9fans - fans of the OS Plan 9 from Bell Labs
From: erik quanstrom <quanstro@coraid.com>
To: schors@gmail.com, 9fans@cse.psu.edu
Subject: Re: [9fans] security model
Date: Thu,  1 Feb 2007 10:31:07 -0500
Message-ID: <4170966a3e192d9b86cbbf65ecf5afbc@coraid.com>

second try... 

i'll take a stab at this.

On Thu Feb  1 08:34:58 EST 2007, schors@gmail.com wrote:
> I installed a combined cpu/auth server.
> I need some explanations of the plan9 security model, because I have
> some trouble understanding the dependencies between factotum, secstore
> and keyfs.
> 
> First I don't understand why I must run auth/secstored on my auth
> server. 

it is not required.  secstore provides secure storage for users. also you
don't need to run secstore on the auth server, but for most people
that's where it makes sense.

> In fact keyfs provide to me interface to keys at nvram, and

keyfs provides an interface to /adm/keys*.  nvram is something different.
on a cpu server, nvram stores the hostowner, and the hostowner's password
(secret) and a few other things so the machine can boot without operator
intervention.  

> secstore provide to me interface to keys at nvram...

no.  secstore is secure storage for users.  however, factotum will consult
secstore for you and try to load keys from the secstore file called
"factotum".  you can store anything you'd like in secstore.

> 
> Second I don't understand what "password" (after "secstore key")
> means in the auth/wrkey dialog. System password? What is a "system password"?

secstore requires a password before it will allow access.  in this case factotum
is trying to retrieve the file "factotum" on your behalf.

> 
> Third I think that I must add all my permanent auth-server users
> (users with remote terminals) of my "auth domain" to secstore on the
> auth-server. 

secstore storage isn't required.

> But cpu-server users of THIS cpu-server I must add to
> factotum too. 

factotum is a proxy, not permanent storage.  factotum is like ssh-agent, but it
works for all (okay, most) of the authentication types plan 9 requires. 
the actual secrets go in /adm/keys.  see auth(8).

>  I must copy some keys from secstore to factotum at boot
> time if I want to grant access to both auth and cpu servers. Am I
> right?

nope.  factotum is run at login time.  the factotum interacts with the user
and secstore to compile a list of keys to hand over to various servers as
your proxy.

> 
> Fourth, why does nobody ask me for a password to access secstore at boot time?

bringing it all back home.  i assume this is on the auth server.  the auth server
is a cpu server.  the assumption is that there is physical security of this box.
the hostowner and key are kept in nvram.  if you are not comfortable with this
(and you can live with the auth server being down until you're at the console
to enter the hostowner and password), you don't need an nvram file and you
can wipe it clean on a pc with
	dd -if /dev/zero -of /dev/$disk/nvram -count 1

- erik

