From: Russ Cox <russcox@gmail.com>
To: Steve Simon <steve.simon@snellwilcox.com>
Cc: 9fans@cse.psu.edu
Subject: [9fans] Re: protocol botch
Date: Mon, 19 Apr 2004 13:41:10 -0400 [thread overview]
Message-ID: <ED452C90.AE2BE0B@mail.gmail.com> (raw)
In-Reply-To: <a89593af0d6f07aa1888bf8319148ebe@snellwilcox.com>
The story is this. I'm CC'ing 9fans so that it
ends up in the archives for anyone else
who has trouble.
Auth/keyfs serves the keys from /adm/keydb.
It consults nvram to learn the encryption key
for the database (it uses the p9sk1 key for
bootes to do this), but that is all. Bootes has
its own entry in the key database that had better
have the same key as in the nvram.
Factotum initializes itself using nvram, either
pulling out the p9sk1 key or a secstore key (and
then grabbing a whole file of keys from secstore).
The p9sk1 key for bootes then lives in many places:
1. it is in the nvram on the auth server machine,
used to encrypt the auth db.
2. it is listed in bootes's entry in the key db.
3. it is listed in the secstore file.
4. it is in the nvram of any machine that doesn't use secstore.
5. either via #3 or #4, it gets loaded into the server factotum.
If #1 is not right, auth/keyfs will not be able to decrypt the db.
It is up-to-you to keep #2 through #4 in sync.
Auth/debug checks that the password you type
into auth/debug matches what is in the auth db (#2 above).
It doesn't check the others. In particular, it doesn't
check what ends up in factotum, which would indirectly
check #3 and #4. It could, but it doesn't.
In order for cpu to work between two machines, the
factotums on the two machines (#5) must agree with the
auth server (#2) about the passwords in question.
The big-hammer approach to making this work is to
go to the auth server and run "auth/changeuser bootes"
and "auth/changeuser glenda" and make extra
sure that you type the passwords correctly.
Then reset the keys in factotum using
echo 'key proto=p9sk1 user=whoever dom=my.dom.net \
!password=my-password' >/mnt/factotum/ctl
on the terminal and the cpu server (setting the right user
and password combo on each). Now you should have
reasonable confidence that the auth db and the two
factotums are in sync, and cpu should work.
The factotum debug logs you've been posting show that
all is well until factotum contacts the auth server, at which
point you get a protocol botch. This protocol botch happens
because the factotum and the auth server are speaking at
each other using different encryption keys, so each appears
to be speaking random garbage to the other.
Looking at the logs you've posted, the first botch happens
when the client hands the ticket to the cpu server, suggesting
that the client and the auth server agree about the client
password, but the auth server and the cpu server do not
agree about the server password, so that would be the first
password I tried resetting.
Russ
parent reply other threads:[~2004-04-19 17:41 UTC|newest]
Thread overview: expand[flat|nested] mbox.gz Atom feed
[parent not found: <a89593af0d6f07aa1888bf8319148ebe@snellwilcox.com>]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ED452C90.AE2BE0B@mail.gmail.com \
--to=russcox@gmail.com \
--cc=9fans@cse.psu.edu \
--cc=steve.simon@snellwilcox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).