Date: Thu, 11 May 2023 17:50:26 -0600
To: 9front@9front.org
From: Jacob Moody
Subject: [9front] [PATCH] libauthsrv, auth/wrkey: Disable p9sk1 login by default for hostowner

By default, auth/wrkey will put a p9sk1 key into nvram. This will cause the hostowner factotum (/srv/factotum) to load a p9sk1 key on startup. For some context, factotum will only defer to authsrv if it doesn't already have the information itself. This means that despite us shipping with authsrv having p9sk1 disabled, cpu servers will still allow logins via p9sk1 regardless for specifically hostowner.

; auth/factotum -n
; echo 'key proto=p9sk1 dom=9front user=glenda !password=...' >/mnt/factotum/ctl
; rcpu -h $myhost

Will login glenda using p9sk1 regardless of the authsrv -N invocation on the auth server.

This patch modifies auth/wrkey to zero the des key, with a flag to preserve the old behavior. A zeroed key will cause factotum to not insert a p9sk1 key on startup, removing the ability to log in using it.

diff 91ae69be3306c807ae5bfa7d1b7ced8c239f9214 uncommitted --- a//sys/include/authsrv.h +++ b//sys/include/authsrv.h @@ -175,6 +175,7 @@ NVwrite = 1<<0, /* always prompt and rewrite nvram */ NVwriteonerr = 1<<1, /* prompt and rewrite nvram when corrupt */ NVwritemem = 1<<2, /* don't prompt, write nvram from argument */ + NVwritedes = 1<<3, /* write des key for p9sk1 */ }; /* storage layout */ --- a//sys/man/8/auth +++ b//sys/man/8/auth @@ -30,6 +30,7 @@ .B auth/debug .PP .B auth/wrkey +.RB [ -e ] .PP .B auth/login [ @@ -228,7 +229,9 @@ .PP .I Wrkey prompts for a machine key, host owner, and host domain and stores them in -local non-volatile RAM. +local non-volatile RAM. By default only a dp9ik key is written, if +.BR -e +is provided a legacy p9sk1 key is also written. .PP .I Login allows a user to change his authenticated id to --- a//sys/src/cmd/auth/wrkey.c 
+++ b//sys/src/cmd/auth/wrkey.c @@ -3,11 +3,21 @@ #include void -main(void) +main(int argc, char **argv) { Nvrsafe safe; + int flag; - if(readnvram(&safe, NVwrite) < 0) + flag = NVwrite; + ARGBEGIN{ + case 'e': + flag |= NVwritedes; + break; + default: + fprint(2, "usage: %s [-e]\n", argv0); + exits("usage"); + }ARGEND; + if(readnvram(&safe, flag) < 0) sysfatal("error writing nvram: %r"); exits(0); } --- a//sys/src/libauthsrv/readnvram.c +++ b//sys/src/libauthsrv/readnvram.c @@ -258,7 +258,10 @@ goto Out; passtokey(&k, pass); memset(pass, 0, sizeof pass); - memmove(safe->machkey, k.des, DESKEYLEN); + if(flag&NVwritedes) + memmove(safe->machkey, k.des, DESKEYLEN); + else + memset(safe->machkey, 0, DESKEYLEN); memmove(safe->aesmachkey, k.aes, AESKEYLEN); memset(&k, 0, sizeof k); }
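
Review bot: in the second /sys/man/8/auth hunk (@@ -228,7 +229,9 @@) the added Wrkey text is a comma splice and starts a new sentence mid-line after "local non-volatile RAM."; put the new sentence on its own line, split it at "is written," into two sentences, and use .B -e rather than .BR -e since there is only one argument. The text should also say that an nvram written before this change keeps its p9sk1 key until wrkey is run again, because the zeroing in readnvram.c sits right after passtokey() and so only happens when a key is being set.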
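
Review bot: in the /sys/src/cmd/auth/wrkey.c hunk nothing after ARGEND rejects leftover positional arguments, so a typo such as "auth/wrkey e" prompts and writes nvram without the p9sk1 key instead of failing. Add an argc != 0 check after ARGEND that prints the same "usage: %s [-e]" line and exits, ideally by moving the fprint/exits pair into a small usage() function shared with the default: case.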
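
Review bot: in the /sys/src/libauthsrv/readnvram.c hunk the else branch zeroes safe->machkey for every caller that does not pass NVwritedes, not only auth/wrkey, and the commit message mentions only auth/wrkey. If other readnvram callers reach this branch (for example with NVwriteonerr, "prompt and rewrite nvram when corrupt"), they will drop the p9sk1 key on rewrite with no way to opt back in; please confirm that is intended and say so in the commit message. A one-line comment on the else branch stating that an all-zero machkey is what makes factotum skip loading a p9sk1 key would also record the contract this memset relies on.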