[9fans] config wisdom? (factotum? cmdline flags? ctl file?)

[Axel Belinfante <Axel.Belinfante@cs.utwente.nl>]

(back to boring technical questions/discussion)

I'm still not exactly sure what would be the best
(working, easiest to use) way to give my 802.1x
supplicant the information it needs to do its work,
so I'm looking for opinions or reasons to pick one
over the other.

I envision it being run in two ways:
 - on boot, to get the network up to get root from fs
 - by the user on an already up&running system

I can imagine the use of:
 - command line options (cumbersome)
 - factotum (remembers things for us)
 - writing to ctl file (cumbersome)
 - env vars
 - reading config file (needs to think of format)

linux supplicant uses an intimidating config file.
macos x seems to have a nice gui for it.

the config info consists of:
 - 'external identity' (realm, authdom)
 - auth-scheme-specific stuff, for one or more
   auth schemes (currently only ttls-pap is implemented)
   (for ttls-pap we just need user, password,
	where user may be something like name@realm)

So far I call auth_getuserpasswd only once at
the start of the program, which makes factotum ask me
for user and passwd. I expect the user to be of the
form name@realm and then I use the '@realm' part
also for the external identity.
This may not work in the general case.

There seem to be some disadvantages to this:
 - it is easy to forget the '@realm' part
   when factotum asks for user
   (I found how I can make auth_getuserpasswd
	ask separately for realm, in addition to user
	and password, but how to make use of that once
	it is in factotum??)
 - it is not very 'dynamic': in case of errors
   in username or password one has to kill the
   8021x program and delete the keys and start over
   (or else the program will keep retrying with
	the erronous stuff)
   of course one does not make errors, but still...
 - when I tried to integrate this into the booting
   process I did not succeed to make this work
   with factotum, mainly because it might be nice
   to first start 8021x and bring the net up and
   only then start factotum, such that
   factotum can look for a secstore.
 - in the general case much more complex config
   may have to be accomodated
   (do not worry about that now?)

I have been thinking of giving external id (realm)
on command line, and then ask factotum for user/password
whenever it is needed (i.e. in each re-auth).
The latter part allows to 'only' delete keys
and supply new ones, while the program continues
running. (this does not solve the case of mistyped
realm comand line option though)
It might even be possible 'decide' if an 8021x ttls-pap
auth failure was most likely caused by an erroneous
user/passwd, in which case we might try to tell
facotum (how?), so it can ignore the user/passwd it tried.

For the on-boot running,
I've been thinking about using plan9.ini vars to
 - decide whether or not to start 8021x
   (already succeded to use this)
 - specify user/passwd/realm a la the wvkey stuff,
   and then write those to the 8021x ctl file
   but this means I would use _both_ factotum
   _and_ the ctl file to provide the same info.
   that seems a bit duplication of ways/work.


Too many options (and I still have to try to get
the log thing of my previous question working).

Axel.

(hats off to all who contribute(d) to plan 9 --
 tweaking this 8021.x thingy does give me some feedback
 on what effort it (may) take(s) to get things right,
 or (maybe more realistic in my case :-)
 just somewhat arbitrary close(r) to 'right')