9front - general discussion about 9front
From: cinap_lenrek@felloff.net
To: 9front@9front.org
Subject: RE: [9front] The last CD distribution
Date: Sat, 4 Jun 2016 16:13:43 +0200	[thread overview]
Message-ID: <262cd60a53bcb365c275b3153c090ba8@felloff.net> (raw)
In-Reply-To: <201606040559.u545xkD6026946@mailmsa12.mozu.eo.k-opti.ad.jp>

> Yes, I've read that document, but still fails.
> When I dispatched the command on my pc64 auth server(=file/cpu server) of
> passwd like:
> titan: passwd kokamoto
> then I got
> Plan9 password: <password input>
> Passwd: AS protocol botch.

what command did you dispatch here?

let's break it down systematically please.

authentication with p9sk1 or dp9ik has 3 parties involved:

- the client
- the server
- the AS (authentication server)

the server has its hostowner key, which is derived from
hostowner user name and the password. it is loaded into
factotum from nvram on boot or secstore or manually entered
when it boots.

the client is the same, it has its own hostowner user
and password but usually doesn't prompt for it on boot.
when you need to authenticate, factotum will prompt for
username and password if it doesn't have the key already.

the client doesn't need to know the server's key, and
the server doesn't need to know the client's key.

the authentication server needs to have the keys for
both client and server in its keydb.

nothing has changed between p9sk1 and dp9ik in that
regard. what changed is that dp9ik uses new 128 bit
aes key instead of 56 bit des key.

nvram and keydb can store both keys at the same time.

keydb however needs to be converted to aes format to
be able to store the new keys. auth/convkeys will just
change the format, but will not set valid aes keys for
the users.

so the first step is to convert keydb on the auth server
to the aes format.

if your auth server uses nvram to decrypt the keydb, you
should also use auth/wrkey so it will be able to decrypt
the new keydb after reboot.

keyfs needs to be restarted after conversion... reboot
the AS.

then, set new passwords with either auth/changeuser
or passwd.

the passwd method will fail when the -N flag to authsrv
is set but there are no aes keys set for the user yet!
maybe this is causing the trouble. in that case, you can
use auth/changeuser on the authserver directly with /mnt/keys
in your namespace or temporarily remove the -N flag from
/rc/bin/service.auth/tcp567

once the authserver has both keys for the client and the
server, you can attempt updating nvrams and secstores of
your file and cpu servers and terminals.

--
cinap

