Message-ID: <40e07c1a54fd2fc2f8a4e5a9325da51f@9fs.org>
From: nigel@9fs.org
To: 9fans@cse.psu.edu
Subject: Re: [9fans] possible way to have the secstore on the cpu server
Date: Mon, 17 Jun 2002 11:25:32 +0100

At the point factotum starts on the cpu server, there is no secstore service running, because cpurc has not yet run to start it. Thus, in cpurc, after I have started the secstore service, I want to do

	auth/secstore -G factotum | read -m >/mnt/factotum/ctl

to load the secstore into the already running factotum. This will prompt for the secstore password, which is a pain if I want to reboot the cpu server remotely. So, I grafted the nvram key loading code from factotum into secstore under the option -N. The relevant bit of cpurc is:

	dossrv
	@{
		rfork n
		mount -c /srv/dos /n/9fat /dev/sdC0/9fat
		bind /n/9fat/secstore /adm/secstore
		auth/secstored
		echo secstored running
		auth/secstore -N -G factotum | read -m >/mnt/factotum/ctl
		echo keys loaded
	}

Now if there is a clever way to get factotum to reload itself from secstore I would use that, but I don't think there is.
---------- Attached message ----------
From: presotto@plan9.bell-labs.com
To: 9fans@cse.psu.edu
Subject: Re: [9fans] possible way to have the secstore on the cpu server
Date: Sat, 15 Jun 2002 11:34:38 -0400

Also, I'm confused. Factotum already did read the nvram key; we rely on it here for exactly what you use it for. What did you have to add?
---------- Attached message ----------
Message-ID: <0538a1a8b42ab0f0bb459fc5e0ed97a9@9fs.org>
From: nigel@9fs.org
To: 9fans@cse.psu.edu
Subject: Re: [9fans] possible way to have the secstore on the cpu server
Date: Sat, 15 Jun 2002 15:02:51 +0100

Good points all. Presotto had said a dictionary attack was possible if the service ran on the cpu server and I can't see it.

Anyhow I've implemented it all, and perhaps will drop it all in the wiki at some point. One addition is a mod to secstore so it reads the nvram key rather than prompting for one. This allows cpurc to load the cpu server's factotum with extra keys like the SSL ones.

Secstore is cool; it takes my mind off the awful VGA support.