9fans - fans of the OS Plan 9 from Bell Labs
From: "Russ Cox" <rsc@plan9.bell-labs.com>
To: 9fans@cse.psu.edu
Subject: [9fans] backwards-incompatible changes
Date: Tue, 25 Mar 2003 16:58:45 -0500
Message-ID: <272f30affaea63d326103dc12299cace@plan9.bell-labs.com>

There are two backwards incompatible changes
that will appear on sources tomorrow.  If you prepare
for them, nothing will break when you do the pull.

First, namespace files now have a `.' syntax to include
other files.  /lib/namespace will include /lib/namespace.$sysname.
Thus, namespace.$sysname will become additions to the
default name space rather than replacing it.  To prepare for
this change, add the line ``clear'' to the top of any
namespace.$sysname files you have.  The old code
will ignore it, and the new code will do rfork(RFCNAMEG)
when it sees it.  Once you are running the new code
everywhere, you can trim your namespace.$sysname
files considerably.

Second, the handling of rsa keys is redone.  The new
tools are already out -- see rsa(8).

There will be a new ssh client that looks for keys
identified by

	proto=rsa service=ssh

rather than

	proto=sshrsa

If you put both tags on the key, that will work with
either ssh.  Once you've switched, you can remove
the proto=sshrsa tag.

There will be a new sshserve that uses factotum
to hold the host key, identified by

	proto=rsa service=sshserve

You can convert with

	awk '{
		printf("key proto=rsa service=sshserve owner=* ");
		printf("size=%s ek=%s !dk=%s n=%s !p=%s !q=%s !kp=%s !kq=%s !c2=%s\n",
			$1, $2, $3, $4, $5, $6, $7, $8, $9);
	}' /sys/lib/ssh/hostkey.secret

After the switch you can delete hostkey.secret.

TLS will look for keys identified by

	proto=rsa service=tls

rather than

	proto=sshrsa

As with the ssh client, if you put both tags on the key,
it will work with old and new.

Also, and not an incompatibility, there is a new factotum
that knows about an ``owner'' tag to specify who can use
the key.  owner=* means anyone, otherwise you give
a list owner=rsc owner=presotto etc.  This way, you can
publish, in bootes's factotum, the SSH host key and
TLS key, and then services using them can run as none.

Summary:

	- add "clear" to the top of your namespace.$sysname files
	- add "proto=rsa service=ssh" to your ssh client keys
	- add your ssh host key to factotum
	- add "proto=rsa service=tls" to your tls server keys

Russ
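A small helper for the dual-tagging step the message recommends for the ssh client and TLS keys. This is an added example, not Russ's code or part of the Plan 9 distribution; it assumes factotum key lines in the one-per-line `key attr=value ...` form, that the old tag is `proto=sshrsa`, and that you already know which key file holds ssh client keys and which holds tls server keys. The `!`-prefixed secret attributes are passed through unchanged.

```shell
#!/bin/sh
# Added example: append "proto=rsa service=<svc>" to every factotum key line
# that is currently tagged proto=sshrsa. The old tag is kept so the old ssh
# client and old TLS code keep working until everything has been switched.
# Usage: add_rsa_tags ssh < ssh-keys     or     add_rsa_tags tls < tls-keys
add_rsa_tags() {
    awk -v svc="$1" '
    # has(tag): 1 if some attribute on the current line is exactly tag.
    function has(tag,   i) {
        for (i = 2; i <= NF; i++)
            if ($i == tag) return 1
        return 0
    }
    # Only "key ..." lines carrying the old tag are candidates; assigning to
    # $0 re-splits the fields, so the second has() sees the first addition.
    $1 == "key" && has("proto=sshrsa") {
        if (!has("proto=rsa"))       $0 = $0 " proto=rsa"
        if (!has("service=" svc))    $0 = $0 " service=" svc
    }
    # Everything else (other protocols, comments, blank lines) is unchanged.
    { print }
    '
}

# Constructed sample input: one old-style ssh key and one unrelated p9sk1 key.
SAMPLE='key proto=sshrsa size=1024 ek=3 n=abc123 !dk=def456
key proto=p9sk1 user=rsc dom=example.org !password=notreal'

printf '%s\n' "$SAMPLE" | add_rsa_tags ssh
```

Running the script a second time over its own output adds nothing, so it is safe to apply to a key file you have already partly migrated by hand.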