9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] secstore passwords question
From: andrey mirtchovski @ 2003-07-27  0:48 UTC (permalink / raw)
  To: 9fans

hi,

are secstore passwords only changeable by the user who runs auth/secstored?
the documentation doesn't indicate otherwise and /adm/secstore is 770.

what should an administrator do when adding a new user to the secstore?
"here is your secstore password, but you can't change it"?

pointers to man pages and documentation are welcome :)

andrey





* Re: [9fans] secstore passwords question
From: David Presotto @ 2003-07-27  1:06 UTC (permalink / raw)
  To: 9fans

auth/secstore -c  changes a password.  man secstore


* Re: [9fans] secstore passwords question
From: andrey mirtchovski @ 2003-07-27  1:09 UTC (permalink / raw)
  To: 9fans

I was looking at secuser. Apologies.

On Sat, 26 Jul 2003, David Presotto wrote:

> auth/secstore -c  changes a password.  man secstore




* Re: [9fans] secstore passwords question
From: andrey mirtchovski @ 2003-07-27  1:53 UTC (permalink / raw)
  To: 9fans

Another question, of the dumb variety:

to enable ssh logins to the system I need to do an:

	aux/rsagen -t 'service=sshnet' > /mnt/factotum/ctl

however the factotum is compiled in the kernel of the auth server and is
started from the boot script in /sys/lib/sysconfig/authsrv/...

at this point there's no secstore running so there's no way to tell
factotum what the rsagen key for the machine is, so we end up with an
unusable ssh server.

should secstore be compiled in the kernel and started right before factotum
during the boot sequence (taking the secstore key from nvram)?

or am I missing something embarrassingly trivial again?

andrey

On Sat, 26 Jul 2003, David Presotto wrote:

> auth/secstore -c  changes a password.  man secstore




* Re: [9fans] secstore passwords question
From: boyd, rounin @ 2003-07-27  1:58 UTC (permalink / raw)
  To: 9fans

> or am I missing something embarrassingly trivial again?

could just be bad karma.




* Re: [9fans] secstore passwords question
From: David Presotto @ 2003-07-27  2:13 UTC (permalink / raw)
  To: 9fans

depends on how many machines you have.  If secstored is running on a different
machine, then factotum will call it up when it starts and download the
keys.  Otherwise, you can start secstore some time later and redirect its
output to the factotum/ctl.


* Re: [9fans] secstore passwords question
From: andrey mirtchovski @ 2003-07-27  4:23 UTC (permalink / raw)
  To: 9fans

On Sat, 26 Jul 2003, David Presotto wrote:

> depends on how many machines you have.  If secstored is running on a different
> machine, then factotum will call it up when it starts and download the
> keys.  Otherwise, you can start secstore some time later and redirect its
> output to the factotum/ctl.

redirecting works, thanx...

one more question: are the standalone secstore servers in use
fossil or kfs machines, or are they connected to a file server for
everything but the secstore?

andrey






* Re: [9fans] secstore passwords question
From: David Presotto @ 2003-07-27 12:08 UTC (permalink / raw)
  To: 9fans

Our secstore server is still using a kfs, mostly because I've been too lazy
to switch it over.  It doesn't use a file server because the database is
open to dictionary attack even though the protocol isn't.

