From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID: <9bb37ac32882831072549bea8c110a71@quanstro.net>
To: 9fans@9fans.net
From: erik quanstrom
Date: Tue, 6 May 2008 10:08:02 -0400
In-Reply-To:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] Factotum
Topicbox-Message-UUID: 9fd76bb4-ead3-11e9-9d60-3106f5b1d025

>> i'd like to see a way of asking factotum "please save your keys to secstore",
>> although there's some difficulty getting it right, as there are
>> potentially many factotums
>> to one secstore, or even worse, several secstores.
>>
>
> Plumbing? May not help with multiple secstores and/or factotums but
> having multiples of these seems like a bother. Should there be some
> way to safely consolidate the services? Or am I just being security
> naive?
>
> -eric

one would generally have multiple factotums if logged into two
terminals at the same time. the cpu hostowner has one factotum per
cpu server. coraid, for example, has ~5 main cpu servers.

one would generally have one secstore per authentication domain.
i can't reasonably merge my home secstore server and the one at
work, even if the network were perfectly reliable.

that being said, i don't think that there really is a problem if
the process of moving keys from factotum to secstore were manually
driven, as in

	echo dumpkeys secstore.example.com > /mnt/factotum/ctl

another solution would be a command line tool that generates and
prints the long-term key so it can be manually entered into secstore.
i like this solution better because it keeps the information flow
unidirectional. one can trust a factotum too much.

- erik