From mboxrd@z Thu Jan 1 00:00:00 1970
From: Corey
To: 9fans@9fans.net
Date: Mon, 10 Aug 2009 03:17:26 -0700
User-Agent: KMail/1.11.4 (Linux/2.6.27-gentoo-r8; KDE/4.2.4; i686; ; )
References: <2423e34dee842afe8e50088e1150889e@quintile.net>
In-Reply-To: <2423e34dee842afe8e50088e1150889e@quintile.net>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200908100317.26957.corey@bitworthy.net>
Subject: Re: [9fans] machine key, secstore key, hostowner password
Topicbox-Message-UUID: 3f78f3f8-ead5-11e9-9d60-3106f5b1d025

On Monday 10 August 2009 02:55:58 Steve Simon wrote:
> The machine key _is_ the hostowner's password, DES encrypted with
> the hostowner's name, the details are in the code.
>

The hostowner's password stored in nvram, and the hostowner's password
stored in the authentication database served by keyfs can be set to
different strings - but the documentation suggests that they should match:

http://plan9.bell-labs.com/wiki/plan9/Configuring_a_Standalone_CPU_Server

"
REBOOT
Reboot the machine. [...] It will ask for an authid, authdom, secstore key,
and password. [...] Remember the password, you will need it again later when
creating the 'bootes' user.
"

... and later:

"
AUTHENTICATION SERVER CONFIGURATION
Firstly, you must set the password for bootes using auth(8) and the
password you just entered during bootup:

auth/changeuser bootes
"

I'm curious if there are repercussions, and of what nature, if they do
not match.

> the secstore key is just that, it is useful for storing account
> details that the hostowner may need - for example I keep my
> sources account in hostowner's secstore so I can cpu -u bootes
> to become hostowner and then do a pull.
>
> I have to type in the hostowner's secstore key about once a year - though
> it is read from the nvram to unlock the hostowner's secstore on every boot
> of my cpu/auth/file server.
>
> I use the hostowner's key once a week or so to cpu in to do a pull or if
> I need access to the server's /dev/kmesg or devices.
>

Cool thanks -- so, it's the machine key that is only ever used by the
machine itself and never by a human being after it has been set?