9fans - fans of the OS Plan 9 from Bell Labs
 help / color / mirror / Atom feed
* Re: [9fans] factotum/ssh issue
@ 2002-11-11 16:56 Russ Cox
  2002-11-11 17:29 ` Sam
  0 siblings, 1 reply; 4+ messages in thread
From: Russ Cox @ 2002-11-11 16:56 UTC (permalink / raw)
  To: 9fans

> I have a minor nitpick, though.  When I ssh'd into a unix
> box for the first time I was prompted to add the key
> (not real security, but good enough for me), then I was
> asked for the password to the machine.  My trigger happy finger
> decided to hit enter, thereby entering a nil password
> and failing to authenticate.  Further attempts to
> ssh into the machine failed because factotum stored the
> incorrect password.  I needed to become accustomed to
> key management with factotum anyway, but it still seems improper
> to store the password if password authentication fails.

I agree.  This has bugged me for a while, but I'm
just not sure what to do.  If authentication fails,
should the key be silently removed from the key store?
Maybe, but I think that would be just as surprising.

> I looked at removing the server key if ssh password authentication
> fails, but there doesn't seem to be an rpc mechanism in factotum
> to do this.

Nothing is stopping the application from doing
	echo delkey whatever >/mnt/factotum/ctl

There are lots of little things about factotum that
bug me.

Russ



^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [9fans] factotum/ssh issue
@ 2002-11-11 15:36 Skip Tavakkolian
  0 siblings, 0 replies; 4+ messages in thread
From: Skip Tavakkolian @ 2002-11-11 15:36 UTC (permalink / raw)
  To: 9fans

(Just a thought!)
What if the client process propagated the final part of the
negotiations to the client factotum, identifying it as 'failed' or
'succeeded'.  When the client factotum receives a 'failed', it could
insert a new attribute (maybe 'needkey=').  into that tuple.  Then
when client factoum gets a 'start' again, user would be prompted,
perhaps with the public attributes of the existing tuple as default.
The reason to use a new attribute instead of 'confirm=' is to make the
distinction of providing defaults or not.

> I have a minor nitpick, though.  When I ssh'd into a unix
> box for the first time I was prompted to add the key
> (not real security, but good enough for me), then I was
> asked for the password to the machine.  My trigger happy finger
> decided to hit enter, thereby entering a nil password
> and failing to authenticate.  Further attempts to
> ssh into the machine failed because factotum stored the
> incorrect password.  I needed to become accustomed to
> key management with factotum anyway, but it still seems improper
> to store the password if password authentication fails.



^ permalink raw reply	[flat|nested] 4+ messages in thread
* [9fans] factotum/ssh issue
@ 2002-11-11 14:43 Sam
  0 siblings, 0 replies; 4+ messages in thread
From: Sam @ 2002-11-11 14:43 UTC (permalink / raw)
  To: 9fans

Hola,

We finally stopped working long enough to upgrade
to 4e last week and I have to admit, the first
time I was auto-login'd to a remote unix box
after having stored the key in factotum I was
exuberant.

I have a minor nitpick, though.  When I ssh'd into a unix
box for the first time I was prompted to add the key
(not real security, but good enough for me), then I was
asked for the password to the machine.  My trigger happy finger
decided to hit enter, thereby entering a nil password
and failing to authenticate.  Further attempts to
ssh into the machine failed because factotum stored the
incorrect password.  I needed to become accustomed to
key management with factotum anyway, but it still seems improper
to store the password if password authentication fails.

I looked at removing the server key if ssh password authentication
fails, but there doesn't seem to be an rpc mechanism in factotum
to do this.

Cheers,

Sam




^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2002-11-11 17:29 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2002-11-11 16:56 [9fans] factotum/ssh issue Russ Cox
2002-11-11 17:29 ` Sam
  -- strict thread matches above, loose matches on Subject: below --
2002-11-11 15:36 Skip Tavakkolian
2002-11-11 14:43 Sam

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).