From: "Russ Cox" <rsc@swtch.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] Hopefully, one last problem
Date: Fri, 11 May 2007 07:58:56 -0400 [thread overview]
Message-ID: <20070511115855.A3FDC1E8C3A@holo.morphisms.net> (raw)
In-Reply-To: <12B1C5E5-815A-40DD-BFB7-957B5BA1C37A@tinker.com>
> OK, that was not the problem. I have done auth/wrkey
> twice and taken care not to mistype the password and the
> secstore key. I have rebooted more times than I can count.
> I have run auth/changeuser bootes and auth/changeuser kim
> and made sure that I keyed the passwords in correctly. I
> have rebooted some more. I still have the same problem.
>
> I suspicion that the problem is somewhere else.
>
> What components are involved in handling this remote login?
>
> Do they log anything?
>
> Can I make them log more?
>
> Which piece of software is issuing the message:
>
> cpu: server lies got 39dd60dfe7adb072.1510726563 want
> 9b3644fcb26b1a66.0: cs gave empty translation list
>
> I would actually like to track this down myself but I seem
> to keep hitting brick walls.
* Logs
The auth server logs to /sys/log/auth.
You can make the cpu server factotum log by
echo debug >/mnt/factotum/ctl
cat /mnt/factotum/log
* Things to try
On the cpu server, run auth/debug.
Try to authenticate as bootes instead
of as kim using drawterm.
On the cpu server, in a new window, run
auth/factotum
cpu -h cpu-server-name
and try to log in as kim.
Do the same as bootes.
Try auth/wrkey and
type the bootes password as the secstore key too.
(I wonder if some program is reading the wrong field.)
* What's going on
Drawterm is printing the message "server lies".
It turns out that code is not quite right, but it's close
enough for the moment. The auth protocol is
p9any+p9sk1, described in authsrv(6).
Drawterm connects to the auth server, gets a ticket
pair, one encrypted with kim's password and one
with bootes's password. The tickets are slightly
different but they both contain the same random
key that will be the shared secret between drawterm
and the cpu server once the protocol finishes.
Drawterm decrypts the one encrypted with kim's password
to get the shared key. It sends the bootes-encrypted
ticket to the cpu server along with a random challenge string.
The cpu server is supposed to decrypt the bootes-encrypted
ticket, get the shared secret, and then use it to encrypt
the challenge string and send it back to drawterm.
When this works, drawterm now knows that the remote
side knows the shared secret. The encrypted secret that
drawterm gets back does not decrypt properly, hence
the "server lies". (If it had been okay, then drawterm
would have encrypted a random challenge from the server
to prove that it knew the key too, and then we'd be done.)
But the fact that the protocol got as far as it did
means that drawterm was able to decrypt the kim-encrypted
ticket that the auth server created. So drawterm and the
auth server agree about kim's password. But the cpu
server was unable to decrypt the bootes-encrypted ticket,
meaning that the auth server and the cpu factotum disagree
about bootes's password.
(In fact the cpu server recognized that it couldn't
decrypt the ticket and gave up before sending the
challenge response, instead printing an error message.
But drawterm interprets the error message as the
response and sure enough it doesn't decrypt well.
That's a separate problem. Seeing the error message
wouldn't really help. It would be
cpu: srvauth: protocol failure
which doesn't shed any additional light.)
If you drawterm in as bootes instead of as kim, then
seeing how far this process gets will check whether
the auth server agrees with the password you typed
in for bootes.
Russ
next prev parent reply other threads:[~2007-05-11 11:58 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-10 15:53 Kim Shrier
2007-05-10 15:57 ` Federico Benavento
2007-05-10 18:04 ` Kim Shrier
2007-05-10 20:12 ` Russ Cox
2007-05-11 2:05 ` Kim Shrier
2007-05-11 11:58 ` Russ Cox [this message]
2007-05-12 23:28 ` Kim Shrier
2007-05-10 20:23 ` erik quanstrom
2007-05-10 21:04 ` Russ Cox
2007-05-10 15:58 ` Russ Cox
2007-05-10 18:04 ` Kim Shrier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070511115855.A3FDC1E8C3A@holo.morphisms.net \
--to=rsc@swtch.com \
--cc=9fans@cse.psu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).