9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: James A. Robinson @ 2016-11-15 17:00 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


Folks,

For a multi-machine network of Plan 9 services, would it be
normal to have an authsrv machine that only runs that service,
and uses a standalone local filesystem, and then have a separate
server running dns+dhcp+tftp to PXE boot client machines.  The
latter would be backed by a 3rd machine that is the fileserver.

I'm trying to figure out the optimal way to maintain the systems
without duplicating work, and running an auth+dns+dhcp+tftp
server now appears to require maintenance of two separate filesystems
to manage the /lib/ndb/* and kernel files.


Jim


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: Steve Simon @ 2016-11-15 17:10 UTC (permalink / raw)
  To: 9fans

I have a single cpu/auth/dns/dhcp/tftp/file server,
and a raspberry pi terminal.

The obvious change would be to add a separate raspberry pi as an
auth server, booting off its own sdcard (if memory serves,
the auth server needs to be up first).

If I were to do this I would probably make it backup its flash card
to an external flash card in a usb adapter every night or so
(if there are changes) to give it some protection.

This would mean there is really only one system to maintain, the auth server's,
and this is static except for /sys/log and /adm on password changes.

-Steve


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: Stanley Lieber @ 2016-11-15 18:47 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs, James A. Robinson

"James A. Robinson" <jim.robinson@gmail.com> wrote:

>Folks,
>
>For a multi-machine network of Plan 9 services, would it be
>normal to have an authsrv machine that only runs that service,
>and uses a standalone local filesystem, and then have a separate
>server running dns+dhcp+tftp to PXE boot client machines.  The
>latter would be backed by a 3rd machine that is the fileserver.
>
>I'm trying to figure out the optimal way to maintain the systems
>without duplicating work, and running an auth+dns+dhcp+tftp
>server now appears to require maintenance of two separate filesystems
>to manage the /lib/ndb/* and kernel files.
>
>
>Jim

The idea is that there is one file system shared by all the neighboring systems. The canonical Plan 9 installation comprises one disk file server and many diskless computing machines (auth servers, cpu servers, terminals).

sl


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: James A. Robinson @ 2016-11-15 18:53 UTC (permalink / raw)
  To: Stanley Lieber, Fans of the OS Plan 9 from Bell Labs


So in a canonical installation the auth server mounts its root from the
file server?

On Tue, Nov 15, 2016 at 10:47 AM Stanley Lieber <sl@9front.org> wrote:

> The idea is that there is one file system shared by all the neighboring
> systems. The canonical Plan 9 installation comprises one disk file server
> and many diskless computing machines (auth servers, cpu servers, terminals).
>


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: Stanley Lieber @ 2016-11-15 19:05 UTC (permalink / raw)
  To: James A. Robinson, Fans of the OS Plan 9 from Bell Labs

"James A. Robinson" <jim.robinson@gmail.com> wrote:

>So in a canonical installation the auth server mounts its root from the
>file server?
>
>On Tue, Nov 15, 2016 at 10:47 AM Stanley Lieber <sl@9front.org> wrote:
>
>> The idea is that there is one file system shared by all the
>neighboring
>> systems. The canonical Plan 9 installation comprises one disk file
>server
>> and many diskless computing machines (auth servers, cpu servers,
>terminals).
>>

Yes. You can arrange for hands-free booting by storing the same authid/authdom/password in the nvram of both the file server and the auth server. I usually boot the auth server from a 9fat partition or a USB key, then tcp (actually, tls) mount the root file system from the file server.

sl


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: James A. Robinson @ 2016-11-15 19:22 UTC (permalink / raw)
  To: Stanley Lieber, Fans of the OS Plan 9 from Bell Labs


Ah, ok.  I'll try that.  Thank you!


On Tue, Nov 15, 2016 at 11:05 AM Stanley Lieber <sl@9front.org> wrote:

> "James A. Robinson" <jim.robinson@gmail.com> wrote:
>
> >So in a canonical installation the auth server mounts its root from the
> >file server?
> >
> >On Tue, Nov 15, 2016 at 10:47 AM Stanley Lieber <sl@9front.org> wrote:
> >
> >> The idea is that there is one file system shared by all the
> >neighboring
> >> systems. The canonical Plan 9 installation comprises one disk file
> >server
> >> and many diskless computing machines (auth servers, cpu servers,
> >terminals).
> >>
>
> Yes. You can arrange for hands-free booting by storing the same
> authid/authdom/password in the nvram of both the file server and the auth
> server. I usually boot the auth server from a 9fat partition or a USB key,
> then tcp (actually, tls) mount the root file system from the file server.
>
> sl
>
>


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: Ole-Hjalmar Kristensen @ 2016-11-15 19:52 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


On Tue, Nov 15, 2016 at 8:05 PM, Stanley Lieber <sl@9front.org> wrote:

> "James A. Robinson" <jim.robinson@gmail.com> wrote:
>
> >So in a canonical installation the auth server mounts its root from the
> >file server?
> >
> >On Tue, Nov 15, 2016 at 10:47 AM Stanley Lieber <sl@9front.org> wrote:
> >
> >> The idea is that there is one file system shared by all the
> >neighboring
> >> systems. The canonical Plan 9 installation comprises one disk file
> >server
> >> and many diskless computing machines (auth servers, cpu servers,
> >terminals).
> >>
>
> Yes. You can arrange for hands-free booting by storing the same
> authid/authdom/password in the nvram of both the file server and the auth
> server. I usually boot the auth server from a 9fat partition or a USB key,
> then tcp (actually, tls) mount the root file system from the file server.
>
> sl
>
>
Is this the reason that it is actually possible to boot a combined
auth/cpu/file server at all? I mean, the auth server stores /adm/keys on
the file server, right? And normally you would need to authenticate
yourself to attach to the file server, which would be kind of difficult,
since it is the auth server that is trying to access the key file...

Ole-Hj.


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: Stanley Lieber @ 2016-11-15 20:06 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs, Ole-Hjalmar Kristensen

Ole-Hjalmar Kristensen <ole.hjalmar.kristensen@gmail.com> wrote:

>On Tue, Nov 15, 2016 at 8:05 PM, Stanley Lieber <sl@9front.org> wrote:
>
>> "James A. Robinson" <jim.robinson@gmail.com> wrote:
>>
>> >So in a canonical installation the auth server mounts its root from
>the
>> >file server?
>> >
>> >On Tue, Nov 15, 2016 at 10:47 AM Stanley Lieber <sl@9front.org>
>wrote:
>> >
>> >> The idea is that there is one file system shared by all the
>> >neighboring
>> >> systems. The canonical Plan 9 installation comprises one disk file
>> >server
>> >> and many diskless computing machines (auth servers, cpu servers,
>> >terminals).
>> >>
>>
>> Yes. You can arrange for hands-free booting by storing the same
>> authid/authdom/password in the nvram of both the file server and the
>auth
>> server. I usually boot the auth server from a 9fat partition or a USB
>key,
>> then tcp (actually, tls) mount the root file system from the file
>server.
>>
>> sl
>>
>>
>Is this the reason that it is actually possible to boot a combined
>auth/cpu/file server at all? I mean, the auth server stores /adm/keys
>on
>the file server, right? And normally you would need to authenticate
>yourself to attach to the file server, which would be kind of
>difficult,
>since it is the auth server that is trying to access the key file...
>
>Ole-Hj.

Yes. File server boots and loads its key from nvram into factotum. Auth server does the same. If both credentials match, the two machines will agree to talk to each other. The ticket is "forged" and factotum realizes it has enough information to perform the authentication without needing to consult the actual auth server.

sl


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: cinap_lenrek @ 2016-11-15 20:12 UTC (permalink / raw)
  To: 9fans

> Is this the reason that it is actually possible to boot a combined
> auth/cpu/file server at all?

no. the reason this works is that the fileserver and authserver share
the same key (authid and password) so factotum can make up auth tickets
using the key it already knows, skipping the authentication server.

this is especially true if everything runs on a combined cpu/fs/auth,
then factotum basically talks to itself thru the 9p auth file thru the
fileserver :-)

note this also happens when you boot off a cpu server from its own
local fileserver. for a stand alone terminal with a local disk you
won't necessarily have a key so you have to disable authentication
on your local disk fileserver in that case.

this mechanism is also useful when your authentication server is
unreachable or offline. then you can still logon as the hostowner
of the affected machine.

the fact that the key comes from nvram is irrelevant. if it were not
there factotum will prompt for the information on boot (cpu/file
servers only).

--
cinap

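The point made by both Stanley Lieber and cinap above (a file server and an auth server that hold the same authid/authdom/password can authenticate to each other without any round trip to the auth server) is modelled here as an added example. It is not Plan 9 code and does not follow the real p9sk1 wire format: the key derivation and the HMAC ticket are a simplified stand-in, and the machine names and passwords are constructed.

```python
import hashlib
import hmac
import secrets


def host_key(authid: str, authdom: str, password: str) -> bytes:
    """Derive a shared key from the triple each machine keeps in nvram.

    Simplified stand-in (assumption): Plan 9 derives its key differently;
    what matters here is that identical triples yield identical keys.
    """
    return hashlib.sha256(f"{authid}@{authdom}:{password}".encode()).digest()


def mint_ticket(key: bytes, challenge: bytes, client_id: str) -> bytes:
    """What a factotum can do locally when it already holds the server's key:
    bind the server's challenge to the client identity under that key."""
    return hmac.new(key, challenge + client_id.encode(), hashlib.sha256).digest()


class FileServer:
    """Disk file server; its factotum loaded the key from nvram at boot."""

    def __init__(self, authid: str, authdom: str, password: str) -> None:
        self.key = host_key(authid, authdom, password)
        self.chal = b""

    def challenge(self) -> bytes:
        # Fresh nonce per attach so a captured ticket cannot be replayed.
        self.chal = secrets.token_bytes(8)
        return self.chal

    def attach(self, client_id: str, ticket: bytes) -> bool:
        expected = mint_ticket(self.key, self.chal, client_id)
        return hmac.compare_digest(expected, ticket)


def boot_attach(fs: FileServer, client_key: bytes, client_id: str) -> bool:
    """Diskless machine attaching its root at boot: the ticket is 'forged'
    from the locally held key, so no auth server is contacted."""
    chal = fs.challenge()
    return fs.attach(client_id, mint_ticket(client_key, chal, client_id))


def demo() -> tuple[bool, bool]:
    # Constructed values: hostowner 'bootes' in authdom 'example.dom'.
    fs = FileServer("bootes", "example.dom", "correct-horse")
    same = host_key("bootes", "example.dom", "correct-horse")   # auth server nvram
    other = host_key("bootes", "example.dom", "wrong-pass")     # mismatched nvram
    return boot_attach(fs, same, "bootes"), boot_attach(fs, other, "bootes")
```

The second result shows the failure mode cinap describes for a machine without a matching key: with nothing a local factotum can mint, the attach has to go through a real auth server or authentication has to be disabled on that file server.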

* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: cinap_lenrek @ 2016-11-16  0:21 UTC (permalink / raw)
  To: 9fans

you might take a look at 9front devtls and libsec. it does support
tls1.1 and tls1.2. including ecdsa, ecdhe, both variants of
chacha20-poly1305 and aes-gcm aead cipher suites...

i updated drawterm with the code and try to keep it in sync, and it
should not be too difficult to port back to labs plan9.

--
cinap


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: James A. Robinson @ 2016-11-16  0:24 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs


That sounds *very* useful.  Thank you!  I had 9atom installed, but was
planning to try out 9front next (probably this weekend).

Jim


On Tue, Nov 15, 2016 at 4:23 PM <cinap_lenrek@felloff.net> wrote:

> you might take a look at 9front devtls and libsec. it does support
> tls1.1 and tls1.2. including ecdsa, ecdhe, both variants of
> chacha20-poly1305 and aes-gcm aead cipher suites...
>
> i updated drawterm with the code and try to keep it in sync, and it
> should not be too difficult to port back to labs plan9.
>


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: Anthony Sorace @ 2016-11-16 13:21 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

I'm not sure there's a single "canonical" answer, but many installations have run the auth server off its own file system, as James originally described. It's been several years now so my memory could be fuzzy, but I believe this is what they did at the main Bell Labs installation. 

> On Nov 15, 2016, at 14:05, Stanley Lieber <sl@9front.org> wrote:
> 
> "James A. Robinson" <jim.robinson@gmail.com> wrote:
> 
>> So in a canonical installation the auth server mounts its root from the
>> file server?
>> 
>>> On Tue, Nov 15, 2016 at 10:47 AM Stanley Lieber <sl@9front.org> wrote:
>>> 
>>> The idea is that there is one file system shared by all the
>> neighboring
>>> systems. The canonical Plan 9 installation comprises one disk file
>> server
>>> and many diskless computing machines (auth servers, cpu servers,
>> terminals).
>>> 
> 
> Yes. You can arrange for hands-free booting by storing the same authid/authdom/password in the nvram of both the file server and the auth server. I usually boot the auth server from a 9fat partition or a USB key, then tcp (actually, tls) mount the root file system from the file server.
> 
> sl
> 


* Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server
From: Stanley Lieber @ 2016-11-16 15:31 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs, Anthony Sorace

Anthony Sorace <a@9srv.net> wrote:

>I'm not sure there's a single "canonical" answer, but many
>installations have run the auth server off its own file system, as
>James originally described. It's been several years now so my memory
>could be fuzzy, but I believe this is what they did at the main Bell
>Labs installation. 
>
>> On Nov 15, 2016, at 14:05, Stanley Lieber <sl@9front.org> wrote:
>> 
>> "James A. Robinson" <jim.robinson@gmail.com> wrote:
>> 
>>> So in a canonical installation the auth server mounts its root from
>the
>>> file server?
>>> 
>>>> On Tue, Nov 15, 2016 at 10:47 AM Stanley Lieber <sl@9front.org>
>wrote:
>>>> 
>>>> The idea is that there is one file system shared by all the
>>> neighboring
>>>> systems. The canonical Plan 9 installation comprises one disk file
>>> server
>>>> and many diskless computing machines (auth servers, cpu servers,
>>> terminals).
>>>> 
>> 
>> Yes. You can arrange for hands-free booting by storing the same
>authid/authdom/password in the nvram of both the file server and the
>auth server. I usually boot the auth server from a 9fat partition or a
>USB key, then tcp (actually, tls) mount the root file system from the
>file server.
>> 
>> sl
>> 

The reason I used the term "canonical" is because this was the arrangement described in the Plan 9 papers. The single file system was touted as one of the central features of the system, and one of its major benefits.

Example benefit: When a diskless system crashes, there is no danger of damage being done to the file system.

sl
