These docs are under active development.
§1.1 1 Introduction

Scope

This specification defines the Peios authentication subsystem: the processes, data, and protocols that turn a principal's credentials into a kernel token. It covers two daemons and the contracts between them:

  • authd — the authentication broker. authd holds SeTcbPrivilege and SeCreateTokenPrivilege, owns the client-facing socket, routes requests to the appropriate principal source, applies system policy, and is the sole userspace caller of the kernel token- and session-minting syscalls. authd holds no accounts and no stored secrets.
  • lpsd — the Local Principal Store. lpsd is the SQLite-backed database of local users, groups, and credentials for a standalone system. It is the reference principal source and the local analogue of a domain directory.

This specification covers:

  • The component split between authd, lpsd, and future domain sources, and the boundary (the "seam") between a source and the broker (§2)
  • The routing rule that decides whether an operation passes through authd or goes directly to a source (§2.2)
  • lpsd's principal model: entities, the SID namespace, the user and group records, the credential model, and the storage design (§3)
  • The resolved-principal contract a source returns to authd (§4)
  • The end-to-end authentication (logon) flow, the policy phase authd applies, and the session/token mint (§5)
  • The socket layout, the caller trust model, the request taxonomy, and the client wire protocol (§6)
  • First-boot bootstrap, first-admin seeding, and account administration (§7)
  • Features deferred to later versions (§8)

This specification does not cover:

  • Tokens, sessions, SIDs, security descriptors, privileges, integrity levels, impersonation, and the access check — PSD-004 (KACS). This specification consumes those primitives; it does not redefine them.
  • The registry, the RSI, and loregdPSD-005 (LCS), PSD-006 (loregd). The registry is configuration storage, not identity storage.
  • Boot orchestration, the SYSTEM-token handoff, and service supervision — PSD-007 (peinit). This specification defines authd's startup obligations but not how peinit launches or supervises it.
  • The KMES event and audit pipeline — PSD-003 (KMES). This specification names the events it emits; it does not define KMES.
  • CAAP distribution. authd's role in pushing central access policies into the kernel cache is deferred (§8) and is not specified here.
  • Domain join, Active Directory integration, and Kerberos — deferred (§8). The domain principal source (adpsd) is described only where it constrains the source-neutral contracts.
§1.2 1 Introduction

Terminology

Terms defined in PSD-004 (token, primary token, impersonation token, logon session, auth_id, SID, RID, security descriptor (SD), DACL, privilege, integrity level, logon SID, SeTcbPrivilege, SeCreateTokenPrivilege) are used here with the same meaning and are not redefined. Terms defined in PSD-006 (hive, registry source) and PSD-007 (the SYSTEM bootstrap token, the boot handoff) are likewise used as defined.

This specification defines the following terms.

  • authd — the authentication broker daemon (§2.1).
  • lpsd — the Local Principal Store daemon; the reference principal source (§2.1, §3).
  • adpsd — the (deferred) domain principal source that fronts Active Directory; named only where it constrains source-neutral contracts.
  • Principal source (or source) — a process that authoritatively verifies credentials for, and resolves the identity of, some set of principals. lpsd and adpsd are sources. A source occupies a fixed structural role behind authd's router.
  • Source registry — the directory of source sockets under which each source registers itself so authd can discover and connect to it (§6.1).
  • Brokerauthd, in its role as the privileged intermediary that applies policy and mints tokens. "The broker" and "authd" are interchangeable.
  • Resolved principal — the PAC-shaped record a source returns to authd on successful verification: the principal's SID, its namespace-expanded group SIDs, its source-native claims, and its account state (§4).
  • Credential — material a caller presents to prove identity (for this version, a password). A transient credential is the material in flight during a logon; a verifier is the stored value a source checks it against (for this version, an argon2id hash).
  • Logon — a single authentication event. A successful logon creates exactly one logon session and at least one token.
  • Source-transparent operation — an operation that MUST behave identically regardless of which source backs the principal (authentication, ChangePassword, self-service). Source-transparent operations pass through authd (§2.2).
  • Source-shaped operation — an operation whose form legitimately differs between sources (account and group administration, policy). Source-shaped operations go directly to a source (§2.2).
  • Domain object — the single lpsd record holding the machine SID, the RID counter, and the password/lockout policy (§3.1).
  • Policy phase — the stage in which authd, after a source verifies a principal, applies system policy (group merge, privilege assignment, logon-rights gate, integrity level, token shaping) before minting (§5.2).
§1.3 1 Introduction

Conventions

This specification conforms to PSD-001.

This specification uses the normative keywords MUST, MUST NOT, SHOULD, SHOULD NOT, and MAY per RFC 2119.

Binary fields are little-endian unless stated otherwise, matching the KACS wire formats of PSD-004. Strings on the wire are UTF-8 and are length-prefixed, never NUL-terminated.

SIDs are written in the S-R-I-S… string form for readability; their binary encoding is defined by PSD-004 §2 and is the form actually transmitted and stored. RID constants are written in decimal.

SQL examples use SQLite syntax with SQLite type affinity (INTEGER, TEXT, BLOB, REAL). As in PSD-006, the schema is normative but the exact DDL is illustrative: an implementation MUST preserve the columns and constraints described, but MAY differ in incidental syntax.

Pseudocode and message-sequence descriptions are illustrative. Where prose and pseudocode disagree, the prose is normative.

authd and lpsd are specified to be implemented in Rust against the peios crate's KACS bindings (PSD-004) and, for lpsd, SQLite via a bundled (statically compiled) SQLite library. The language and library choices are recorded for implementers; they are not themselves normative requirements of the subsystem's behaviour.

Where this specification names a KACS syscall, security descriptor, token field, or privilege, PSD-004 is authoritative for its semantics; this document is authoritative only for how authd and lpsd use it.

§1.4 1 Introduction

Prior Art

The Peios authentication subsystem is modelled on the Windows security architecture, with deliberate divergences. This section records the parity mapping and the divergences, and notes the standards adopted.

§1.4.1 Windows parity

Peios Windows analogue Notes
authd LSASS Broker that loads authentication results and mints tokens. Holds the TCB privilege.
lpsd the local SAM The standalone account/credential store.
adpsd (deferred) AD via lsass over Kerberos/NTLM Domain principal source.
Resolved principal (§4) the PAC (PAC_LOGON_INFO + claims) Source-to-broker authorization identity.
Policy phase (§5.2) LSASS token assembly + LSA policy Privilege/rights assignment, integrity level, local-group merge.
Logon types Windows logon types Values are shared with PSD-004.

The central structural decision — that the source owns credential verification and namespace group expansion, while the broker owns local/system policy and minting — is taken directly from Windows, where even a domain logon's final token is assembled by the member machine's LSASS layering local policy over the KDC-signed PAC. This boundary (§2.2) is what keeps lpsd and a future AD source interchangeable.

§1.4.2 Deliberate divergences

  • Credential storage. Windows stores the unsalted NT hash (MD4) and, on a DC, Kerberos keys. Peios stores neither for a member system. lpsd uses argon2id verifiers (§3.3). This is safe because the credential format never crosses the source/broker seam (§2.2): the broker is credential-agnostic, so the source is free to use a modern, memory-hard verifier without affecting interoperability.
  • Local store shape. The Windows SAM and AD share the security-principal data model but not the directory machinery. lpsd adopts the data model (SIDs, RIDs, well-known principals, account-control flags, group semantics) but is a flat, RID-keyed store, not an LDAP/X.500 directory. It has no DIT, distinguished names, organisational units, schema engine, or replication (§3).
  • Source-to-broker contract. The contract is PAC-isomorphic (§4): information-equivalent to the Windows PAC but a clean, versioned, signature-free format, because the source/broker hop is a trusted local IPC rather than an untrusted network hop. A domain source verifies a real PAC's signatures and then translates into this format.
  • Routing by transparency. Windows routes account administration to the directory (SAMR/LDAP) and authentication to LSASS. Peios generalises this into an explicit rule (§2.2): operations that MUST be source-transparent pass through the broker; source-shaped operations go direct.

§1.4.3 Standards

  • RFC 2119 — normative keywords (§1.3).
  • argon2id — the password verifier (§3.3), per the Argon2 password hashing specification; parameters are policy (§3.4).
  • The KACS syscall and wire-format contracts of PSD-004token, session, peer-token, and impersonation primitives. Where this specification and PSD-004 disagree, PSD-004 is correct.