[9fans] Argh -- auth checklist?

[9fans] Argh -- auth checklist?

[Dorman, Eric]

> -----Original Message-----
> From: James A. Robinson [mailto:Jim.Robinson@stanford.edu]
> Sent: Wednesday, February 24, 1999 3:21 PM
[xxx]
> I've
> got an entry in /lib/ndb/local stating that il=ticket port=566.

heh heh heh.  One of the more annoying bugs :)

> If I try and telnet in as anyone other then none, instead of getting a
> challenge I immeditely get back a failure:
> 
>     ; telnet <myauthserver>
>     Connected to <myauthserver.stanford.edu>.
>     Escape character is '^]'.
>     user: jimr
>     authentication failure
>     Connection closed by foreign host.

I don't know whether the auth/keyfs stuff generates diagnostic
output in /sys/log/auth or somewhere... i know auth.srv puts
cryptic stuff there when terminal auth fails for some reason.

[xx]
> Jim

Eric Dorman
eric.l.dorman@cpmx.saic.com

[9fans] Argh -- auth checklist?

[Berry]

At 08:41 AM 2/25/99 +0000, steve.kilbane@ind.alstom.com wrote:
>On 24/02/99 23:38:37 forsyth wrote:
>
>> delightful nymphs will swoon in your company, etc.

>...which sounds more frustrating than anything else. :-)

Yeah, I hate it when that happens...

[9fans] Argh -- auth checklist?

[steve.kilbane]

On 24/02/99 23:38:37 forsyth wrote:

> delightful nymphs will swoon in your company, etc.

...which sounds more frustrating than anything else. :-)

[9fans] Argh -- auth checklist?

[Lucio]

According to Charles Forsyth:
> 
> i suspect there is a small step that's either easy to miss out
> or easy to insert (given extrasensory knowledge).  i've set up
> several plan9 systems several times without trouble, but there
> seems to be Some Thing that i inadvertently do right or others
> accidentally do wrong: too many other people have had trouble.
> 
Well, I managed to get the actual IP address into the encrypted auth 
server configuration thingy (I think it's a separate partition) and to 
this day I've been wondering how to change it.  Of course, I could 
browse throught the sources, but each time that would take longer than 
waiting for the AS to time out :-(

> >>itself is the authserver? I have to use 0.1.0.0 as the auth
> >>server IP address, or it won't boot up (the default says it
> 
> try setting the address in /lib/ndb/local for auth= should to the
> true IP address.  use 0.1.0.0 only for the prompt for auth server
> address during the bootstrap.  otherwise, it might well become confused.
> 
A simple check for a zero value would stop a lot of PANICs in the AS 
start up code.  It's _another_ of those things that are too easy, yet 
too difficult to fix :-(

I wonder if we can persuade Red Hat to audit the Plan 9 sources too :-)
Under the new Lucent licence terms, of course :-)  :-)  :-)

++L

PS:  Charles, are you waiting for some response from me on the 
3C905B-TX NICs, and if so, will you remind me what I can do to help 
progress on their drivers?

[9fans] Argh -- auth checklist?

[James]

> heh heh heh.  One of the more annoying bugs :)

It took me going back into the mail archive to figure out what you meant
here. =) I was just working through one of the many docs when I put that
line in way back when I was setting up the system at first. =)

> I don't know whether the auth/keyfs stuff generates diagnostic
> output in /sys/log/auth or somewhere... i know auth.srv puts
> cryptic stuff there when terminal auth fails for some reason.

There is a /sys/log/auth, but it doesn't print out anything when I try
and telnet in from a unix box. I find that if I telnet back into the
system when I'm at the console, I get a similar error:

    <myauthserver>% telnet <myauthserver>
    connected to tcp!<myauthserver>
    !telnet on /net/tcp/15
    user: jimr
    authentication failure

There is *one* entry from today: Feb 24 07:03 user response timed out,
but I'm not sure what attempt generated that error.


Jim

[9fans] Argh -- auth checklist?

[forsyth]

given the effort you've expended thus far,
i suppose i should add: thank you for your persistence,
you are helping to make the computing world a better place,
delightful nymphs will swoon in your company, etc.

[9fans] Argh -- auth checklist?

[forsyth]

>>Anyone have a checklist of things to check for setting up the auth stuff?

i suspect there is a small step that's either easy to miss out
or easy to insert (given extrasensory knowledge).  i've set up
several plan9 systems several times without trouble, but there
seems to be Some Thing that i inadvertently do right or others
accidentally do wrong: too many other people have had trouble.

>>itself is the authserver? I have to use 0.1.0.0 as the auth
>>server IP address, or it won't boot up (the default says it

try setting the address in /lib/ndb/local for auth= should to the
true IP address.  use 0.1.0.0 only for the prompt for auth server
address during the bootstrap.  otherwise, it might well become confused.

[9fans] Argh -- auth checklist?

[James]

Anyone have a checklist of things to check for setting up the auth
stuff? I must not have set something up correctly, for I find that I
cannot telnet into my plan9 system and get a securenet challenge. =(

I've got my user login in the plan9 db and the securenet db. If I run
"status" on my user name, it comes back with

    user jimr: plan 9 key status is ok and never expires
    jimr:       James A. Robinson HighWire Press <jim.robinson@stanford.edu>
    user jimr: network key status is ok and never expires
    user jimr: net key NNN NNN NNN NNN NNN NNN NNN NNN
    jimr:       James A. Robinson HighWire Press <jim.robinson@stanford.edu>

where NNN are actually sets of 3 numbers. I've got keyfs running on both
key sets from /bin/cpurc:
    
    auth/keyfs -m/mnt/keys /adm/keys
    auth/keyfs -m/mnt/netkeys /adm/netkeys

Both /mnt/keys and /mnt/netkeys have directory 'jimr' and the info I can
get at inside them seem to indicate it is ok... Ummm, let's see. I've
got an entry in /lib/ndb/local stating that il=ticket port=566.

If I try and telnet in as anyone other then none, instead of getting a
challenge I immeditely get back a failure:

    ; telnet <myauthserver>
    Connected to <myauthserver.stanford.edu>.
    Escape character is '^]'.
    user: jimr
    authentication failure
    Connection closed by foreign host.

Sigh... I don't understand whether or not /lib/ndb/auth
is used for remote connections (I would think no, but...),
and I'm not sure what the fAQ means with the statement

    also: /lib/ndb/auth
    in /lib/ndb/local: 9P=auth

I'm missing something, but I have no idea what. =( I'm 
wondering if maybe the authserver doesn't realize that it
itself is the authserver? I have to use 0.1.0.0 as the auth
server IP address, or it won't boot up (the default says it
is 0.0.0.0, which crashes the system).


Jim