From: "Russ Cox" <rsc@plan9.bell-labs.com>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] backwards-incompatible changes
Date: Tue, 25 Mar 2003 20:35:47 -0500
Message-ID: <afc7ed7a0d14d1fe58378ef022c42117@plan9.bell-labs.com>
A few more notes.

If you're running a straight terminal out of the box,
the only point that affects you is the SSH client key
renaming.

To be more explicit about how to make the RSA changes:

* If you use SSH to connect to other systems using an RSA key,
  right now you have a key

	key ek=dd n=e5306cf4e... proto=sshrsa size=1024 !dk? !p? !q? !kp? !kq? !c2?

  in your own personal factotum. You need to

	s/proto=sshrsa/proto=sshrsa proto=rsa service=ssh/.

  Keeping "proto=sshrsa" means the key will keep working now.
  Adding "proto=rsa service=ssh" means the key will work later.

* If you run TLS servers, your server factotum contains a key like:

	key ek=dd n=e5306cf4e... proto=sshrsa size=1024 !dk? !p? !q? !kp? !kq? !c2?

  You need to s/proto=sshrsa/proto=sshrsa proto=rsa service=tls/.
  Same explanation, except note the different service tag.

  You may be loading the key into factotum with

	auth/secretpem key.pem >/mnt/factotum/ctl

  Instead, use

	auth/pemdecode 'RSA PRIVATE KEY' key.pem |
	auth/asn12rsa -t 'service=tls' >key.rsa

  and then you can load the key with

	cat key.rsa >/mnt/factotum/ctl

  or add key.rsa to your server's factotum secstore file.

* If you run an SSH server, you generated a host key long ago
  with aux/ssh_genkey. It is stored in /sys/lib/ssh/hostkey.secret.
  You need to convert it into standard factotum RSA format and
  load it into factotum:

	cd /sys/lib/ssh
	awk '{
		# hostkey.secret fields, in order: size ek dk n p q kp kq c2;
		# the private parts (dk p q kp kq c2) get the "!" secret marker
		printf("key proto=rsa service=sshserve ");
		printf("size=%s ek=%s !dk=%s n=%s !p=%s !q=%s !kp=%s !kq=%s !c2=%s\n",
			$1, $2, $3, $4, $5, $6, $7, $8, $9);
	}' hostkey.secret >hostkey.rsa
	chmod 600 hostkey.rsa

  If you load your server's factotum key ring via secstore, add
  the contents of hostkey.rsa to the factotum file. If you don't,
  then you should add

	cat /sys/lib/ssh/hostkey.rsa >/mnt/factotum/ctl

  to your cpurc to hand the key to factotum.

===

I'll put the changed sources out soon, but will not install
the binaries until tomorrow evening. The rsa(8) tools are
supposed to be more regular and easier to understand
than the ad hoc collection we had before. I apologize for the
fact that they are changing. Hopefully it's a small short-term
inconvenience for a long-term gain.

Russ
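An added example, not part of Russ's message or of the Plan 9 tools he describes: a small filter that applies the s/proto=sshrsa/proto=sshrsa proto=rsa service=.../ change from the first two bullets to a whole factotum key file. It assumes a POSIX sh with awk (not Plan 9 rc), takes the service tag (ssh or tls) as its argument, and, because a key file is typically edited more than once over a migration like this, it skips lines that already carry proto=rsa so running it twice does not duplicate the tags. Non-RSA key lines pass through untouched.

```shell
# Added example (not from the original message): rewrite factotum key lines so
# that a key tagged proto=sshrsa also carries the new proto=rsa service=<svc>
# tags.  Assumes POSIX sh + awk; the key-line syntax is the one quoted in the
# message.  Lines that already have proto=rsa are left alone (idempotent).
#
# usage: add_rsa_tags SERVICE <old.keys >new.keys      (SERVICE: ssh or tls)
add_rsa_tags() {
    svc="$1"
    awk -v svc="$svc" '
        # only "key" lines still using the old sshrsa protocol are rewritten
        /^key / && / proto=sshrsa( |$)/ {
            # already migrated: print unchanged so the tags are not duplicated
            if ($0 ~ / proto=rsa( |$)/) { print; next }
            sub(/ proto=sshrsa/, " proto=sshrsa proto=rsa service=" svc)
        }
        { print }
    '
}

# Constructed sample input (key values are placeholders, not real keys).
sample_keys() {
    printf '%s\n' \
        'key ek=dd n=e5306cf4e proto=sshrsa size=1024 !dk? !p? !q? !kp? !kq? !c2?' \
        'key proto=p9sk1 dom=example.com user=glenda !password?'
}

# Run the filter for the ssh service; the output is what would be fed to
# /mnt/factotum/ctl or stored in the secstore factotum file.
sample_keys | add_rsa_tags ssh
```

The awk match on " proto=sshrsa( |$)" anchors the attribute to whitespace so that a tag such as proto=sshrsa2 (hypothetical) would not be rewritten by accident; the check for an existing proto=rsa is what makes the script safe to rerun over a file that was partly migrated by hand.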