From: Russ Cox
To: Fans of the OS Plan 9 from Bell Labs <9fans@cse.psu.edu>
Date: Wed, 5 Oct 2005 14:48:20 -0400
Subject: Re: [9fans] config wisdom? (factotum? cmdline flags? ctl file?)
In-Reply-To: <200510051708.j95H8de10107@zamenhof.cs.utwente.nl>
References: <200510051708.j95H8de10107@zamenhof.cs.utwente.nl>

You should use factotum to hold keys.

	key proto=pass service=802.1x user? realm? !password?

Ideally you wouldn't use proto=pass but I don't know enough about 802.1x to know whether that's easy.

If you get a key from factotum and you are sure that it is incorrect, I think it would be okay to try to delkey it before asking factotum again. Maybe there should be a disable control message to mark the keys disabled like factotum already does for found-to-be-bad p9sk1 keys. But delkey is fine to start and we'll see if that's useful.

To get the realm out, you'll want to modify auth_userpasswd to return the AuthRpc* (perhaps inside the UserPasswd*) instead of auth_freerpc'ing it. Then you can call auth_attr to get a list of all the public attributes for the key, and _strfindattr to find the realm.

That only answers the question of where to get the keys. It doesn't fully answer the question of which one to use. A user with keys for multiple realms may give factotum multiple keys, in which case the intended-canonical approach is to give your program a -k keyspec option like cpu(1) has and pass that to factotum when you start the protocol:

	auth_userpasswd(auth_getkey, "proto=pass service=802.1x user? realm? !password? %s", keyspec);

So if the user says -k 'realm=nj9620' then you get the first key that matches that. And if you don't say -k then you get the first key.

But if the user wanted to mark the keys with the easier-to-remember 'location=work' and use that with -k, that would be okay too. -k doesn't care.

Now the question is how do you find a -k option. At boot time, I think it's reasonable to invoke it with a -k argument taken from plan9.ini if one is specified. (I assume you have to change /boot anyway). This would only be necessary when the user has multiple 802.1x keys in his factotum.

Russ
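The following is an added illustration, not code from the mail and not Plan 9's libauth or factotum source. It models the key-selection behaviour Russ describes: stored keys are attr=val tuples, a `!` prefix marks a secret attribute, a template term `attr=val` demands that exact pair, `attr?` demands only that the attribute be present, and the `-k` keyspec is appended to the template so the first stored key satisfying every term is chosen. The sample keys, the placeholder password values, and the helper names `parsekey`, `findattr`, `matchkey`, `selectkey` and `publicattrs` are all this example's own; `findattr` and `publicattrs` merely stand in for the roles the mail assigns to `_strfindattr` and `auth_attr`. The point for a reader weighing cmdline flags against factotum is visible in `publicattrs`: the secret never leaves the key store, while the public attributes (realm, location) are enough to pick and describe a key.

```c
#include <stdio.h>
#include <string.h>

/* Added example: toy model of factotum key-template matching (not libauth). */
enum { MAXATTR = 16, MAXLEN = 64, NKEYS = 3 };

typedef struct Attr Attr;
struct Attr {
	char name[MAXLEN];
	char val[MAXLEN];
	int secret;	/* written as !name=val; never reported by publicattrs */
};

typedef struct Key Key;
struct Key {
	Attr attr[MAXATTR];
	int n;
};

/* Constructed sample keys with placeholder secrets, as a user might load them. */
static const char *samplekeys[NKEYS] = {
	"proto=pass service=802.1x user=rsc realm=nj9620 location=work !password=PLACEHOLDER1",
	"proto=pass service=802.1x user=rsc realm=home.example location=home !password=PLACEHOLDER2",
	"proto=p9sk1 dom=example.org user=rsc !password=PLACEHOLDER3",
};

/* Split "a=b c=d !e=f" into attributes; terms without '=' are ignored. */
static void
parsekey(const char *s, Key *k)
{
	char buf[256], *tok, *eq;
	Attr *a;

	k->n = 0;
	snprintf(buf, sizeof buf, "%s", s);
	for(tok = strtok(buf, " "); tok != NULL && k->n < MAXATTR; tok = strtok(NULL, " ")){
		a = &k->attr[k->n];
		a->secret = (*tok == '!');
		if(a->secret)
			tok++;
		if((eq = strchr(tok, '=')) == NULL)
			continue;
		*eq = '\0';
		snprintf(a->name, sizeof a->name, "%s", tok);
		snprintf(a->val, sizeof a->val, "%s", eq+1);
		k->n++;
	}
}

/* Value of attribute name in k, or NULL (the role _strfindattr plays). */
static const char*
findattr(const Key *k, const char *name)
{
	int i;

	for(i = 0; i < k->n; i++)
		if(strcmp(k->attr[i].name, name) == 0)
			return k->attr[i].val;
	return NULL;
}

/* Does key k satisfy every term of the template? */
static int
matchkey(const Key *k, const char *tmpl)
{
	char buf[512], *tok, *eq;
	const char *v;
	size_t n;

	snprintf(buf, sizeof buf, "%s", tmpl);
	for(tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")){
		if(*tok == '!')
			tok++;
		if((eq = strchr(tok, '=')) != NULL){	/* attr=val: exact match required */
			*eq = '\0';
			v = findattr(k, tok);
			if(v == NULL || strcmp(v, eq+1) != 0)
				return 0;
		}else{					/* attr? : attribute must be present */
			n = strlen(tok);
			if(n > 0 && tok[n-1] == '?')
				tok[n-1] = '\0';
			if(findattr(k, tok) == NULL)
				return 0;
		}
	}
	return 1;
}

/* Index of the first sample key matching the 802.1x template plus keyspec, or -1. */
static int
selectkey(const char *keyspec)
{
	static const char tmpl[] = "proto=pass service=802.1x user? realm? !password?";
	char full[512];
	Key k;
	int i;

	snprintf(full, sizeof full, "%s %s", tmpl, keyspec ? keyspec : "");
	for(i = 0; i < NKEYS; i++){
		parsekey(samplekeys[i], &k);
		if(matchkey(&k, full))
			return i;
	}
	return -1;
}

/* Public attributes of sample key i, space separated, secrets omitted
   (the view auth_attr gives a caller).  Returns a static buffer. */
static const char*
publicattrs(int i)
{
	static char out[512];
	Key k;
	int j;

	out[0] = '\0';
	parsekey(samplekeys[i], &k);
	for(j = 0; j < k.n; j++)
		if(!k.attr[j].secret)
			snprintf(out + strlen(out), sizeof out - strlen(out), "%s%s=%s",
				out[0] ? " " : "", k.attr[j].name, k.attr[j].val);
	return out;
}

int
main(void)
{
	int i = selectkey("location=home");	/* what -k 'location=home' would select */

	printf("selected key %d: %s\n", i, i >= 0 ? publicattrs(i) : "none");
	return 0;
}
```

With no keyspec (`-k` omitted) the first 802.1x key wins; `realm=nj9620` and `location=work` both pick that same key, `location=home` picks the second, and a keyspec matching nothing yields -1, which is the case where the caller would fall back to asking the user.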