult to make use
of parts of it, namely the userspace kernel puts everything in a weird state. So a slight refactor
for a different use case was required.
It is probably also worth mentioning how exactly tls plays in to the equation here. 9front makes use of the
tls extension for PSK(pre tls1.3), in which the PSK is negotiated between the client/server and auth server
individually. This leads to a nice ease for arbitrary authenticated services, simply wrapping the program with
tlssrv -a will give you a gurantee that whatever comes next in the exec chain has been properly authenticated.
The 9front rcpu(1) program uses exact setup.
As the name suggests tlsclient is a client capable of doing this auth negotiation then setting up the client
aspect of the tls connection. The unix port of the code does exactly this, through using the drawterm stdlib
port along with openssl to replace the kernel tls device. The modularity of this allows for it to be used with
things like Ori's hjgit protocol along with providing a more light weight interface in doing 9front auth from unix.
As a simple example, the code includes a pam module that will defer to 9front for user authentication.