9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] plain passwords and keyfs
@ 2004-07-23 13:14 Enrique Soriano Salvador
  2004-07-23 16:10 ` Charles Forsyth
  0 siblings, 1 reply; 14+ messages in thread
From: Enrique Soriano Salvador @ 2004-07-23 13:14 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

Why does keyfs serve the user's password in plain text on the file
/mnt/keys/user/secret ?

I know that the man in front of the cpu/auth server is the only one that
can see the users' passwords... but it can be dangerous for users that
have the same password for different systems (unix, win, plan9 ...)

{ I am changing my Unix passwords at this very moment, so nemo and gorka
can now see my password-for-all in plain text!!! :) }

As far as I know, in other systems (i.e. unix) the admin cannot see the
users' passwords (of course, he can try to crack the /etc/shadow file or
to make other malicious acts)

I am sure that there is a design-related explanation for that...

Thanks!

Q.






* Re: [9fans] plain passwords and keyfs
  2004-07-23 13:14 [9fans] plain passwords and keyfs Enrique Soriano Salvador
@ 2004-07-23 16:10 ` Charles Forsyth
  2004-07-23 16:34   ` Wes Kussmaul
  0 siblings, 1 reply; 14+ messages in thread
From: Charles Forsyth @ 2004-07-23 16:10 UTC (permalink / raw)
  To: esoriano, 9fans


the Plan 9 password is scrambled, into key not secret.
secret is used for access to other systems.
i don't think you must set it.

it is in plain text because it's hard to say which
particular scrambling algorithm, if any,
will be used to talk to those other systems.


* Re: [9fans] plain passwords and keyfs
  2004-07-23 16:10 ` Charles Forsyth
@ 2004-07-23 16:34   ` Wes Kussmaul
  2004-07-23 16:47     ` andrey mirtchovski
  2004-07-23 17:06     ` Skip Tavakkolian
  0 siblings, 2 replies; 14+ messages in thread
From: Wes Kussmaul @ 2004-07-23 16:34 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


> it is in plain text because it's hard to say which
> particular scrambling algorithm, if any,
> will be used to talk to those other systems.

Imagine if we were discussing a building, and the building codes specified
that since physical key standards vary, all entrances would have doormats
under which one could find a key that opens the door.

The problem comes from the naivete of IT standards bodies about matters of
authority. City Hall must be behind the standards, and must see that they
are enforced.

Wes Kussmaul





* Re: [9fans] plain passwords and keyfs
  2004-07-23 16:34   ` Wes Kussmaul
@ 2004-07-23 16:47     ` andrey mirtchovski
  2004-07-23 17:38       ` Wes Kussmaul
  2004-07-23 17:06     ` Skip Tavakkolian
  1 sibling, 1 reply; 14+ messages in thread
From: andrey mirtchovski @ 2004-07-23 16:47 UTC (permalink / raw)
  To: 9fans

> Imagine if we were discussing a building, and the building codes specified
> that since physical key standards vary, all entrances would have doormats
> under which one could find a key that opens the door.
>

buildings generally have a residential manager who has the master key
to every apartment.  in their case that's either gorka or nemo, not
everybody (as would be the case in your doormat analogy).

we're talking about a rental property after all. :)




* Re: [9fans] plain passwords and keyfs
  2004-07-23 16:34   ` Wes Kussmaul
  2004-07-23 16:47     ` andrey mirtchovski
@ 2004-07-23 17:06     ` Skip Tavakkolian
  2004-07-24  7:32       ` Sam
  1 sibling, 1 reply; 14+ messages in thread
From: Skip Tavakkolian @ 2004-07-23 17:06 UTC (permalink / raw)
  To: 9fans

>> it is in plain text because it's hard to say which
>> particular scrambling algorithm, if any,
>> will be used to talk to those other systems.
>
> Imagine if we were discussing a building, and the building codes specified
> that since physical key standards vary, all entrances would have doormats
> under which one could find a key that opens the door.
>
> The problem comes from the naivete of IT standards bodies about matters of
> authority. City Hall must be behind the standards, and must see that they
> are enforced.
>
> Wes Kussmaul

Physically secure the console.




* Re: [9fans] plain passwords and keyfs
  2004-07-24  7:32       ` Sam
@ 2004-07-23 17:29         ` andrey mirtchovski
  2004-07-23 23:24         ` Bruce Ellis
  1 sibling, 0 replies; 14+ messages in thread
From: andrey mirtchovski @ 2004-07-23 17:29 UTC (permalink / raw)
  To: 9fans

> So 'root' on plan9 is anyone with access to the auth console.
>
> Good to know. ;)

that's always been the case.  see the "Special Users" section of the
"Plan 9 from Bell Labs" paper (9.{html,ps,pdf})...

with the tiny difference that the file server it describes can't run
user processes, of course :)




* Re: [9fans] plain passwords and keyfs
  2004-07-23 16:47     ` andrey mirtchovski
@ 2004-07-23 17:38       ` Wes Kussmaul
  0 siblings, 0 replies; 14+ messages in thread
From: Wes Kussmaul @ 2004-07-23 17:38 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs



> we're talking about a rental property after all. :)

I know what you mean. But in the physical world commercial landlords have to
be even more careful about building codes than owner/occupants.





* Re: [9fans] plain passwords and keyfs
  2004-07-24  7:32       ` Sam
  2004-07-23 17:29         ` andrey mirtchovski
@ 2004-07-23 23:24         ` Bruce Ellis
  1 sibling, 0 replies; 14+ messages in thread
From: Bruce Ellis @ 2004-07-23 23:24 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

if i can access a "secure" console i can steal an equally insecure disk.
or simply grab all the backups.
if someone breaks into my office they go to jail (it's happened).

brucee

Sam wrote:
> So 'root' on plan9 is anyone with access to the auth console.
>
> Good to know. ;)




* Re: [9fans] plain passwords and keyfs
  2004-07-23 17:06     ` Skip Tavakkolian
@ 2004-07-24  7:32       ` Sam
  2004-07-23 17:29         ` andrey mirtchovski
  2004-07-23 23:24         ` Bruce Ellis
  0 siblings, 2 replies; 14+ messages in thread
From: Sam @ 2004-07-24  7:32 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

So 'root' on plan9 is anyone with access to the auth console.

Good to know. ;)




* Re: [9fans] plain passwords and keyfs
  2004-07-25 19:19       ` Charles Forsyth
@ 2004-07-25 20:00         ` Steve Simon
  0 siblings, 0 replies; 14+ messages in thread
From: Steve Simon @ 2004-07-25 20:00 UTC (permalink / raw)
  To: 9fans

I stand corrected.

-Steve



* Re: [9fans] plain passwords and keyfs
  2004-07-24 13:48     ` Steve Simon
@ 2004-07-25 19:19       ` Charles Forsyth
  2004-07-25 20:00         ` Steve Simon
  0 siblings, 1 reply; 14+ messages in thread
From: Charles Forsyth @ 2004-07-25 19:19 UTC (permalink / raw)
  To: 9fans


it's for the pop3 server side for non-plan9 clients
to collect mail by pop3 from a plan 9 mail service
using md5 authentication (hash a challenge using a secret),
for instance.  the protocol requires the server to know
the secret, not just a hash of it.

as it happens, factotum is in the pop3 server loop
on the server, but it doesn't access the secret directly.
that's left to authsrv, because it has access to keyfs.
either way, something on a server must store the real
secret; this way, it's only stored on an auth server,
which is potentially better protected and might only do auth serving
(for instance).
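
The point made in the message above, as an added example that is not part of the original thread or of Plan 9's code: a POP3 MD5 challenge-response in the style of APOP (RFC 1939) can only be verified by a party that holds the real secret, so a store that keeps only a one-way hash cannot serve it. The class and function names, the user, the secret and the host name are constructed for illustration, and the split between the mail-server role and `AuthServer` only sketches the arrangement described, not the actual authsrv protocol.

```python
import hashlib
import hmac
import secrets


def apop_digest(challenge, secret):
    """APOP (RFC 1939): hex MD5 of the challenge followed by the shared secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


class AuthServer:
    """Hypothetical stand-in for the auth server: the only holder of real secrets."""

    def __init__(self, users):
        self._secret = dict(users)

    def check(self, user, challenge, response):
        secret = self._secret.get(user)
        if secret is None:
            return False
        return hmac.compare_digest(apop_digest(challenge, secret), response)


class HashOnlyStore:
    """Unix-style store keeping only a one-way hash of each password."""

    def __init__(self, users):
        self._hash = {u: hashlib.sha256(s.encode()).hexdigest() for u, s in users.items()}

    def check(self, user, challenge, response):
        stored = self._hash.get(user)
        if stored is None:
            return False
        # The client mixed the real secret into its digest; this store can only
        # mix in the hash, so the two digests do not agree.
        return hmac.compare_digest(apop_digest(challenge, stored), response)


def pop3_login(verifier, user, secret_typed_by_client):
    """Mail server role: issue a challenge and relay the response; it holds no secret."""
    challenge = "<%s@mail.example>" % secrets.token_hex(8)
    response = apop_digest(challenge, secret_typed_by_client)  # computed client-side
    return verifier.check(user, challenge, response)


def demo():
    users = {"glenda": "constructed-pop3-secret"}  # constructed sample data
    return {
        "plaintext_ok": pop3_login(AuthServer(users), "glenda", "constructed-pop3-secret"),
        "plaintext_wrong": pop3_login(AuthServer(users), "glenda", "guess"),
        "hash_only": pop3_login(HashOnlyStore(users), "glenda", "constructed-pop3-secret"),
    }
```

If the clients were changed to hash the password first so that `HashOnlyStore` could verify them, the stored hash would itself become the login secret, which is no better than storing the plain text.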


* Re: [9fans] plain passwords and keyfs
  2004-07-24  8:45   ` Charles Forsyth
@ 2004-07-24 13:48     ` Steve Simon
  2004-07-25 19:19       ` Charles Forsyth
  0 siblings, 1 reply; 14+ messages in thread
From: Steve Simon @ 2004-07-24 13:48 UTC (permalink / raw)
  To: 9fans

Surely the pop3 password in keyfs is now historic
(and could be deleted) given that we now have factotum?

-Steve



* Re: [9fans] plain passwords and keyfs
  2004-07-23 17:46 ` Enrique Soriano
@ 2004-07-24  8:45   ` Charles Forsyth
  2004-07-24 13:48     ` Steve Simon
  0 siblings, 1 reply; 14+ messages in thread
From: Charles Forsyth @ 2004-07-24  8:45 UTC (permalink / raw)
  To: 9fans


if you don't set a pop3 password in keyfs there won't be one in the clear (in `secret').
plan 9 itself doesn't need that password except to support pop3 clients
(and similar).  if you don't use pop3 you don't need it.
the administrator of the auth server can still shuffle the contents of the plan 9 `key'
files to masquerade for instance but cannot see the original plain text key.
thus your secret is safe unless it's in `secret',
because `key' doesn't contain the original key.

in any case, the casual snooping possible with Unix/Linux's `root' is a little
more tedious to do on Plan 9, and immutable logs in changeuser/keyfs
might discourage it further.


* Re: [9fans] plain passwords and keyfs
       [not found] <5d791b8fa2a574fb6cc322e97696054c@terzarima.net>
@ 2004-07-23 17:46 ` Enrique Soriano
  2004-07-24  8:45   ` Charles Forsyth
  0 siblings, 1 reply; 14+ messages in thread
From: Enrique Soriano @ 2004-07-23 17:46 UTC (permalink / raw)
  To: 9fans


On 23/07/2004, at 18:10, Charles Forsyth wrote:

> the Plan 9 password is scrambled, into key not secret.
> secret is used for access to other systems.
> i don't think you must set it.

I used auth/changeuser to add the users (I didn't use the keyfs
filesystem directly).

> it is in plain text because it's hard to say which
> particular scrambling algorithm, if any,
> will be used to talk to those other systems.

Thanks.

Q.


