+8

deno.json

··· 1 1 + { 2 2 + "tasks": { 3 3 + "dev": "deno run --watch src/main.ts" 4 4 + }, 5 5 + "imports": { 6 6 + "@std/assert": "jsr:@std/assert@1" 7 7 + } 8 8 + }

+36

native/src/nss_atpam.c

··· 1 1 + 2 2 + /* libnss_atpam – synthesise passwd entries for at(plc|web)-* names */ 3 3 + #define _GNU_SOURCE 4 4 + #include <errno.h> 5 5 + #include <nss.h> 6 6 + #include <pwd.h> 7 7 + #include <string.h> 8 8 + #include <stdlib.h> 9 9 + #include <stdio.h> 10 10 + #include <sys/types.h> 11 11 + 12 12 + static uid_t uid_for(const char *name) 13 13 + { 14 14 + return 2000 + (name[7]*31 + name[8]) % 30000; 15 15 + } 16 16 + 17 17 + enum nss_status _nss_atpam_getpwnam_r(const char *name, struct passwd *pw, 18 18 + char *buf, size_t buflen, int *err){ 19 19 + if (strncmp(name,"didplc-",6) && strncmp(name,"didweb-",6)) 20 20 + return NSS_STATUS_NOTFOUND; 21 21 + 22 22 + pw->pw_name = (char*)name; 23 23 + //pw->pw_uid = uid_for(name); 24 24 + pw->pw_uid = 60051; 25 25 + pw->pw_gid = 60050; /* must exist */ 26 26 + pw->pw_gecos= (char*)"atpam user"; 27 27 + pw->pw_dir = buf; 28 28 + pw->pw_shell= (char*)"/bin/bash"; 29 29 + int needed = snprintf(buf,buflen,"/home/%s",name); 30 30 + if ((size_t)needed>=buflen){ *err=ERANGE; return NSS_STATUS_TRYAGAIN;} 31 31 + return NSS_STATUS_SUCCESS; 32 32 + } 33 33 + enum nss_status _nss_atpam_getpwuid_r(uid_t uid, struct passwd *pw, 34 34 + char *buf, size_t buflen, int *err){ 35 35 + return NSS_STATUS_NOTFOUND; 36 36 + }

+68

native/src/pam_atpam.c

··· 1 1 + /* pam_atpam.c – talk to the atpam Unix-socket daemon (DEBUG build) */ 2 2 + #define PAM_SM_AUTH 3 3 + #include <security/pam_modules.h> 4 4 + #include <security/pam_ext.h> 5 5 + #include <stdio.h> 6 6 + #include <string.h> 7 7 + #include <unistd.h> 8 8 + #include <sys/socket.h> 9 9 + #include <sys/un.h> 10 10 + 11 11 + #define SOCK "/run/atpam.sock" 12 12 + 13 13 + PAM_EXTERN int 14 14 + pam_sm_authenticate(pam_handle_t *pamh, int flags, 15 15 + int argc, const char **argv) 16 16 + { 17 17 + const char *user = NULL, *pass = NULL; 18 18 + pam_get_user(pamh, &user, NULL); 19 19 + pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL); 20 20 + 21 21 + fprintf(stderr, "DEBUG pam_atpam: user=[%s] pass-len=%zu\n", 22 22 + user ? user : "(null)", pass ? strlen(pass) : 0); 23 23 + 24 24 + const char *field, *value; 25 25 + if (strchr(user, ':')) { 26 26 + field = "did"; value = user; 27 27 + } else if (strncmp(user, "didplc-", 7) == 0 || 28 28 + strncmp(user, "didweb-", 7) == 0) { 29 29 + field = "unix"; value = user; 30 30 + } else { 31 31 + field = "handle"; value = user; 32 32 + } 33 33 + fprintf(stderr, "DEBUG pam_atpam: chosen field=[%s] value=[%s]\n", field, value); 34 34 + 35 35 + char json[512]; 36 36 + int n = snprintf(json, sizeof(json), 37 37 + "{\"%s\":\"%s\",\"password\":\"%s\"}", 38 38 + field, value, pass ? pass : ""); 39 39 + fprintf(stderr, "DEBUG pam_atpam: sending %.*s\n", n, json); 40 40 + 41 41 + int fd = socket(AF_UNIX, SOCK_STREAM, 0); 42 42 + if (fd < 0) { perror("socket"); return PAM_AUTH_ERR; } 43 43 + 44 44 + struct sockaddr_un addr = { .sun_family = AF_UNIX }; 45 45 + strncpy(addr.sun_path, SOCK, sizeof(addr.sun_path) - 1); 46 46 + 47 47 + if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { 48 48 + perror("connect"); 49 49 + close(fd); 50 50 + return PAM_AUTH_ERR; 51 51 + } 52 52 + fprintf(stderr, "DEBUG pam_atpam: connected to %s\n", SOCK); 53 53 + 54 54 + if (write(fd, json, n) != n) { perror("write"); close(fd); return PAM_AUTH_ERR; } 55 55 + 56 56 + n = read(fd, json, sizeof(json) - 1); 57 57 + close(fd); 58 58 + if (n <= 0) { perror("read"); return PAM_AUTH_ERR; } 59 59 + json[n] = '\0'; 60 60 + 61 61 + fprintf(stderr, "DEBUG pam_atpam: daemon replied [%s]\n", json); 62 62 + return strstr(json, "\"ok\":true") ? PAM_SUCCESS : PAM_AUTH_ERR; 63 63 + } 64 64 + 65 65 + PAM_EXTERN int 66 66 + pam_sm_setcred(pam_handle_t *pamh, int flags, 67 67 + int argc, const char **argv) 68 68 + { return PAM_SUCCESS; }

+102

src/main.ts

··· 1 1 + import { AtpAgent } from "https://esm.sh/@atproto/api@0.14?target=deno"; 2 2 + 3 3 + const SOCK = "/run/atpam.sock"; 4 4 + const PID = "/run/atpam.pid"; 5 5 + const DIDMAP = "/etc/atpam/dids.json"; 6 6 + const AT_ENDPOINT = "https://zio.blue"; // NOTE: hardcoded because lazy rn 7 7 + 8 8 + function exists(path: string): boolean { 9 9 + try { Deno.statSync(path); return true; } 10 10 + catch (e: any) { 11 11 + if (e instanceof Deno.errors.NotFound) return false; 12 12 + throw e; 13 13 + } 14 14 + } 15 15 + const loadMap = () => exists(DIDMAP) ? JSON.parse(Deno.readTextFileSync(DIDMAP)) : {}; 16 16 + const saveMap = (m: Record<string,string>) => 17 17 + Deno.writeTextFileSync(DIDMAP, JSON.stringify(m, null, 2)); 18 18 + 19 19 + const didToUnix = (did: string) => 20 20 + did.replace(/^did:/, "").replace(/:/g, "-").replace(/\./g, "-"); 21 21 + 22 22 + async function resolveCurrentHandle(did: string): Promise<string> { 23 23 + const [meth, id] = did.replace(/^did:/, "").split(":"); 24 24 + if (meth === "plc") { 25 25 + const doc = await fetch(`https://plc.directory/${did}`).then(r => r.json()); 26 26 + const aka = doc.alsoKnownAs?.find((s: string) => s.startsWith("at://")); 27 27 + return aka ? aka.slice(5) : "handle.invalid"; 28 28 + } else if (meth === "web") { 29 29 + const doc = await fetch(`https://${id}/.well-known/did.json`).then(r => r.json()); 30 30 + const aka = doc.alsoKnownAs?.find((s: string) => s.startsWith("at://")); 31 31 + return aka ? aka.slice(5) : "handle.invalid"; 32 32 + } 33 33 + return "handle.invalid"; 34 34 + } 35 35 + 36 36 + async function authenticate( 37 37 + cred: {handle?:string; did?:string; unix?:string; password:string} 38 38 + ): Promise<{ok:boolean; unixUser?:string; error?:string}> { 39 39 + const map = loadMap(); 40 40 + let did: string; 41 41 + 42 42 + if (cred.did) { 43 43 + did = cred.did; 44 44 + } else if (cred.unix) { 45 45 + const expand = (u: string): string | null => { 46 46 + if (u.startsWith("didplc-")) return "did:plc:" + u.slice(7); 47 47 + if (u.startsWith("didweb-")) return "did:web:" + u.slice(7).replace(/-/g, "."); 48 48 + return null; 49 49 + }; 50 50 + const exp = expand(cred.unix); 51 51 + if (!exp) return {ok:false, error:"Bad unix name"}; 52 52 + did = exp; 53 53 + } else if (cred.handle) { 54 54 + let cached = map[cred.handle]; 55 55 + if (!cached) { 56 56 + const u = new URL(`${AT_ENDPOINT}/xrpc/com.atproto.identity.resolveHandle`); 57 57 + u.searchParams.set("handle", cred.handle); 58 58 + const {did: resolved} = await fetch(u).then(r => r.json()); 59 59 + if (!resolved) return {ok:false, error:"Handle not found"}; 60 60 + cached = resolved; 61 61 + map[cred.handle] = cached; 62 62 + saveMap(map); 63 63 + } 64 64 + did = cached; 65 65 + } else { 66 66 + return {ok:false, error:"No identity provided"}; 67 67 + } 68 68 + 69 69 + const current = await resolveCurrentHandle(did); 70 70 + if (current === "handle.invalid") 71 71 + return {ok:false, error:"DID has no valid handle"}; 72 72 + 73 73 + const agent = new AtpAgent({service: AT_ENDPOINT}); 74 74 + //try { 75 75 + await agent.login({identifier:current, password:cred.password}); 76 76 + //} catch { 77 77 + // return {ok:false, error:"Auth failed"}; 78 78 + //} 79 79 + return {ok:true, unixUser: didToUnix(did)}; 80 80 + } 81 81 + 82 82 + /* ---------- socket server ---------- */ 83 83 + try { await Deno.remove(SOCK); } catch {} 84 84 + const listener = Deno.listen({ path: SOCK, transport: "unix" }); 85 85 + Deno.writeTextFileSync(PID, String(Deno.pid)); 86 86 + console.log(`atpam listening on ${SOCK} (PID ${Deno.pid})`); 87 87 + 88 88 + for await (const conn of listener) { 89 89 + (async () => { 90 90 + const buf = new Uint8Array(4096); 91 91 + const n = await conn.read(buf); 92 92 + if (!n) return conn.close(); 93 93 + //try { 94 94 + const cred = JSON.parse(new TextDecoder().decode(buf.slice(0, n))); 95 95 + const res = await authenticate(cred); 96 96 + await conn.write(new TextEncoder().encode(JSON.stringify(res))); 97 97 + //} catch { 98 98 + // await conn.write(new TextEncoder().encode(JSON.stringify({ok:false}))); 99 99 + //} 100 100 + conn.close(); 101 101 + })(); 102 102 + }