9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] security model
@ 2007-02-01 10:44 Phil Kulin
  2007-02-01 13:52 ` erik quanstrom
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Phil Kulin @ 2007-02-01 10:44 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

I installed a combined cpu/auth server.
I need some explanations of the plan9 security model, because I have
some trouble understanding the dependencies between factotum, secstore
and keyfs.

First, I don't understand why I must run auth/secstored on my auth
server. In fact keyfs provides me an interface to keys in nvram, and
secstore provides me an interface to keys in nvram...

Second, I don't understand what "password" (after "secstore key") means
in the auth/wrkey dialog. System password? What is a "system password"?

Third, I think that I must add all my permanent auth-server users
(users with remote terminals) of my "auth domain" to secstore on the
auth-server. But cpu-server users of THIS cpu-server I must add to
factotum too. I must copy some keys from secstore to factotum at boot
time if I want to grant access to both auth and cpu servers. Am I
right?

Fourth, why does nobody ask me for a password to access secstore at boot time?

Thanks :)

-- 
Phil Kulin



* Re: [9fans] security model
  2007-02-01 10:44 [9fans] security model Phil Kulin
@ 2007-02-01 13:52 ` erik quanstrom
  2007-02-01 22:35   ` Georg Lehner
  2007-02-01 15:44 ` C H Forsyth
  2007-02-01 15:54 ` Alberto Cortés
  2 siblings, 1 reply; 11+ messages in thread
From: erik quanstrom @ 2007-02-01 13:52 UTC (permalink / raw)
  To: 9fans

i'll take a stab at this.

On Thu Feb  1 08:34:58 EST 2007, schors@gmail.com wrote:
> I installed a combined cpu/auth server.
> I need some explanations of the plan9 security model, because I have
> some trouble understanding the dependencies between factotum, secstore
> and keyfs.
> 
> First, I don't understand why I must run auth/secstored on my auth
> server. 

it is not required.  secstore provides secure storage for users. also you
don't need to run secstore on the auth server, but for most people
that's where it makes sense.

> In fact keyfs provides me an interface to keys in nvram, and

keyfs provides an interface to /adm/keys*.  nvram is something different.
on a cpu server, nvram stores the hostowner, and the hostowner's password
(secret) and a few other things so the machine can boot without operator
intervention.  

> secstore provides me an interface to keys in nvram...

no.  secstore is secure storage for users.  however, factotum will consult
secstore for you and try to load keys from the secstore file called
"factotum".  you can store anything you'd like in secstore.

> 
> Second, I don't understand what "password" (after "secstore key") means
> in the auth/wrkey dialog. System password? What is a "system password"?

secstore requires a password before it will allow access.  in this case factotum
is trying to retrieve the file "factotum" on your behalf.

> 
> Third, I think that I must add all my permanent auth-server users
> (users with remote terminals) of my "auth domain" to secstore on the
> auth-server. 

secstore storage isn't required.

> But cpu-server users of THIS cpu-server I must add to
> factotum too. 

factotum is a proxy, not permanent storage.  factotum is like ssh-agent, but it
works for all (okay, most) of the authentication types plan 9 requires. 
the actual secrets go in /adm/keys.  see auth(8).

>  I must copy some keys from secstore to factotum at boot
> time if I want to grant access to both auth and cpu servers. Am I
> right?

nope.  factotum is run at login time.  the factotum interacts with the user
and secstore to compile a list of keys to hand over to various servers as
your proxy.

> 
> Fourth, why does nobody ask me for a password to access secstore at boot time?

bringing it all back home.  i assume this is on the auth server.  the auth server
is a cpu server.  the assumption is that there is physical security of this box.
the hostowner and key are kept in nvram.  if you are not comfortable with this
(and you can live with the auth server being down until you're at the console
to enter the hostowner and password), you don't need an nvram file and you
can wipe it clean on a pc with
	dd -if /dev/zero -of /dev/$disk/nvram -count 1

- erik



* Re: [9fans] security model
  2007-02-01 10:44 [9fans] security model Phil Kulin
  2007-02-01 13:52 ` erik quanstrom
@ 2007-02-01 15:44 ` C H Forsyth
  2007-02-01 15:54 ` Alberto Cortés
  2 siblings, 0 replies; 11+ messages in thread
From: C H Forsyth @ 2007-02-01 15:44 UTC (permalink / raw)
  To: 9fans

> I installed a combined cpu/auth server.
> I need some explanations of the plan9 security model, because I have
> some trouble understanding the dependencies between factotum, secstore
> and keyfs.
> 
> First, I don't understand why I must run auth/secstored on my auth
> server. In fact keyfs provides me an interface to keys in nvram, and
> secstore provides me an interface to keys in nvram...

there isn't any need to run secstored.  they do quite different things,
though.

secstored securely stores files on behalf of users, in particular a
file "factotum" that holds keys that user wants loaded into the user's
factotum on login.  of course one of those users could be a system
user (eg, "bootes").

you need auth/keyfs though, to hold the per-user shared secrets used
to authenticate them to a plan 9 domain.  it manages /adm/keys.

> Second, I don't understand what "password" (after "secstore key") means
> in the auth/wrkey dialog. System password? What is a "system password"?

it's the shared secret that allows one plan 9 server to authenticate itself to another.
it also encrypts the keys file.  the secstore key is a separate key used by secstored.

> Third, I think that I must add all my permanent auth-server users
> (users with remote terminals) of my "auth domain" to secstore on the
> auth-server.

only if you'd like them to use secstore.

> But cpu-server users of THIS cpu-server I must add to
> factotum too.

no, there's a speaks-for relationship configured by /lib/ndb/auth.
see the section on Authentication Database in authsrv(6).

> I must copy some keys from secstore to factotum at boot
> time if I want to grant access to both auth and cpu servers. Am I
> right?

no.  there's no need for users to run factotum; if they don't, they'll be prompted
every time they need to authenticate to something.  if they run factotum, and the key
isn't already in factotum (eg, from secstore), they'll be prompted once.

> Fourth, why does nobody ask me for a password to access secstore at boot time?

it got the password from the place that wrkey stored it.
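
The split the replies above describe (keyfs and /adm/keys for auth-domain secrets, secstore for a user's stored "factotum" file, factotum as the in-memory agent), as an added rc session that is not part of any post in this thread. The user name glenda, the domain example.com and the key value are constructed placeholders; the commands are those documented in auth(8), secuser(8), secstore(1) and factotum(4).

```rc
# --- on the auth server, as hostowner, with auth/keyfs running ---
# create or update the user's auth-domain secret; keyfs writes it,
# encrypted, to /adm/keys (this is what other servers authenticate against)
auth/changeuser glenda

# --- on the machine running auth/secstored, as hostowner (optional) ---
# create a secstore account; prompts for the secstore password, which is
# independent of the auth-domain secret set above
auth/secuser glenda

# --- on a terminal, as the user ---
# work in a private, memory-only file system so the plaintext key file
# never reaches a disk or a shared file server
ramfs -p; cd /tmp

# fetch the existing "factotum" file from secstore (skip on first use,
# when no such file has been stored yet)
auth/secstore -g factotum

# append a key in factotum's attribute=value format; the ! prefix marks
# the attribute as secret (placeholder values, replace before use)
echo 'key proto=p9sk1 dom=example.com user=glenda !password=PLACEHOLDER' >> factotum

# store the file back; it is encrypted under the secstore password
auth/secstore -p factotum

# load the keys into the running factotum and remove the plaintext copy
read -m factotum > /mnt/factotum/ctl
rm factotum

# list the keys factotum now holds; values of secret (!) attributes
# are not displayed
cat /mnt/factotum/ctl
```

At the next login factotum prompts for the secstore password and loads this file itself, so the keys no longer have to be typed per service.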




* Re: [9fans] security model
  2007-02-01 10:44 [9fans] security model Phil Kulin
  2007-02-01 13:52 ` erik quanstrom
  2007-02-01 15:44 ` C H Forsyth
@ 2007-02-01 15:54 ` Alberto Cortés
  2 siblings, 0 replies; 11+ messages in thread
From: Alberto Cortés @ 2007-02-01 15:54 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Phil Kulin said:

> I installed a combined cpu/auth server.
> I need some explanations of the plan9 security model, because I have
> some trouble understanding the dependencies between factotum, secstore
> and keyfs.
> 
> First, I don't understand why I must run auth/secstored on my auth
> server.

auth/secstored serves secstore.

A user has their secstore stored on the auth server.

Then a user boots a terminal.

The terminal wants to provide the user with a nice secstore, but
it doesn't have any. The terminal asks the auth server for the
missing secstore by talking to the auth/secstored server running
there.


> In fact keyfs provides me an interface to keys in nvram, and
> secstore provides me an interface to keys in nvram...

> Second, I don't understand what "password" (after "secstore key") means
> in the auth/wrkey dialog. System password? What is a "system password"?
> 
> Third, I think that I must add all my permanent auth-server users
> (users with remote terminals) of my "auth domain" to secstore on the
> auth-server. But cpu-server users of THIS cpu-server I must add to
> factotum too. I must copy some keys from secstore to factotum at boot
> time if I want to grant access to both auth and cpu servers. Am I
> right?
> 
> Fourth, why does nobody ask me for a password to access secstore at boot time?
> 
> Thanks :)
> 
> -- 
> Phil Kulin
> 

-- 
Alberto Cortés



* Re: [9fans] security model
  2007-02-01 13:52 ` erik quanstrom
@ 2007-02-01 22:35   ` Georg Lehner
  2007-02-01 22:57     ` C H Forsyth
  2007-02-01 22:58     ` Steve Simon
  0 siblings, 2 replies; 11+ messages in thread
From: Georg Lehner @ 2007-02-01 22:35 UTC (permalink / raw)
  To: 9fans

erik quanstrom <quanstro@coraid.com> writes:

> i'll take a stab at this.
>
> On Thu Feb  1 08:34:58 EST 2007, schors@gmail.com wrote:
...
>> First, I don't understand why I must run auth/secstored on my auth
>> server. 
>
> it is not required.  secstore provides secure storage for users. also you
> don't need to run secstore on the auth server, but for most people
> that's where it makes sense.
...

drawterm (on linux, at least) always tries to contact secstore on the
authserver during startup.  So it may not be *required* to run
secstore there, but I guess doing otherwise is not feasible.

Regards,

    Jorge-León



* Re: [9fans] security model
  2007-02-01 22:35   ` Georg Lehner
@ 2007-02-01 22:57     ` C H Forsyth
  2007-02-01 22:58     ` Steve Simon
  1 sibling, 0 replies; 11+ messages in thread
From: C H Forsyth @ 2007-02-01 22:57 UTC (permalink / raw)
  To: 9fans

it times out, reasonably quickly on the systems i've used.
it then falls back to talking directly to an auth server.


* Re: [9fans] security model
  2007-02-01 22:35   ` Georg Lehner
  2007-02-01 22:57     ` C H Forsyth
@ 2007-02-01 22:58     ` Steve Simon
  2007-02-01 23:30       ` C H Forsyth
  1 sibling, 1 reply; 11+ messages in thread
From: Steve Simon @ 2007-02-01 22:58 UTC (permalink / raw)
  To: 9fans

I thought drawterm only contacted a secstore server if given the address of the
server to attach to (via the -s arg).

Unfortunately I am not in a position to use the source at
present so I only comment from memory.

-Steve



* Re: [9fans] security model
  2007-02-01 22:58     ` Steve Simon
@ 2007-02-01 23:30       ` C H Forsyth
  0 siblings, 0 replies; 11+ messages in thread
From: C H Forsyth @ 2007-02-01 23:30 UTC (permalink / raw)
  To: 9fans

i was too lazy to fetch the source but tried just
running it instead with only -a and -c options, and it
made contact with the secstore at the -a address.


* Re: [9fans] security model
  2007-02-01 18:33 ` Phil Kulin
@ 2007-02-01 19:00   ` erik quanstrom
  0 siblings, 0 replies; 11+ messages in thread
From: erik quanstrom @ 2007-02-01 19:00 UTC (permalink / raw)
  To: 9fans

On Thu Feb  1 13:39:00 EST 2007, schors@gmail.com wrote:
> 2007/2/1, erik quanstrom <quanstro@coraid.com>:
> It all turned out to be simple. When I had read through the precise
> answers, I methodically looked at all the dependent files. /adm/keys*
> were owned by user admin (installation process?). I removed and
> recreated those files as I found in the file-server instructions.

these files need to be owned by the hostowner of the auth server.

> 
> All works right now.  And I have at last understood how it works.
> 

great.


> All the same, I have not understood this. Is it possible to describe
> in more detail these two passwords (secstore key and password) and
> their value? Who for whom and when follows in the subsequent
> situations.

this confuses me a bit, too.  the key is the user name and the key
is the password.  the reason for this is secstore is written in very general 
terms.  in practice, the keys are generally user names.

- erik

> 
> -- 
> May the moment of our correspondence be illuminated by a star!
> Phil Kulin




* Re: [9fans] security model
       [not found] <0c5a6d53f01894258fb37e168ee08628@coraid.com>
@ 2007-02-01 18:33 ` Phil Kulin
  2007-02-01 19:00   ` erik quanstrom
  0 siblings, 1 reply; 11+ messages in thread
From: Phil Kulin @ 2007-02-01 18:33 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

2007/2/1, erik quanstrom <quanstro@coraid.com>:

Many regards for your answers. I reviewed the manuals more closely with
the references from this thread and understand the source of my problems.

I created keys, nvram keys, rebooted, used auth/changeuser bootes and
rebooted again. So, after the reboot, I started vncs. But my vnc client
failed to authorise on the plan9 server. I tried again and again. I used
different variants and google searching. I tried to compare the
documentation with the situation. I was confused by this behaviour.

It all turned out to be simple. When I had read through the precise
answers, I methodically looked at all the dependent files. /adm/keys*
were owned by user admin (installation process?). I removed and
recreated those files as I found in the file-server instructions.

All works right now.  And I have at last understood how it works.

> > Second, I don't understand what "password" (after "secstore key") means
> > in the auth/wrkey dialog. System password? What is a "system password"?
> secstore requires a password before it will allow access.  in this case factotum
> is trying to retrieve the file "factotum" on your behalf.

All the same, I have not understood this. Is it possible to describe
in more detail these two passwords (secstore key and password) and
their value? Who for whom and when follows in the subsequent
situations.

-- 
May the moment of our correspondence be illuminated by a star!
Phil Kulin


* Re: [9fans] security model
@ 2007-02-01 15:31 erik quanstrom
  0 siblings, 0 replies; 11+ messages in thread
From: erik quanstrom @ 2007-02-01 15:31 UTC (permalink / raw)
  To: schors, 9fans

second try... 

