From: Chris Silva <ack@xmission.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] dist updates from sources.cs.bell-labs.com
Date: Mon, 28 Oct 2002 15:21:00 -0700 [thread overview]
Message-ID: <89A47F43-EAC3-11D6-BA26-0030659642C4@xmission.com> (raw)
In-Reply-To: <145d478c47c6a52b1c658b89d43618fa@plan9.bell-labs.com>
term% 8.debug
p9sk1 key: dom=outside.plan9.bell-labs.com proto=p9sk1 user=cls
cannot dial auth server: no auth server found for
outside.plan9.bell-labs.com
csquery authdom=outside.plan9.bell-labs.com auth=* failed
csquery dom=outside.plan9.bell-labs.com auth=''
dial net!!ticket failed: cs: can't translate address
term%
this is what is at the end of /lib/ndb/local:
auth=sources.cs.bell-labs.com authdom=outside.plan9.bell-labs.com
On Monday, October 28, 2002, at 02:19 PM, Russ Cox wrote:
> auth/debug is new. you have to pull to get it. ;-)
>
> put this in /sys/src/cmd/auth as debug.c and then mk 8.debug; 8.debug
>
> /*
> * Test various aspects of the authentication setup.
> */
>
> #include <u.h>
> #include <libc.h>
> #include <bio.h>
> #include <ndb.h>
> #include <auth.h>
> #include <authsrv.h>
>
> void
> usage(void)
> {
> fprint(2, "usage: auth/debug\n");
> exits("usage");
> }
>
> static char*
> readcons(char *prompt, char *def, int raw, char *buf, int nbuf)
> {
> int fdin, fdout, ctl, n, m;
> char line[10];
>
> fdin = open("/dev/cons", OREAD);
> if(fdin < 0)
> fdin = 0;
> fdout = open("/dev/cons", OWRITE);
> if(fdout < 0)
> fdout = 1;
> if(def != nil)
> fprint(fdout, "%s[%s]: ", prompt, def);
> else
> fprint(fdout, "%s: ", prompt);
> if(raw){
> ctl = open("/dev/consctl", OWRITE);
> if(ctl >= 0)
> write(ctl, "rawon", 5);
> } else
> ctl = -1;
>
> m = 0;
> for(;;){
> n = read(fdin, line, 1);
> if(n == 0){
> close(ctl);
> werrstr("readcons: EOF");
> return nil;
> }
> if(n < 0){
> close(ctl);
> werrstr("can't read cons");
> return nil;
> }
> if(line[0] == 0x7f)
> exits(0);
> if(n == 0 || line[0] == '\n' || line[0] == '\r'){
> if(raw){
> write(ctl, "rawoff", 6);
> write(fdout, "\n", 1);
> close(ctl);
> }
> buf[m] = '\0';
> if(buf[0]=='\0' && def)
> strcpy(buf, def);
> return buf;
> }
> if(line[0] == '\b'){
> if(m > 0)
> m--;
> }else if(line[0] == 0x15){ /* ^U: line kill */
> m = 0;
> if(def != nil)
> fprint(fdout, "%s[%s]: ", prompt, def);
> else
> fprint(fdout, "%s: ", prompt);
> }else{
> if(m >= nbuf-1){
> fprint(fdout, "line too long\n");
> m = 0;
> if(def != nil)
> fprint(fdout, "%s[%s]: ", prompt, def);
> else
> fprint(fdout, "%s: ", prompt);
> }else
> buf[m++] = line[0];
> }
> }
> return buf; /* how does this happen */
> }
>
> void authdialfutz(char*, char*);
> void authfutz(char*, char*);
>
> /* scan factotum for p9sk1 keys; check them */
> void
> debugfactotumkeys(void)
> {
> char *s, *dom, *proto, *user;
> int found;
> Attr *a;
> Biobuf *b;
>
> b = Bopen("/mnt/factotum/ctl", OREAD);
> if(b == nil){
> fprint(2, "cannot open /mnt/factotum/ctl");
> return;
> }
> found = 0;
> while((s = Brdstr(b, '\n', 1)) != nil){
> if(strncmp(s, "key ", 4) != 0){
> print("malformed ctl line: %s\n", s);
> free(s);
> continue;
> }
> a = _parseattr(s+4);
> free(s);
> proto = _str_findattr(a, "proto");
> if(proto==nil || strcmp(proto, "p9sk1")!=0)
> continue;
> dom = _str_findattr(a, "dom");
> if(dom == nil){
> print("p9sk1 key with no dom: %A\n", a);
> _freeattr(a);
> continue;
> }
> user = _str_findattr(a, "user");
> if(user == nil){
> print("p9sk1 key with no user: %A\n", a);
> _freeattr(a);
> continue;
> }
> print("p9sk1 key: %A\n", a);
> found = 1;
> authdialfutz(dom, user);
> _freeattr(a);
> }
> if(!found)
> print("no p9sk1 keys found in factotum\n");
> }
>
> void
> authdialfutz(char *dom, char *user)
> {
> int fd;
> Ndbtuple *nt;
> char server[Ndbvlen];
> char *addr;
>
> fd = authdial(nil, dom);
> if(fd >= 0){
> print("\tsuccessfully dialed auth server\n");
> close(fd);
> authfutz(dom, user);
> return;
> }
> print("\tcannot dial auth server: %r\n");
> nt = csgetval(nil, "authdom", dom, "auth", server);
> if(nt){
> print("\tcsquery authdom=%q auth=%s\n", dom, server);
> return;
> }
> print("\tcsquery authdom=%q auth=* failed\n", dom);
> nt = csgetval(nil, "dom", dom, "auth", server);
> if(nt){
> print("\tcsquery dom=%q auth=%q\n", dom, server);
> return;
> }
> print("\tcsquery dom=%q auth=%q\n", dom, server);
>
> fd = dial(addr=netmkaddr(server, nil, "ticket"), 0, 0, 0);
> if(fd >= 0){
> print("\tdial %s succeeded\n", addr);
> close(fd);
> return;
> }
> print("\tdial %s failed: %r\n", addr);
> }
>
> void
> authfutz(char *dom, char *user)
> {
> int fd, nobootes;
> char pw[128], prompt[128], key[DESKEYLEN], booteskey[DESKEYLEN],
> tbuf[2*TICKETLEN],
> trbuf[TICKREQLEN];
> Ticket t;
> Ticketreq tr;
>
> snprint(prompt, sizeof prompt, "\tpassword for %s@%s [hit enter to
> skip test]", user, dom);
> readcons(prompt, nil, 1, pw, sizeof pw);
> if(pw[0] == '\0')
> return;
> passtokey(key, pw);
>
> fd = authdial(nil, dom);
> if(fd < 0){
> print("\tauthdial failed(!): %r\n");
> return;
> }
>
> /* try ticket request using just user key */
> tr.type = AuthTreq;
> strecpy(tr.authid, tr.authid+sizeof tr.authid, user);
> strecpy(tr.authdom, tr.authdom+sizeof tr.authdom, dom);
> strecpy(tr.hostid, tr.hostid+sizeof tr.hostid, user);
> strecpy(tr.uid, tr.uid+sizeof tr.uid, user);
> memset(tr.chal, 0xAA, sizeof tr.chal);
> convTR2M(&tr, trbuf);
> if(_asgetticket(fd, trbuf, tbuf) < 0){
> close(fd);
> print("\t_asgetticket failed: %r\n");
> return;
> }
> convM2T(tbuf, &t, key);
> if(t.num != AuthTc){
> print("\tcannot decrypt ticket1 from auth server (bad
> t.num=0x%.2ux)\n", t.num);
> print("\tauth server and you do not agree on key for
> %s@%s\n", user, dom);
> return;
> }
> if(memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
> print("\tbad challenge1 from auth server got %.*H wanted %.*H\n",
> sizeof t.chal, t.chal, sizeof tr.chal, tr.chal);
> print("\tauth server is rogue\n");
> return;
> }
>
> convM2T(tbuf+TICKETLEN, &t, key);
> if(t.num != AuthTs){
> print("\tcannot decrypt ticket2 from auth server (bad
> t.num=0x%.2ux)\n", t.num);
> print("\tauth server and you do not agree on key for
> %s@%s\n", user, dom);
> return;
> }
> if(memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
> print("\tbad challenge2 from auth server got %.*H wanted %.*H\n",
> sizeof t.chal, t.chal, sizeof tr.chal, tr.chal);
> print("\tauth server is rogue\n");
> return;
> }
> print("\tticket request using %s@%s key succeeded\n", user, dom);
>
> /* try ticket request using bootes key */
> snprint(prompt, sizeof prompt, "\tcpu server owner for domain
> %s ", dom);
> readcons(prompt, "bootes", 0, tr.authid, sizeof tr.authid);
> convTR2M(&tr, trbuf);
> if(_asgetticket(fd, trbuf, tbuf) < 0){
> close(fd);
> print("\t_asgetticket failed: %r\n");
> return;
> }
> convM2T(tbuf, &t, key);
> if(t.num != AuthTc){
> print("\tcannot decrypt ticket1 from auth server (bad
> t.num=0x%.2ux)\n", t.num);
> print("\tauth server and you do not agree on key for
> %s@%s\n", user, dom);
> return;
> }
> if(memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
> print("\tbad challenge1 from auth server got %.*H wanted %.*H\n",
> sizeof t.chal, t.chal, sizeof tr.chal, tr.chal);
> print("\tauth server is rogue\n");
> return;
> }
>
> snprint(prompt, sizeof prompt, "\tpassword for %s@%s [hit enter to
> skip test]", tr.authid, dom);
> readcons(prompt, nil, 1, pw, sizeof pw);
> if(pw[0] == '\0'){
> nobootes=1;
> goto Nobootes;
> }
> nobootes = 0;
> passtokey(booteskey, pw);
>
> convM2T(tbuf+TICKETLEN, &t, booteskey);
> if(t.num != AuthTs){
> print("\tcannot decrypt ticket2 from auth server (bad
> t.num=0x%.2ux)\n", t.num);
> print("\tauth server and you do not agree on key for
> %s@%s\n", tr.authid, dom);
> return;
> }
> if(memcmp(t.chal, tr.chal, sizeof tr.chal) != 0){
> print("\tbad challenge2 from auth server got %.*H wanted %.*H\n",
> sizeof t.chal, t.chal, sizeof tr.chal, tr.chal);
> print("\tauth server is rogue\n");
> return;
> }
> print("\tticket request using %s@%s key succeeded\n", tr.authid, dom);
>
> Nobootes:;
>
> /* try p9sk1 exchange with local factotum to test that key is right */
>
>
> /*
> * try p9sk1 exchange with factotum on
> * auth server (assumes running cpu service)
> * to test that bootes key is right over there
> */
>
> }
>
> void
> main(int argc, char **argv)
> {
> quotefmtinstall();
> fmtinstall('A', _attrfmt);
> fmtinstall('H', encodefmt);
>
> ARGBEGIN{
> default:
> usage();
> }ARGEND
>
> if(argc != 0)
> usage();
>
> debugfactotumkeys();
> }
>
next prev parent reply other threads:[~2002-10-28 22:21 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-10-28 21:19 Russ Cox
2002-10-28 22:21 ` Chris Silva [this message]
-- strict thread matches above, loose matches on Subject: below --
2002-10-29 1:57 YAMANASHI Takeshi
2002-10-28 23:21 Russ Cox
2002-10-29 1:48 ` Chris Silva
2002-10-26 18:20 Russ Cox
2002-10-28 20:01 ` Chris Silva
2002-10-26 16:21 Chris Silva
2002-10-23 20:12 Russ Cox
2002-10-23 13:50 Russ Cox
2002-10-23 16:43 ` Chris Silva
2002-10-23 18:43 ` andrey mirtchovski
2002-10-23 18:52 ` Dan Cross
2002-10-23 19:01 ` andrey mirtchovski
2002-10-23 23:14 ` Chris Silva
2002-10-23 9:56 Chris Silva
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=89A47F43-EAC3-11D6-BA26-0030659642C4@xmission.com \
--to=ack@xmission.com \
--cc=9fans@cse.psu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).