Authentication

VernisOS uses SHA-256 hashing for credential storage and token-based authentication for the web admin panel. All authentication events are recorded in the audit log.

Login Flow

text
1. User enters username + password
2. Kernel looks up user in credential store
3. Password is hashed with SHA-256
4. Hash is compared against stored hash
5. On match: session created, capabilities assigned
6. On failure: audit event logged, trust score decremented

Web Admin Authentication

The admin panel uses a token-based system. The token is set in your .env file (the ADMIN_TOKEN entry below, next to NEXT_PUBLIC_API_URL) and validated via the X-Admin-Token header.

bash
# .env.local
NEXT_PUBLIC_API_URL=http://localhost:3001
ADMIN_TOKEN=your-secret-admin-token-here

Password Storage

Passwords are never stored in plaintext. VernisOS uses SHA-256 with per-user salts:

c
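#include <stdbool.h>
#include <stdint.h>
#include <string.h>

// sha256() is declared elsewhere in VernisOS; the call below passes the
// salt, its length, the password, its length and the output buffer.

// Credential storage format
typedef struct {
    char     username[32];
    uint8_t  salt[16];           // Random per-user salt
    uint8_t  password_hash[32];  // SHA-256(salt + password)
    uint32_t capabilities;       // Bitmask of allowed caps
    uint32_t trust_score;        // AI-assigned trust level
} user_credential_t;

// Verification: hash the supplied password with the user's salt and
// compare the result against the stored hash.
bool verify_password(user_credential_t *user, const char *password) {
    uint8_t hash[32];
    sha256(user->salt, 16, password, strlen(password), hash);
    // Note: memcmp may return at the first differing byte, so its run
    // time can depend on how many leading bytes match.
    return memcmp(hash, user->password_hash, 32) == 0;
}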

Security Measures

No Plaintext

Passwords stored as SHA-256 hashes with unique salts

Failed Login Lockout

5 failed attempts → 30-second cooldown

Audit Trail

Every login attempt (success or failure) is SHA-256 logged

Trust Decay

Failed logins decrease the source process's trust score
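
The following C code is an added example, not VernisOS source: it implements steps 4 to 6 of the login flow with a constant-time digest comparison and the 5-failure, 30-second lockout listed above. The names lockout_state_t, digest_equal and login_attempt are hypothetical, and the counter resets are assumptions; hashing, audit logging and trust-score updates are left to the caller.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define HASH_LEN      32   /* SHA-256 digest size, as in user_credential_t */
#define MAX_FAILURES  5    /* from the page: 5 failed attempts */
#define COOLDOWN_SECS 30   /* from the page: 30-second cooldown */

typedef enum { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_LOCKED } login_result_t;

/* Hypothetical per-user lockout state; not a VernisOS structure. */
typedef struct {
    uint32_t failures;      /* consecutive failures since last success */
    uint64_t locked_until;  /* timestamp in seconds; 0 = not locked */
} lockout_state_t;

/* Compare two digests without an early exit, so the run time does not
 * reveal how many leading bytes matched. */
static bool digest_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps 4-6 of the login flow. `computed` is the salted SHA-256 of the
 * submitted password; `now` is injected so the logic can be tested. */
login_result_t login_attempt(lockout_state_t *st, const uint8_t *computed,
                             const uint8_t *stored, uint64_t now) {
    if (now < st->locked_until)
        return LOGIN_LOCKED;          /* reject before comparing anything */
    if (digest_equal(computed, stored, HASH_LEN)) {
        st->failures = 0;             /* assumption: success resets count */
        st->locked_until = 0;
        return LOGIN_OK;
    }
    if (++st->failures >= MAX_FAILURES) {
        st->locked_until = now + COOLDOWN_SECS;
        st->failures = 0;             /* assumption: fresh count afterwards */
    }
    return LOGIN_BAD_PASSWORD;
}
```

During the cooldown even a correct password returns LOGIN_LOCKED, so an attacker cannot use the lockout window to keep testing guesses.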