9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] machine key, secstore key, hostowner password
From: Corey @ 2009-08-10  9:40 UTC (permalink / raw)
  To: 9fans


When creating a cpu/auth kernel, one needs to create a variety of
key/passwords - the machine key, the secstore key, and the hostowner password.

I _think_ I have the basics understood regarding the purpose of these, but one
thing I'm uncertain of:

Aside from the point in which they're each first set, when will they ever be
manually used again?

When I say "when will they be manually used again", I mean... will a user ever
be prompted to enter them again in order to perform some administrative action
or another?

I've yet to actually be prompted for any one of them again after the initial
setup of my cpu/auth server. I imagine at some point I will need to configure
or set up something which will require one of the passwords in order to proceed?


Also, what sorts of issues arise if one were to specify non-matching hostowner
passwords, i.e. - when you first boot up after invalidating nvram, you are asked
to specify a hostowner password, then again you are asked to supply a
hostowner password when you run 'auth/changeuser <hostowner>'...

The documentation states that these are supposed to match. But what sorts
of symptoms will result if you, for instance, typo'd the auth/changeuser
<hostowner> password?


Thanks!





* Re: [9fans] machine key, secstore key, hostowner password
From: Corey @ 2009-08-10  9:46 UTC (permalink / raw)
  To: 9fans

On Monday 10 August 2009 02:40:17 Corey wrote:
> When creating a cpu/auth kernel, one needs to create a variety of
> key/passwords - the machine key, the secstore key, and the hostowner
> password.
>
> I _think_ I have the basics understood regarding the purpose of these, but
> one thing I'm uncertain of:
>
> Aside from the point in which they're each first set, when will they ever
> be manually used again?
>

I should add that I'm aware of when I'd need the hostowner password - it's
actually the machine key and secstore keys I'm asking about specifically.





* Re: [9fans] machine key, secstore key, hostowner password
From: Steve Simon @ 2009-08-10  9:55 UTC (permalink / raw)
  To: corey, 9fans

The machine key _is_ the hostowner's password, DES encrypted with
the hostowner's name, the details are in the code.

the secstore key is just that, it is useful for storing account
details that the hostowner may need - for example I keep my
sources account in hostowner's secstore so I can cpu -u bootes
to become hostowner and then do a pull.

I have to type in the hostowner's secstore key about once a year - though
it is read from the nvram to unlock the hostowner's secstore on every boot
of my cpu/auth/file server.

I use the hostowner's key once a week or so to cpu in to do a pull or if
I need access to the server's /dev/kmesg or devices.

-Steve




* Re: [9fans] machine key, secstore key, hostowner password
From: Corey @ 2009-08-10 10:17 UTC (permalink / raw)
  To: 9fans

On Monday 10 August 2009 02:55:58 Steve Simon wrote:
> The machine key _is_ the hostowner's password, DES encrypted with
> the hostowner's name, the details are in the code.
>

The hostowner's password stored in nvram, and the hostowner's password
stored in the authentication database served by keyfs can be set to different
strings - but the documentation suggests that they should match:


http://plan9.bell-labs.com/wiki/plan9/Configuring_a_Standalone_CPU_Server

"
REBOOT

Reboot the machine. [...]

It will ask for an authid, authdom, secstore key, and password. [...] Remember
the password, you will need it again later when creating the 'bootes' user.
"

... and later:

"
AUTHENTICATION SERVER CONFIGURATION

Firstly, you must set the password for bootes using auth(8) and the password
you just entered during bootup:

auth/changeuser bootes
"

I'm curious if there are repercussions, and of what nature, if they do not
match.


> the secstore key is just that, it is useful for storing account
> details that the hostowner may need - for example I keep my
> sources account in hostowner's secstore so I can cpu -u bootes
> to become hostowner and then do a pull.
>
> I have to type in the hostowner's secstore key about once a year - though
> it is read from the nvram to unlock the hostowner's secstore on every boot
> of my cpu/auth/file server.
>
> I use the hostowner's key once a week or so to cpu in to do a pull or if
> I need access to the server's /dev/kmesg or devices.
>

Cool thanks -- so, it's the machine key that is only ever used by the machine
itself and never by a human being after it has been set?









* Re: [9fans] machine key, secstore key, hostowner password
From: Steve Simon @ 2009-08-10 10:30 UTC (permalink / raw)
  To: corey, 9fans

the hostowner is the owner of the machine, but they are also a user
on plan9 so they need an entry on the auth database. the passwords
in the auth database and the nvram must match or you will not be able
to cpu or 9fs to this box, authentication will not work.

-Steve


