authorcinap_lenrek <cinap_lenrek@felloff.net>2016-02-13 17:24:59 +0100
committercinap_lenrek <cinap_lenrek@felloff.net>2016-02-13 17:24:59 +0100
commit24150b117110e982496b10c2f1dfef329160a36a (patch)
tree41a09116925df5900786f286758b7003f9dd95c0
parent3b835a1d2398b4ddfc590e24ff6f81f3051e6e61 (diff)
downloadplan9front-24150b117110e982496b10c2f1dfef329160a36a.tar.xz
tlssrv: add -A flag to skip changing user after authentication (usefull for aan)
-rw-r--r--sys/man/8/tlssrv8
-rw-r--r--sys/src/cmd/tlssrv.c8
2 files changed, 12 insertions, 4 deletions
diff --git a/sys/man/8/tlssrv b/sys/man/8/tlssrv
index 35285e045..5cb594174 100644
--- a/sys/man/8/tlssrv
+++ b/sys/man/8/tlssrv
@@ -8,7 +8,7 @@ tlssrv, tlsclient, tlssrvtunnel, tlsclienttunnel \- TLS server and client
.B -D
]
[
-.B -a
+.BR - [ aA ]
[
.B -k
.I keyspec
@@ -89,12 +89,16 @@ is by convention the same as for the target server.
is mainly used for logging.
If the
.B -a
+or
+.B -A
flag is specified,
.B p9any
authentication is run before the TLS handshake and the resulting
plan9 session secret is used as a pre-shared key for TLS encryption.
This enables the use of TLS without certificates and also runs
-the server command as the authorized user.
+the server command as the authorized user when the
+.B -a
+flag was specified.
.PP
.I Tlsclient
is the reverse of
diff --git a/sys/src/cmd/tlssrv.c b/sys/src/cmd/tlssrv.c
index 853e208d6..8e6812fda 100644
--- a/sys/src/cmd/tlssrv.c
+++ b/sys/src/cmd/tlssrv.c
@@ -32,7 +32,7 @@ reporter(char *fmt, ...)
void
usage(void)
{
- fprint(2, "usage: tlssrv [-a [-k keyspec]] [-c cert] [-D] [-l logfile] [-r remotesys] cmd [args...]\n");
+ fprint(2, "usage: tlssrv [-D] -[aA] [-k keyspec]] [-c cert] [-l logfile] [-r remotesys] cmd [args...]\n");
fprint(2, " after auth/secretpem key.pem > /mnt/factotum/ctl\n");
exits("usage");
}
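Review bot: The new usage string has unbalanced brackets: `-[aA]` sits outside any optional group and `[-k keyspec]]` closes a group that was never opened, so the synopsis reads as if one of -a/-A were mandatory. The old synopsis nested -k under -a, and the man page change in this commit writes the flags as `.BR - [ aA ]`, so something like `fprint(2, "usage: tlssrv [-D] [-aA [-k keyspec]] [-c cert] [-l logfile] [-r remotesys] cmd [args...]\n");` would match both.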
@@ -50,7 +50,10 @@ main(int argc, char *argv[])
debug++;
break;
case 'a':
- auth++;
+ auth = 1;
+ break;
+ case 'A':
+ auth = -1; /* authenticate, but dont change user */
break;
case 'k':
keyspec = EARGF(usage());
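Review bot: `auth` now carries three states (0, 1, -1), but the only explanation is the trailing comment on the `case 'A'` line, and -a and -A silently override each other, so whichever flag comes last on the command line decides whether the process changes user. Because that is a privilege decision, I would document it where `auth` is declared (outside this hunk), e.g. `/* 0: no p9any; 1: authenticate and change user (-a); -1: authenticate only (-A); last flag wins */`, or reject the combination through `usage()`. main's body continues outside the hunk.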
@@ -82,6 +85,7 @@ main(int argc, char *argv[])
if(ai == nil)
sysfatal("auth_proxy: %r");
+ if(auth == 1)
if(auth_chuid(ai, nil) < 0)
sysfatal("auth_chuid: %r");
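Review bot: The added `if(auth == 1)` guards the following `if(auth_chuid(ai, nil) < 0)` purely by statement nesting with no braces, which is easy to break if a line is later inserted between the two; `if(auth == 1 && auth_chuid(ai, nil) < 0)` expresses the same check in one condition. With -A the command keeps the identity tlssrv was started with, and in the visible lines the authenticated user held in `ai` is not recorded anywhere. A comment such as `/* -A: stay the starting user; ai only supplies the TLS pre-shared key */` and a log entry naming the authenticated user would help anyone auditing who connected. The enclosing block starts and ends outside the hunk.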