From: Stanley Lieber
Date: Tue, 15 Nov 2016 15:06:55 -0500
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>, Ole-Hjalmar Kristensen
Subject: Re: [9fans] Maintenance of an auth server files vs a dns+dhcp+tftp server

Ole-Hjalmar Kristensen wrote:
> On Tue, Nov 15, 2016 at 8:05 PM, Stanley Lieber wrote:
>
>> "James A. Robinson" wrote:
>>
>>> So in a canonical installation the auth server mounts its root from the
>>> file server?
>>>
>>> On Tue, Nov 15, 2016 at 10:47 AM Stanley Lieber wrote:
>>>
>>>> The idea is that there is one file system shared by all the neighboring
>>>> systems. The canonical Plan 9 installation comprises one disk file server
>>>> and many diskless computing machines (auth servers, cpu servers,
>>>> terminals).
>>
>> Yes. You can arrange for hands-free booting by storing the same
>> authid/authdom/password in the nvram of both the file server and the auth
>> server. I usually boot the auth server from a 9fat partition or a USB key,
>> then tcp (actually, tls) mount the root file system from the file server.
>>
>> sl
>
> Is this the reason that it is actually possible to boot a combined
> auth/cpu/file server at all? I mean, the auth server stores /adm/keys on
> the file server, right? And normally you would need to authenticate
> yourself to attach to the file server, which would be kind of difficult,
> since it is the auth server that is trying to access the key file...
>
> Ole-Hj.

Yes. File server boots and loads its key from nvram into factotum. Auth server does the same. If both credentials match, the two machines will agree to talk to each other. The ticket is "forged" and factotum realizes it has enough information to perform the authentication without needing to consult the actual auth server.

sl
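As an added example (not code from the thread or from Plan 9), a toy Python model of the nvram shortcut described above: HMAC-SHA256 stands in for the real Plan 9 ticket format, the `Nvram` fields and sample credentials are constructed, and `read_adm_keys` models the dependency cycle Ole-Hjalmar asks about (the auth server's /adm/keys lives on the file server it must first attach to).

```python
import hmac
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Nvram:
    """What each machine keeps in nvram (constructed sample values below)."""
    authid: str
    authdom: str
    password: str

def key_from_nvram(nv: Nvram) -> bytes:
    # Each factotum derives its key locally from nvram; no network involved.
    return hashlib.sha256(f"{nv.authid}@{nv.authdom}:{nv.password}".encode()).digest()

def forge_ticket(client: Nvram, server_authdom: str) -> bytes:
    # The client's factotum mints the ticket itself (the "forged" ticket)
    # instead of asking an auth server for one. HMAC is a stand-in, not p9's format.
    msg = f"attach:{server_authdom}".encode()
    return hmac.new(key_from_nvram(client), msg, hashlib.sha256).digest()

def server_accepts(server: Nvram, ticket: bytes) -> bool:
    # The server's factotum checks the ticket against its *own* nvram key, so
    # the ticket verifies only when authid, authdom and password all match.
    expected = forge_ticket(server, server.authdom)
    return hmac.compare_digest(ticket, expected)

def try_attach(client: Nvram, server: Nvram) -> bool:
    """Attach to the file server using nvram alone; no auth server consulted."""
    return server_accepts(server, forge_ticket(client, server.authdom))

def read_adm_keys(auth: Nvram, fs: Nvram) -> str:
    """The auth server's key file sits on the file server, so it must attach
    first; the shared-nvram path is what breaks the bootstrap cycle."""
    if not try_attach(auth, fs):
        raise PermissionError("cannot attach to file server: /adm/keys unreachable")
    return "/adm/keys"

# Constructed sample nvram contents, not real credentials.
FS = Nvram("bootes", "example.com", "correct horse battery")
AUTH_OK = Nvram("bootes", "example.com", "correct horse battery")
AUTH_BAD_PW = Nvram("bootes", "example.com", "wrong password")
AUTH_BAD_DOM = Nvram("bootes", "other.example", "correct horse battery")

if __name__ == "__main__":
    print(try_attach(AUTH_OK, FS), try_attach(AUTH_BAD_PW, FS), try_attach(AUTH_BAD_DOM, FS))
```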