Re: [9fans] Drawterm and security

[Skip Tavakkolian <9nut@9netics.com>]

With drawterm, everything is running on the cpu, and drawterm
is just 'exportfs'ing your local namespace (for things like keyboard,
mouse, etc.) I'm guessing that YOUR factotum (your authentication
agent) is not running.  I've attached dt_factotum, which I
got from geoff.  You run it on the cpu (in you're drawterm session),
once you've successfully drawterm'ed in.

term% cat $home/bin/rc/dt_factotum
#!/bin/rc

if (! test -f /srv/factotum.$user)
	auth/factotum -s factotum.$user
mount -b /srv/factotum.$user /mnt

> I'm about to drive my fist through the monitor.  I think
> I'm generally a fairly intelligent person and I generally
> understand the Plan9 paper on security, but I'm having
> a serious disconnect between that and how it's implemented
> in practice.  Last night I was successfully connected between
> a Linux box and my Plan9 file/cpu server with drawterm.
> This morning I realized that I was unable to authenticate
> to sources from the fs/cpu server so started to try to
> fix my /lib/ndb/local to address the problem.  Nothing
> seemed to work and worse yet, now drawterm is broken with
> the infamous "cannot authenticate with p9" message even when
> returning to the same /lib/ndb/local.  What exactly are the
> necessary and sufficient conditions for making drawterm work
> and likewise for access to sources?  auth/debug appears to be
> fine and /sys/log/auth also seems fine.  I'm assuming that the
> auth=sources... line must be there.  Does it break things to
> have additional auth=bootes and authdom=home in the section
> that describes the local net?  factotum is the only piece of
> the current security system that hasn't seemed like black
> magic to me.  Any wisdom is welcome.  Even a recipe would
> be welcome at this point.
>
> Brian L. Stuart