9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] ssh host key
@ 2007-07-27 13:07 erik quanstrom
  2007-07-27 14:29 ` andrey mirtchovski
From: erik quanstrom @ 2007-07-27 13:07 UTC (permalink / raw)
  To: 9fans

the sshserve(1) (sic.) man page mentions how to generate a host
key on-the-fly, but doesn't mention where to store the key.

where is the recommended place to stash that key?

- erik



* Re: [9fans] ssh host key
  2007-07-27 13:07 [9fans] ssh host key erik quanstrom
@ 2007-07-27 14:29 ` andrey mirtchovski
  2007-07-27 14:34   ` andrey mirtchovski
From: andrey mirtchovski @ 2007-07-27 14:29 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

put it in the hostowner's secstore where factotum will pick it up
every time the machine boots. let me know if you need an example.

On 7/27/07, erik quanstrom <quanstro@coraid.com> wrote:
> the sshserve(1) (sic.) man page mentions how to generate a host
> key on-the-fly, but doesn't mention where to store the key.
>
> where is the recommended place to stash that key?
>
> - erik
>



* Re: [9fans] ssh host key
  2007-07-27 14:29 ` andrey mirtchovski
@ 2007-07-27 14:34   ` andrey mirtchovski
  2007-07-27 15:41     ` erik quanstrom
  2007-07-27 16:27     ` erik quanstrom
From: andrey mirtchovski @ 2007-07-27 14:34 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

sorry, i wasn't clear. factotum won't pick up the file from secstore
by itself because secstored isn't started by the time the hostowner's
factotum starts, so you'll have to do it by yourself. this is a
typical cpurc for a cpu server running ssh:

	auth/secstored
	auth/secstore -n -G factotum > /mnt/factotum/ctl

with the host key in the factotum file, of course.

andrey

On 7/27/07, andrey mirtchovski <mirtchovski@gmail.com> wrote:
> put it in the hostowner's secstore where factotum will pick it up
> every time the machine boots. let me know if you need an example.
>
> On 7/27/07, erik quanstrom <quanstro@coraid.com> wrote:
> > the sshserve(1) (sic.) man page mentions how to generate a host
> > key on-the-fly, but doesn't mention where to store the key.
> >
> > where is the recommended place to stash that key?
> >
> > - erik
> >
>



* Re: [9fans] ssh host key
  2007-07-27 14:34   ` andrey mirtchovski
@ 2007-07-27 15:41     ` erik quanstrom
  2007-07-27 16:27     ` erik quanstrom
From: erik quanstrom @ 2007-07-27 15:41 UTC (permalink / raw)
  To: 9fans

heh.  this is exactly the dance i was worried about.
for some reason, i didn't notice the -n option to 
secstore.

alles klar.

- erik



* Re: [9fans] ssh host key
  2007-07-27 14:34   ` andrey mirtchovski
  2007-07-27 15:41     ` erik quanstrom
@ 2007-07-27 16:27     ` erik quanstrom
  2007-07-27 16:33       ` Francisco J Ballesteros
  2007-07-27 16:37       ` andrey mirtchovski
From: erik quanstrom @ 2007-07-27 16:27 UTC (permalink / raw)
  To: 9fans

i get this error

	ladd# auth/secstore -nG factotum
	ladd# echo $status
	secstore 1517: invalid password in nvram

however if i do it this way, it works:

	ladd# auth/secstore -G factotum
	secstore password: <same password entered>
	secstore
	<keys printed here>

i have a longish password, but it doesn't exceed ANAMELEN.
does nvram truncate the password?  are there any magic characters
which must be avoided?

- erik



* Re: [9fans] ssh host key
  2007-07-27 16:27     ` erik quanstrom
@ 2007-07-27 16:33       ` Francisco J Ballesteros
  2007-07-27 16:37       ` andrey mirtchovski
From: Francisco J Ballesteros @ 2007-07-27 16:33 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

I don't know about len limits, but mine has really weird characters and
works fine in nvram. This may seem silly, but, have you checked out that
your password in nvram is indeed ok? [that was a mistake I made]
You could try after rewriting it.

On 7/27/07, erik quanstrom <quanstro@coraid.com> wrote:
> i get this error
>
>         ladd# auth/secstore -nG factotum
>         ladd# echo $status
>         secstore 1517: invalid password in nvram
>
> however if i do it this way, it works:
>
>         ladd# auth/secstore -G factotum
>         secstore password: <same password entered>
>         secstore
>         <keys printed here>
>
> i have a longish password, but it doesn't exceed ANAMELEN.
> does nvram truncate the password?  are there any magic characters
> which must be avoided?
>
> - erik
>



* Re: [9fans] ssh host key
  2007-07-27 16:27     ` erik quanstrom
  2007-07-27 16:33       ` Francisco J Ballesteros
@ 2007-07-27 16:37       ` andrey mirtchovski
  2007-07-27 16:40         ` Francisco J Ballesteros
From: andrey mirtchovski @ 2007-07-27 16:37 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

invalidate the nvram first and make sure you set the secstore password
correctly to the one that you have set for hostowner's user in
secstored when it asks you on the next reboot. if you have done
already then simply cat the nvram partition: you should be able to see
it in full and in plain text and see if it's truncated.

if the system and secstore passwords are different for hostowner
perhaps there may be a bug in parsing the nvram. they are the same
around here so i've never tested that condition.

On 7/27/07, erik quanstrom <quanstro@coraid.com> wrote:
> i get this error
>
>         ladd# auth/secstore -nG factotum
>         ladd# echo $status
>         secstore 1517: invalid password in nvram
>
> however if i do it this way, it works:
>
>         ladd# auth/secstore -G factotum
>         secstore password: <same password entered>
>         secstore
>         <keys printed here>
>
> i have a longish password, but it doesn't exceed ANAMELEN.
> does nvram truncate the password?  are there any magic characters
> which must be avoided?
>
> - erik
>



* Re: [9fans] ssh host key
  2007-07-27 16:37       ` andrey mirtchovski
@ 2007-07-27 16:40         ` Francisco J Ballesteros
  2007-07-27 16:57           ` erik quanstrom
  2007-07-27 17:08           ` geoff
From: Francisco J Ballesteros @ 2007-07-27 16:40 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

>
> if the system and secstore passwords are different for hostowner
> perhaps there may be a bug in parsing the nvram. they are the same
> around here so i've never tested that condition.

We use different passwords for system and secstore, and it works just fine.



* Re: [9fans] ssh host key
  2007-07-27 16:40         ` Francisco J Ballesteros
@ 2007-07-27 16:57           ` erik quanstrom
  2007-07-27 17:03             ` Francisco J Ballesteros
  2007-07-27 17:08           ` geoff
From: erik quanstrom @ 2007-07-27 16:57 UTC (permalink / raw)
  To: 9fans

> I don't know about len limits, but mine has really weird characters and
> works fine in nvram. This may seem silly, but, have you checked out that
> your password in nvram is indeed ok? [that was a mistake I made]
> You could try after rewriting it.

well, the password does authenticate with the fs and
i did use auth/wrkey to rewrite it, just in case.

- erik



* Re: [9fans] ssh host key
  2007-07-27 16:57           ` erik quanstrom
@ 2007-07-27 17:03             ` Francisco J Ballesteros
  2007-07-27 17:22               ` erik quanstrom
From: Francisco J Ballesteros @ 2007-07-27 17:03 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

And the secstore password?

On 7/27/07, erik quanstrom <quanstro@coraid.com> wrote:
> > I don't know about len limits, but mine has really weird characters and
> > works fine in nvram. This may seem silly, but, have you checked out that
> > your password in nvram is indeed ok? [that was a mistake I made]
> > You could try after rewriting it.
>
> well, the password does authenticate with the fs and
> i did use auth/wrkey to rewrite it, just in case.
>
> - erik
>



* Re: [9fans] ssh host key
  2007-07-27 16:40         ` Francisco J Ballesteros
  2007-07-27 16:57           ` erik quanstrom
@ 2007-07-27 17:08           ` geoff
  2007-07-27 17:21             ` erik quanstrom
From: geoff @ 2007-07-27 17:08 UTC (permalink / raw)
  To: 9fans

The NVRAM secstore password is limited to 14 bytes; see Nvrsafe in
<authsrv.h>.

The other passwords are DES-encrypted into 7-byte keys for storage in
NVRAM.  See libauthsrv/passtokey.c for details.




* Re: [9fans] ssh host key
  2007-07-27 17:08           ` geoff
@ 2007-07-27 17:21             ` erik quanstrom
From: erik quanstrom @ 2007-07-27 17:21 UTC (permalink / raw)
  To: 9fans

i was just looking into that.  thanks.  we have a winner.

many thanks.  why is it called the "secstore key" and not the "secstore password"?

- erik



* Re: [9fans] ssh host key
  2007-07-27 17:03             ` Francisco J Ballesteros
@ 2007-07-27 17:22               ` erik quanstrom
From: erik quanstrom @ 2007-07-27 17:22 UTC (permalink / raw)
  To: 9fans

the length limit is actually 13 characters.  the field is 14 characters wide and
null terminated.

- erik
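The truncation geoff and erik pin down above (a 14-byte Nvrsafe config slot, NUL-terminated, so 13 usable characters) can be checked before a password is ever written with auth/wrkey. The following is an added example written for this page, not code from the thread or from the Plan 9 sources; it only borrows the CONFIGLEN value from authsrv.h, and the names nvram_store_secstore, secstore_pw_fits and SECSTOREMAX are its own.

```c
#include <stdio.h>
#include <string.h>

/* CONFIGLEN as in Plan 9's authsrv.h; SECSTOREMAX is this example's own name. */
enum {
	CONFIGLEN = 14,              /* size of Nvrsafe.config, the "secstore key" slot */
	SECSTOREMAX = CONFIGLEN - 1  /* usable characters once the NUL is stored */
};

/* Copy a secstore password into a CONFIGLEN-byte slot the way a NUL-terminated
 * field holds it; returns the number of characters that did not fit (0 if none). */
int
nvram_store_secstore(const char *pw, char slot[CONFIGLEN])
{
	size_t n = strlen(pw);
	size_t keep = n < SECSTOREMAX ? n : SECSTOREMAX;

	memset(slot, 0, CONFIGLEN);
	memcpy(slot, pw, keep);         /* slot[CONFIGLEN-1] always stays NUL */
	return (int)(n - keep);
}

/* 1 if what secstore -n would read back from nvram equals the password that
 * was typed, 0 if it would be silently truncated. Run this before auth/wrkey
 * rather than discovering the mismatch as an authentication failure at boot. */
int
secstore_pw_fits(const char *pw)
{
	char slot[CONFIGLEN];

	nvram_store_secstore(pw, slot);
	return strcmp(slot, pw) == 0;
}

int
main(void)
{
	/* constructed sample passwords, not real credentials */
	const char *pw[] = { "thirteen-char", "fourteen chars", "a much longer secstore pw" };
	char slot[CONFIGLEN];
	int i, lost;

	for(i = 0; i < 3; i++){
		lost = nvram_store_secstore(pw[i], slot);
		printf("%-26s fits=%d lost=%2d stored=\"%s\"\n",
			pw[i], secstore_pw_fits(pw[i]), lost, slot);
	}
	return 0;
}
```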


