9fans - fans of the OS Plan 9 from Bell Labs
* [9fans] Multi-Domain-Authentication
@ 2005-06-07 14:25 Christoph Lohmann
  2005-06-09 21:35 ` arisawa
  0 siblings, 1 reply; 4+ messages in thread
From: Christoph Lohmann @ 2005-06-07 14:25 UTC
  To: 9grid; +Cc: 9fans

Good day.

There were some rumours on IRC about a solution for
Multi-Domain-Authentication. Here it is: http://www.r-36.net/multidomauth.tgz [0].
The Readme there describes in a short way how it can be configured. A running
example is at desax-plan9.ath.cx (my home CPUsrv), which can authenticate
every user who has an account on 9grid.de. You can log in there as
user@9grid.de with the password from 9grid.de.

The short model:
	In the authentication ticket is one part signed with the user's
	private key, which now does "gridsrv" on the trusted other
	grid-node.

Sincerely,

Christoph

[0] If it is not available, which could happen because of an IP change, use
    http://www.9grid.de/~Chrissi/multidomauth.tgz



* Re: [9fans] Multi-Domain-Authentication
  2005-06-07 14:25 [9fans] Multi-Domain-Authentication Christoph Lohmann
@ 2005-06-09 21:35 ` arisawa
  0 siblings, 0 replies; 4+ messages in thread
From: arisawa @ 2005-06-09 21:35 UTC
  To: Fans of the OS Plan 9 from Bell Labs

Hello,


> There were some rumours on IRC about a solution for
> Multi-Domain-Authentication. Here it is: http://www.r-36.net/multidomauth.tgz [0].
> The Readme there describes in short way how it can be configured. A running
> example is at desax-plan9.ath.cx (My home CPUsrv), which can authenticate
> every user who has an account on 9grid.de. You can login there as
> user@9grid.de and the password from 9grid.de.
>
> The short model:
> 	In the authentication ticket is one part signed with the users
> 	private key, which now does "gridsrv" on the trusted other
> 	grid-node.
>

I wonder what happens if alice logs in as
alice
NOT
alice@9grid

Can alice log in?
If yes, what's the user name on the cpu server?

Kenji Arisawa




* Re: [9fans] Multi-Domain-Authentication
@ 2005-06-08 13:51 arisawa
  0 siblings, 0 replies; 4+ messages in thread
From: arisawa @ 2005-06-08 13:51 UTC
  To: 9fans

>Anyone got other proposals?  I would like to hear and discuss
>about MDA issues very much. :)

One other possible solution is to simply prohibit host owner's privilege
from the authdom that is not for the host.
That is, a requester using factotum:
	key proto=p9sk1 dom=outside.plan9.bell-labs.com user=arisawa !password=XXXX
becomes arisawa@outside.plan9.bell-labs.com even if I don't write the "grid"
attribute in my factotum.

Giving host owner's privilege to a person out of your control makes things confusing.

Kenji Arisawa



* Re: [9fans] Multi-Domain-Authentication
@ 2005-06-08  1:38 YAMANASHI Takeshi
  0 siblings, 0 replies; 4+ messages in thread
From: YAMANASHI Takeshi @ 2005-06-08  1:38 UTC
  To: 9grid; +Cc: 9fans

> Here it is: http://www.r-36.net/multidomauth.tgz [0].

We've got another proposal on multi domain auth from tip9ug.
Our model is to modify factotum so that it assigns "user@dom"
as the uid on the server, if the server side key used to
authenticate the cpu session has the "grid" attribute in it.

You only need to add your sources key to your server side
factotum to accept sources users logging in to your server.

The modified /sys/src/cmd/auth/factotum/p9sk1.c and
compiled factotum binary are at:
	http://www.tip9ug.jp/who/nashi/9grid/8.factotum
	http://www.tip9ug.jp/who/nashi/9grid/p9sk1.c

You might want to recompile the kernel with this new factotum.

Anyone got other proposals?  I would very much like to hear about
and discuss MDA issues. :)
-- 




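Added example, not part of any message in this thread and not the code from multidomauth.tgz or the modified p9sk1.c: a small C model of the uid rule the two factotum proposals above describe, comparing "qualify only keys that carry the grid attribute" with "qualify every authdom that is not the host's own". The names Key, serveruid and ishostowner, the host authdom example.dom, and the refusal of names that already contain '@' are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Model of the uid rule only; type, field and function names are hypothetical. */
typedef struct {
	const char *dom;	/* authdom of the server-side key that checked the ticket */
	int grid;		/* key carries the "grid" attribute */
} Key;

/*
 * Write the uid for the session into out.
 * strict=0: qualify only when the key has "grid" (first proposal).
 * strict=1: also qualify every authdom that is not the host's own.
 * Returns 0 on success, -1 if the name is refused or does not fit.
 */
int
serveruid(const char *hostdom, const Key *k, const char *user,
	int strict, char *out, size_t n)
{
	int foreign, r;

	/* assumption: refuse empty names and names that already contain '@' */
	if(user[0] == '\0' || strchr(user, '@') != NULL)
		return -1;
	foreign = strcmp(k->dom, hostdom) != 0;
	if(k->grid || (strict && foreign))
		r = snprintf(out, n, "%s@%s", user, k->dom);
	else
		r = snprintf(out, n, "%s", user);
	return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

/* Only an unqualified uid equal to the host owner gets host owner privilege. */
int
ishostowner(const char *hostowner, const char *uid)
{
	return strchr(uid, '@') == NULL && strcmp(uid, hostowner) == 0;
}

int
main(void)
{
	Key remote = { "9grid.de", 0 };	/* constructed sample: foreign key, no "grid" */
	char uid[64];

	if(serveruid("example.dom", &remote, "alice", 0, uid, sizeof uid) == 0)
		printf("grid-only rule: %s\n", uid);
	if(serveruid("example.dom", &remote, "alice", 1, uid, sizeof uid) == 0)
		printf("strict rule:    %s\n", uid);
	return 0;
}
```

With the grid-only rule, a foreign key that lacks the attribute yields the bare name "alice", which is indistinguishable from a local alice; the strict rule always yields "alice@9grid.de" for that key.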
