On Tue, May 06, 2008 at 01:10:12PM +0100, rog@vitanuova.com wrote:
> i haven't used the inferno 9auth stuff to log in as more
> than one user, hence i guess i wouldn't have tickled that bug.
> 
> what does 'cat /mnt/factotum/ctl' report after adding the key for user=nwf?

I'm really confused now; I'm going to forward this to 9fans in hopes that
somebody can explain.  [For those of you now joining the conversation, the
original, off-list thread was started because Inferno's factotum and infauth
wouldn't let me play the first dance here; the second 9cpu, with -k
'user=bootes' still logged me in as nwf without prompting for a key.]

On my Plan 9 terminal, if I run

term% echo delkey > /mnt/factotum/ctl
term% cpu -h sea.cs.jhu.edu -k 'user=nwf'
[add key dance]
cpu% exit
term% cpu -h sea.cs.jhu.edu -k 'user=bootes'
[add key dance]
sea# exit
term% cat /mnt/factotum/ctl
key proto=p9sk1 dom=acm.jhu.edu user=nwf password!
key proto=p9sk1 dom=acm.jhu.edu user=bootes password!

This is as I expect.  But if I reverse the order of the cpu commands, I
don't get asked for nwf@'s password.  If I then try to log in as another
real user on the system, I get asked for that user's password.

term% echo delkey > /mnt/factotum/ctl
term% cpu -h sea.cs.jhu.edu -k 'user=bootes'
[add key dance]
sea#
term% cpu -h sea.cs.jhu.edu -k 'user=nwf'
[no key dance is necessary]
cpu%
term% cpu -h sea.cs.jhu.edu -k 'user=me'
!Adding key: dom=acm.jhu.edu proto=p9sk1 user=me
[I don't know me@'s password, so I abort by pressing Del.]
cpu: can't authenticate: sea.cs.jhu.edu: auth_proxy rpc write:
p9sk1@acm.jhu.edu: '/factotum' file does not exist.
term% cat /mnt/factotum/ctl
key proto=p9sk1 dom=acm.jhu.edu user=bootes password!

sea's /lib/ndb/auth contains the usual speaksfor relationship:
  hostid=bootes uid=!sys uid=!adm uid=*

sea's /lib/keys.who contains:
  bootes|bootes host owner|bootes|JHUACM|officers@acm.jhu.edu|officers@acm.jhu.edu
  nwf|nwf|Nathaniel Wesley Filardo|JHUACM|nwf@acm.jhu.edu|officers@acm.jhu.edu
  me||Venkatesh Srinivas|JHUACM|me@acm.jhu.edu|officers@acm.jhu.edu

sea's /lib/users contains:
  adm:adm:adm:sys,bootes
  glenda:glenda:glenda:
  bootes:bootes::
  me:me::
  nwf:nwf::
  sys:sys::glenda,me,nwf,bootes

My username on my terminal is nwf.

The question is: why don't I have to present a password to log in as nwf@
after I have logged in as bootes?  Why doesn't this explanation hold for
me@?

Thanks much.
--nwf;