From: Russ Cox <rsc@swtch.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Subject: Re: [9fans] config wisdom? (factotum? cmdline flags? ctl file?)
Date: Wed, 5 Oct 2005 14:48:20 -0400 [thread overview]
Message-ID: <ee9e417a0510051148u1d6335a0j2900f28b9092f6b4@mail.gmail.com> (raw)
In-Reply-To: <200510051708.j95H8de10107@zamenhof.cs.utwente.nl>
You should use factotum to hold keys.
key proto=pass service=802.1x user? realm? !password?
Ideally you wouldn't use proto=pass but I don't know
enough about 802.1x to know whether that's easy.
If you get a key from factotum and you are sure that it is
incorrect, I think it would be okay to try to delkey it before
asking factotum again. Maybe there should be a disable
control message to mark the keys disabled like factotum
already does for found-to-be-bad p9sk1 keys. But delkey
is fine to start and we'll see if that's useful.
To get the realm out, you'll want to modify auth_userpasswd
to return the AuthRpc* (perhaps inside the UserPasswd*)
instead of auth_freerpc'ing it. Then you can call auth_attr
to get a list of all the public attributes for the key,
and _strfindattr to find the realm.
That only answers the question of where to get the keys.
It doesn't fully answer the question of which one to use.
A user with keys for multiple realms may give factotum
multiple keys, in which case the intended-canonical approach
is to give your program a -k keyspec option like cpu(1) has
and pass that to factotum when you start the protocol:
auth_userpasswd(auth_getkey,
"proto=pass service=802.1x user? realm? !password? %s",
keyspec);
So if the user says -k 'realm=nj9620' then you get the
first key that matches that. And if you don't say -k then
you get the first key. But if the user wanted to mark the
keys with the easier-to-remember 'location=work' and
use that with -k, that would be okay too. -k doesn't care.
Now the question is how do you find a -k option. At boot
time, I think it's reasonable to invoke it with a -k argument
taken from plan9.ini if one is specified. (I assume you have
to change /boot anyway). This would only be necessary
when the user has multiple 802.1x keys in his factotum.
Russ
next prev parent reply other threads:[~2005-10-05 18:48 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-05 17:08 Axel Belinfante
2005-10-05 18:48 ` Russ Cox [this message]
2005-10-06 8:02 ` Axel Belinfante
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ee9e417a0510051148u1d6335a0j2900f28b9092f6b4@mail.gmail.com \
--to=rsc@swtch.com \
--cc=9fans@cse.psu.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).