9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] inferno/pop secrets
@ 2007-04-03 11:18 Steve Simon
  2007-04-03 11:26 ` Federico G. Benavento
  2007-04-03 11:57 ` Russ Cox
  0 siblings, 2 replies; 4+ messages in thread
From: Steve Simon @ 2007-04-03 11:18 UTC (permalink / raw)
  To: 9fans

Hi,

I understand how p9sk1 auth works but have never quite understood how
the inferno/pop password is distributed - this is used for quite a few
protocols plan9 serves - imap, pop, vnc (server) inferno, httpd etc.

It seems to me that all these servers would need to run in the namespace of
auth/keyfs so they can read /mnt/keys/$user/secret to run their auth.

If these servers are to run on a separate cpu server rather than the auth server
itself then this namespace must be securely exported - how is this done?

This piece of the jigsaw doesn't fit in my brain.

-Steve



* Re: [9fans] inferno/pop secrets
  2007-04-03 11:18 [9fans] inferno/pop secrets Steve Simon
@ 2007-04-03 11:26 ` Federico G. Benavento
  2007-04-03 11:57 ` Russ Cox
  1 sibling, 0 replies; 4+ messages in thread
From: Federico G. Benavento @ 2007-04-03 11:26 UTC (permalink / raw)
  To: 9fans

> If these servers are to run on a separate cpu server rather than the auth server
> itself then this namespace must be securely exported - how is this done?

what about using srvfs? I remember when Christoph and I exchanged
our /net's this way.

Federico G. Benavento

---
/bin/fortune:
A dirty mind is a perpetual solace. - Air Commodore Sir Charles Kingsford Smith




* Re: [9fans] inferno/pop secrets
  2007-04-03 11:18 [9fans] inferno/pop secrets Steve Simon
  2007-04-03 11:26 ` Federico G. Benavento
@ 2007-04-03 11:57 ` Russ Cox
  2007-04-03 12:21   ` Steve Simon
  1 sibling, 1 reply; 4+ messages in thread
From: Russ Cox @ 2007-04-03 11:57 UTC (permalink / raw)
  To: Fans of the OS Plan 9 from Bell Labs

On 4/3/07, Steve Simon <steve@quintile.net> wrote:
> I understand how p9sk1 auth works but have never quite understood how
> the inferno/pop password is distributed - this is used for quite a few
> protocols plan9 serves - imap, pop, vnc (server) inferno, httpd etc.
>
> It seems to me that all these servers would need to run in the namespace of
> auth/keyfs so they can read /mnt/keys/$user/secret to run their auth.
>
> If these servers are to run on a separate cpu server rather than the auth server
> itself then this namespace must be securely exported - how is this done?
>
> This piece of the jigsaw doesn't fit in my brain.

The servers don't get to see the raw password.
Instead they offload the authentication parts of their
respective protocols to the auth server.

This means that the auth server (auth/authsrv) knows
all the various password-based protocols.  All the protocols
start off looking like a standard p9sk1 ticket request
but use a different op code and sometimes omit the
user field.  The different op code tells the auth server to
run a protocol-specific conversation (usually some form
of challenge response) before replying with usable tickets.
See authsrv(6).

Now that we have factotum, the apps actually offload
to factotum, which offloads the server side password
computations to auth/authsrv.

No one sees the plaintext password except auth/authsrv.

Russ


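The offload pattern Russ describes, as an added illustration (not code from Plan 9 or from this thread): a simplified Python model in which the application server never holds the user's secret, but only relays a challenge and response to an auth-server stand-in that performs the verification and hands back a ticket. The HMAC challenge-response and the ticket format here are constructed for the example and are not the authsrv(6) wire protocol.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Stand-in for auth/authsrv: the only component holding per-user secrets."""

    def __init__(self, secrets_db):
        self._secrets = dict(secrets_db)   # plays the role of /mnt/keys/$user/secret
        self._pending = {}                 # outstanding nonce -> user (single use)

    def challenge(self, user):
        """Issue a fresh nonce; the app server forwards it to the client verbatim."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = user
        return nonce

    def verify(self, nonce, response):
        """Check the client's response; return a ticket only on success."""
        user = self._pending.pop(nonce, None)  # pop: a nonce cannot be replayed
        if user is None or user not in self._secrets:
            return None
        expected = hmac.new(self._secrets[user], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        # Constructed ticket: something the app server can act on without the secret.
        return {"user": user, "ticket": hashlib.sha256(b"ticket" + nonce).hexdigest()}


class PopServer:
    """Application server on a separate cpu server: it has no access to secrets."""

    def __init__(self, authsrv):
        self.authsrv = authsrv

    def login(self, user, client_respond):
        nonce = self.authsrv.challenge(user)     # ask the auth server for a challenge
        response = client_respond(nonce)         # relay it, collect the answer
        return self.authsrv.verify(nonce, response)  # let authsrv decide


def make_client(secret):
    """Client side: derives the response from its own copy of the secret."""
    def respond(nonce):
        return hmac.new(secret, nonce, hashlib.sha256).digest()
    return respond
```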

* Re: [9fans] inferno/pop secrets
  2007-04-03 11:57 ` Russ Cox
@ 2007-04-03 12:21   ` Steve Simon
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Simon @ 2007-04-03 12:21 UTC (permalink / raw)
  To: 9fans

Aha, ok, all clear now,

Thanks Russ.

-Steve


