9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] how do you usually deal with new users and secstore?
@ 2003-09-07 17:20 mirtchov
  2003-09-07 18:26 ` Eric Grosse
  0 siblings, 1 reply; 9+ messages in thread
From: mirtchov @ 2003-09-07 17:20 UTC (permalink / raw)
  To: 9fans

when adding new users to the system is it better to create their
secstore account immediately after the auth one and have them change
their password on both the auth server and secstore at the same time?
or is it better to let them know they can ask you for it when they
really need it?

if the former, can we add secstore as an option to auth/changeuser
('create secstore account [y/n]?')?

i can see why one wants to keep secstore passwords separate (and
different) from the auth/keyfs one, but what's a good practice for
educating the users?

andrey





* Re: [9fans] how do you usually deal with new users and secstore?
From: Eric Grosse @ 2003-09-07 18:26 UTC (permalink / raw)
  To: 9fans


I create a secstore account immediately for new users and set
their p9sk1 password to a string with, say, 80 bits of entropy
so brute-force attack on sniffed challenge/response packets is
infeasible.  When creating the initial secstore factotum file,
I encourage the new user to install an RSA key as well, for
ssh to remote systems without having to type any more passwords.

There are other internal procedures we're adjusting here
at the Labs before making this a builtin option.

Eric

mirtchov@cpsc.ucalgary.ca wrote:
> when adding new users to the system is it better to create their
> secstore account immediately after the auth one and have them change
> their password on both the auth server and secstore at the same time?
> or is it better to let them know they can ask you for it when they
> really need it?
>
> if the former, can we add secstore as an option to auth/changeuser
> ('create secstore account [y/n]?')?
>
> i can see why one wants to keep secstore passwords separate (and
> different) from the auth/keyfs one, but what's a good practice for
> educating the users?
>
> andrey



* Re: [9fans] how do you usually deal with new users and secstore?
From: mirtchov @ 2003-09-07 18:38 UTC (permalink / raw)
  To: 9fans

> I create a secstore account immediately for new users and set
> their p9sk1 password to a string with, say, 80 bits of entropy
> so brute-force attack on sniffed challenge/response packets is
> infeasible.  When creating the initial secstore factotum file,
> I encourage the new user to install an RSA key as well, for
> ssh to remote systems without having to type any more passwords.

such a huge password would be impossible to use in our environment,
where we don't have any other means of proving who a user is -- people
logging in with drawterm can't be expected to remember an 80-character
string, especially a random one...

am I missing something?  i can't see how one can get access to
secstore without first having done a p9sk1 authentication..

on a different topic -- what is the syntax for an rsa key?  i'm
currently using a secstore entry (on a per-user, per-machine basis)
for remote ssh connections similar to:

	key proto=pass server=some.machine service=ssh user=andrey ...

andrey





* Re: [9fans] how do you usually deal with new users and secstore?
From: Eric Grosse @ 2003-09-07 19:07 UTC (permalink / raw)
  To: 9fans

> such a huge password would be impossible to use in our environment,

Yes, such considerations are the reason this is not the default.
I hope someday we can get factotum integrated well enough into
Linux and Windows that you won't feel that way.

> logging in with drawterm can't be expected to remember an 80-character

I thought drawterm's time had passed and people were migrating
to VNC or VMware.  If not, then its security should certainly
be improved (as has been recently discussed).  One item could be
borrowing the code from factotum for getting keys.   By the way,
it's not an 80 character password---just enough randomness for
your environment, packed base64.  60 bits = 10 bytes might be enough.

> on a different topic -- what is the syntax for an rsa key?

It is what you get out of:
    auth/rsagen > ssh.secret.factotum
and should be added to your secstore factotum file.  You then
    auth/rsa2ssh ssh.secret.factotum > ssh.public
and "cat ssh.public >> .ssh/authorized_keys" on your Unix server.
I feel comfortable using the same ssh.public on remote university
accounts, but wouldn't want to use a single password everywhere.

Eric



* Re: [9fans] how do you usually deal with new users and secstore?
From: Dan Cross @ 2003-09-07 19:13 UTC (permalink / raw)
  To: 9fans

mirtchov@cpsc.ucalgary.ca writes:
> Eric wrote:
> > I create a secstore account immediately for new users and set
> > their p9sk1 password to a string with, say, 80 bits of entropy
                                                ^^^^^^^
> > so brute-force attack on sniffed challenge/response packets is
> > infeasible.  When creating the initial secstore factotum file,
> > I encourage the new user to install an RSA key as well, for
> > ssh to remote systems without having to type any more passwords.
>
> such a huge password would be impossible to use in our environment,
> where we don't have any other means of proving who a user is -- people
> logging in with drawterm can't be expected to remember an 80-character
                                                            ^^^^^^^^^^^^
> string, especially a random one...
>
> am I missing something?

Yeah; you're confusing bits with bytes.  If each character contributed
eight bits to the entropy of a password, then a password with 80 bits
of entropy would be only 10 bytes long; much more manageable than an 80
character password.  :-)

Of course, in reality it takes a bit more, but not 80 characters.

	- Dan C.
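The arithmetic behind Eric's "packed base64" suggestion and Dan's bits-versus-bytes correction, as an added example that is not part of the thread: it computes how many characters of a given alphabet are needed to carry a target number of entropy bits, generates such a password from the OS random source, and estimates how long an offline brute-force search of sniffed challenge/response traffic would take at an assumed guess rate. The guess rate and the use of Python's `secrets` module are assumptions of this example; the thread itself names only Plan 9 tools.

```python
import base64
import math
import secrets
import string

# Alphabet produced by standard base64 encoding (padding stripped).
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/"


def chars_needed(target_bits: int, alphabet_size: int) -> int:
    """Smallest password length over an alphabet of the given size
    that carries at least target_bits of entropy when chosen uniformly."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def random_base64_password(target_bits: int) -> str:
    """Random bytes carrying at least target_bits of entropy, packed as
    base64 with the '=' padding removed (the style described in the thread).
    secrets.token_bytes is the assumed CSPRNG here."""
    nbytes = math.ceil(target_bits / 8)
    raw = secrets.token_bytes(nbytes)
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def brute_force_years(target_bits: int, guesses_per_second: float) -> float:
    """Expected time to recover a uniformly random secret of target_bits
    by offline guessing: on average half the keyspace must be searched.
    guesses_per_second is an assumed attacker rate, not a measured one."""
    expected_guesses = 2 ** (target_bits - 1)
    seconds = expected_guesses / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # 80 bits is 10 raw bytes, which base64 packs into 14 characters.
    print("base64 chars for 80 bits:", chars_needed(80, 64))
    print("sample password:", random_base64_password(80))
    # Eric's "60 bits = 10" figure holds for 10 base64 characters.
    print("entropy of 10 base64 chars:", entropy_bits(10, 64))
    # Assumed rate of one billion guesses per second against captured
    # challenge/response packets.
    for bits in (40, 60, 80):
        print(f"{bits} bits -> {brute_force_years(bits, 1e9):.3g} years")
```

The comparison worth taking from the output is the gap between a 40-bit and an 80-bit secret at the same assumed guess rate: the former falls to an offline search in under a year, the latter does not, yet the latter is still only 14 typed characters.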




* Re: [9fans] how do you usually deal with new users and secstore?
From: mirtchov @ 2003-09-07 19:25 UTC (permalink / raw)
  To: 9fans

> I thought drawterm's time had passed and people were migrating
> to VNC or VMware.  If not, then its security should certainly
> be improved (as has been recently discussed).  One item could be
> borrowing the code from factotum for getting keys.   By the way,

drawterm has the closest look&feel to a native plan9 terminal...  i've
found both vnc and vmware difficult to adapt to from an end-user point
of view -- they're just not the real thing...

i have a vnc session that i use for things that i know are surely
going to crash drawterm, but i like to stay away from it as much as
possible.  it's fast, but as soon as i right click some text in acme
i'm reminded bluntly that it's not the real thing.

ideally i would have an inexpensive EPIA board hooked to a
monitor/mouse/keyboard multiplexor and just boot that as a terminal...

either that or fixing drawterm...

> it's not an 80 character password---just enough randomness for
> your environment, packed base64.  60 bits = 10 bytes might be enough.

oops, i misread the original message, my bad.

> It is what you get out of:
>     auth/rsagen > ssh.secret.factotum
> and should be added to your secstore factotum file.  You then
>     auth/rsa2ssh ssh.secret.factotum > ssh.public
> and "cat ssh.public >> .ssh/authorized_keys" on your Unix server.
> I feel comfortable using the same ssh.public on remote university
> accounts, but wouldn't want to use a single password everywhere.
>

i'm using this in linux already, didn't know how to do it in plan9.

thanx!





* Re: [9fans] how do you usually deal with new users and secstore?
From: ron minnich @ 2003-09-07 19:41 UTC (permalink / raw)
  To: 9fans

On Sun, 7 Sep 2003 mirtchov@cpsc.ucalgary.ca wrote:

> drawterm has the closest look&feel to a native plan9 terminal...  i've
> found both vnc and vmware difficult to adapt to from an end-user point
> of view -- they're just not the real thing...

second that. I like drawterm.

> ideally i would have an inexpensive EPIA board hooked to a
> monitor/mouse/keyboard multiplexor and just boot that as a terminal...

working on it ...

ron




* Re: [9fans] how do you usually deal with new users and secstore?
From: boyd, rounin @ 2003-09-07 20:18 UTC (permalink / raw)
  To: 9fans

> second that. I like drawterm.

me too.  that way i don't have to kernel hack so i can type [non qwerty layout].

and the job gets done in ny ;) while i can hack in paris.





* Re: [9fans] how do you usually deal with new users and secstore?
From: matt @ 2003-09-07 20:53 UTC (permalink / raw)
  To: 9fans

yep, drawterm every time

vnc doesn't cut it

vmware is too expensive


