9fans - fans of the OS Plan 9 from Bell Labs
From: "Russ Cox" <rsc@swtch.com>
To: "Fans of the OS Plan 9 from Bell Labs" <9fans@cse.psu.edu>
Subject: Re: [9fans] inferno/pop secrets
Date: Tue,  3 Apr 2007 07:57:01 -0400	[thread overview]
Message-ID: <ee9e417a0704030457q4d8eb5c8k80ef879a7053587b@mail.gmail.com> (raw)
In-Reply-To: <8977c47617d8e422a0d383a4c2a311dd@quintile.net>

On 4/3/07, Steve Simon <steve@quintile.net> wrote:
> I understand how p9sk1 auth works but have never quite understood how
> the inferno/pop password is distributed - this is used for quite a few
> protocols plan9 serves - imap, pop, vnc (server) inferno, httpd etc.
>
> It seems to me that all these servers would need to run in the namespace of
> auth/keyfs so they can read /mnt/keys/$user/secret to run their auth.
>
> If these servers are to run on a separate cpu server rather than the auth server
> itself then this namespace must be securely exported - how is this done?
>
> This piece of the jigsaw doesn't fit in my brain.

The servers don't get to see the raw password.
Instead they offload the authentication parts of their
respective protocols to the auth server.

This means that the auth server (auth/authsrv) knows
all the various password-based protocols.  All the protocols
start off looking like a standard p9sk1 ticket request
but use a different op code and sometimes omit the
user field.  The different op code tells the auth server to
run a protocol-specific conversation (usually some form
of challenge response) before replying with usable tickets.
See authsrv(6).

Now that we have factotum, the apps actually offload
to factotum, which offloads the server side password
computations to auth/authsrv.

No one sees the plaintext password except auth/authsrv.

Russ
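
The design Russ describes above, as an added example that is not part of the original thread and not Plan 9 code: a constructed Python model in which a pop-style protocol server holds only its own key, forwards the client's challenge response to an auth server selected by an op code, and trusts the result only after checking the ticket the auth server sealed with the server's key. The op names (cr-sha256, cr-sha1), the ticket format and the factotum-less direct call to the auth server are assumptions for illustration; the real wire format is in authsrv(6).

```python
import hashlib
import hmac
import json
import os
import secrets
from typing import Callable, Optional

# Constructed model of the offloading design: the protocol server never holds
# user passwords; the auth server runs the op-specific challenge/response and
# returns a ticket sealed under the protocol server's own key.
# Op names and ticket format are assumptions, not the authsrv(6) wire format.


class AuthServer:
    """The auth/authsrv role: the only party holding user secrets."""

    def __init__(self, user_secrets: dict, server_keys: dict):
        self._user_secrets = dict(user_secrets)   # user -> password
        self._server_keys = dict(server_keys)     # server id -> key shared with that server

    def new_challenge(self) -> str:
        return secrets.token_hex(16)

    def verify(self, op: str, server: str, user: str, challenge: str, response: str) -> Optional[dict]:
        """Run the op-specific check; return a sealed ticket, or None on failure."""
        secret = self._user_secrets.get(user)
        key = self._server_keys.get(server)
        if secret is None or key is None:
            return None
        # The op code selects the protocol-specific conversation (assumed op names).
        if op == "cr-sha256":
            expected = hmac.new(secret.encode(), challenge.encode(), hashlib.sha256).hexdigest()
        elif op == "cr-sha1":
            expected = hmac.new(secret.encode(), challenge.encode(), hashlib.sha1).hexdigest()
        else:
            return None
        if not hmac.compare_digest(expected, response):
            return None
        body = json.dumps({"user": user, "server": server, "nonce": secrets.token_hex(8)})
        mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}


class ProtocolServer:
    """A pop/imap-style server: knows its own key and the op to request, nothing about users."""

    def __init__(self, name: str, key: bytes, auth: AuthServer, op: str):
        self.name, self._key, self._auth, self.op = name, key, auth, op

    def login(self, user: str, respond: Callable[[str], str]) -> Optional[str]:
        """respond(challenge) stands in for the client; returns the authenticated user or None."""
        challenge = self._auth.new_challenge()
        response = respond(challenge)
        ticket = self._auth.verify(self.op, self.name, user, challenge, response)
        if ticket is None:
            return None
        # Check the auth server's seal with our own key before trusting the ticket.
        expected = hmac.new(self._key, ticket["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, ticket["mac"]):
            return None
        claims = json.loads(ticket["body"])
        return claims["user"] if claims["server"] == self.name else None


def client_responder(password: str, op: str) -> Callable[[str], str]:
    """Client side: derives the response from the challenge and the user's password."""
    digest = hashlib.sha256 if op == "cr-sha256" else hashlib.sha1
    return lambda challenge: hmac.new(password.encode(), challenge.encode(), digest).hexdigest()


def demo(password_offered: str = "correct horse", op: str = "cr-sha256") -> Optional[str]:
    """Constructed sample data: one user, one pop server keyed with the auth server."""
    pop_key = os.urandom(32)
    authsrv = AuthServer({"steve": "correct horse"}, {"pop": pop_key})
    pop = ProtocolServer("pop", pop_key, authsrv, op)
    return pop.login("steve", client_responder(password_offered, op))


if __name__ == "__main__":
    print(demo())           # steve
    print(demo("wrong"))    # None
```

The point the model makes explicit is that ProtocolServer has no code path that touches a password: a compromised pop or imap host leaks at most its own server key, and the ticket check in login is what stops such a host from simply asserting that a user authenticated.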

