From mboxrd@z Thu Jan 1 00:00:00 1970 Message-Id: <200510051708.j95H8de10107@zamenhof.cs.utwente.nl> To: 9fans@cse.psu.edu From: Axel Belinfante MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <10101.1128532119.1@zamenhof.cs.utwente.nl.cs.utwente.nl> Date: Wed, 5 Oct 2005 19:08:39 +0200 Subject: [9fans] config wisdom? (factotum? cmdline flags? ctl file?) Topicbox-Message-UUID: 95180362-ead0-11e9-9d60-3106f5b1d025 (back to boring technical questions/discussion) I'm still not exactly sure what would be the best (working, easiest to use) way to give my 802.1x supplicant the information it needs to do its work, so I'm looking for opinions or reasons to pick one over the other. I envision it being run in two ways: - on boot, to get the network up to get root from fs - by the user on an already up&running system I can imagine the use of: - command line options (cumbersome) - factotum (remembers things for us) - writing to ctl file (cumbersome) - env vars - reading config file (needs to think of format) linux supplicant uses an intimidating config file. macos x seems to have a nice gui for it. the config info consists of: - 'external identity' (realm, authdom) - auth-scheme-specific stuff, for one or more auth schemes (currently only ttls-pap is implemented) (for ttls-pap we just need user, password, where user may be something like name@realm) So far I call auth_getuserpasswd only once at the start of the program, which makes factotum ask me for user and passwd. I expect the user to be of the form name@realm and then I use the '@realm' part also for the external identity. This may not work in the general case. There seem to be some disadvantages to this: - it is easy to forget the '@realm' part when factotum asks for user (I found how I can make auth_getuserpasswd ask separately for realm, in addition to user and password, but how to make use of that once it is in factotum??) - it is not very 'dynamic': in case of errors in username or password one has to kill the 8021x program and delete the keys and start over (or else the program will keep retrying with the erronous stuff) of course one does not make errors, but still... - when I tried to integrate this into the booting process I did not succeed to make this work with factotum, mainly because it might be nice to first start 8021x and bring the net up and only then start factotum, such that factotum can look for a secstore. - in the general case much more complex config may have to be accomodated (do not worry about that now?) I have been thinking of giving external id (realm) on command line, and then ask factotum for user/password whenever it is needed (i.e. in each re-auth). The latter part allows to 'only' delete keys and supply new ones, while the program continues running. (this does not solve the case of mistyped realm comand line option though) It might even be possible 'decide' if an 8021x ttls-pap auth failure was most likely caused by an erroneous user/passwd, in which case we might try to tell facotum (how?), so it can ignore the user/passwd it tried. For the on-boot running, I've been thinking about using plan9.ini vars to - decide whether or not to start 8021x (already succeded to use this) - specify user/passwd/realm a la the wvkey stuff, and then write those to the 8021x ctl file but this means I would use _both_ factotum _and_ the ctl file to provide the same info. that seems a bit duplication of ways/work. Too many options (and I still have to try to get the log thing of my previous question working). Axel. (hats off to all who contribute(d) to plan 9 -- tweaking this 8021.x thingy does give me some feedback on what effort it (may) take(s) to get things right, or (maybe more realistic in my case :-) just somewhat arbitrary close(r) to 'right')