[9fans] terminal level authentication

[9fans] terminal level authentication

[FernanBolando]

I recently put together a small plan 9 network.

I noticed that just about anyone can access the terminal,
because it does not ask for authentication when I log in.
It will only ask for my password when access the cpu server
or import from the servers.

I am not sure if it was a mistake on my part that I might
have overlooked a step. If so can you pls tell me which steps?

Assuming I did not make a mistake during the installation.
If a user decided to make use of the terminals disks
to store data, what protects these data from other users? Ofcourse
this would be irrelevant if the terminals where made of diskless
machines which relies on the fileserver to provide the disk space.

As I understand it, Just installing the distro form the bell labs site.
The reulting machine is a standalone terminal.

If I decide to follow the configuring the cpu server in the wiki,
this will give me a cpu server.

 ,Fernan

Re: [9fans] terminal level authentication

[Russ Cox]

> I noticed that just about anyone can access the terminal,
> because it does not ask for authentication when I log in.
> It will only ask for my password when access the cpu server
> or import from the servers.

right.  the assumption has always been that if you have
physical access to the machine, you're in.

russ

Re: [9fans] terminal level authentication

[Heiko Dudzus]

Hi Fernan,

> I recently put together a small plan 9 network.
>
> I noticed that just about anyone can access the terminal,
> because it does not ask for authentication when I log in.
> It will only ask for my password when access the cpu server
> or import from the servers.
>
> I am not sure if it was a mistake on my part that I might
> have overlooked a step. If so can you pls tell me which steps?

This is right.  The resources on a standalone terminal aren't
protected from the user (=hostowner) by password (or any other
method of authentication)

(We had a discussion about this regarding notebooks some weeks before
on the 9fans list.)

Terminals are meant to boot from a fileserver and to not have the
operating system installed on local disks.  You need to authenticate
with password (perhaps via sectore key) when you boot a terminal from
fileserver.

If you do have a local installed Plan 9 system (e.g. on notebooks)
you perhaps will only want to use that for temporary use in situations
when you are unconnected to any Plan 9 authdom you have an account
for.

This all is intended by design.  These ideas are described in
http://plan9.bell-labs.com/sys/doc/9.ps and
http://plan9.bell-labs.com/sys/doc/auth.ps describes the
authentication and security infrastructures.

> Assuming I did not make a mistake during the installation.
> If a user decided to make use of the terminals disks
> to store data, what protects these data from other users? Ofcourse
> this would be irrelevant if the terminals where made of diskless
> machines which relies on the fileserver to provide the disk space.
>
> As I understand it, Just installing the distro form the bell labs site.
> The reulting machine is a standalone terminal.

yes.

> If I decide to follow the configuring the cpu server in the wiki,
> this will give me a cpu server.

yes.

Heiko