9front - general discussion about 9front
From: "Ethan Gardener" <eekee57@fastmail.fm>
To: 9front@9front.org
Subject: Re: [9front] The 9 Documentation Project
Date: Wed, 29 Jul 2020 23:36:36 +0100
Message-ID: <69df9f0d-1f89-4f06-9834-caf4d7c10439@www.fastmail.com>
In-Reply-To: <DF2B94EBCEB1C76367B50A981B7E2A11@felloff.net>

On Tue, Jul 28, 2020, at 8:10 PM, cinap_lenrek@felloff.net wrote:
> i think a lot of confusion comes from the auth= attribute in the
> ip/ipnet= entry vs. auth= attribute on the authdom= entry.
...
> but once you're booted, factotum will actually look for authdom=
> attribute in ndb to resolve the authentication server for a particular
> domain presented in the p9any handshake, and IGNORE the auth=
> attribute on a host or ipnet completely.

i don't think that particular thing got me, but thanks for the clarification. (i think you probably explained it to me in irc, years ago.)

> the protocol (omitting nonce and dh/dp9ik steps) works like this:
> 
> 0) client connects to server
> 1) server presents a list of domains, host identities and protocols
> 2) client picks a protocol and uses the domain and finds the
>    authentication server for the domain and does a ticket request
> 3) decrypts client part of the ticket with its own password and
>    extracts shared secret
> 4) forwards the server part of the ticket to the server
> 5) server decrypts the ticket with his own password and extracts
>    shared secret
> 6) client and server verify that each other knows the shared secret
> 7) success. optionally use shared secret to establish encrypted
>    channel (tlssrv)
> 
> the step that bugs most people is 2), as in the protocol, only
> the authentication DOMAIN is sent over the wire. finding the AS
> is the job of the CLIENT.

i think you told me all this years ago, but i still had trouble. (this is good; it's better to see it in a document rather than chat.) i think my problem was i kept getting confused about the syntax of ndb. what on earth is a "tuple" when it's not one of python's immutable lists? a key-value pair? also, i was never clear on where to put things, despite your help. there's these different sections with different names which make no sense, and it makes no sense why you can't put some netwide-default things in what appears to be the netwide-defaults section... that's what i felt, anyway.


> the issue with dns is that newbies don't have dns under their control.
> so p9auth is out. srv records is out. the only thing left what we can
> do is find ways to avoid this hack and deprecate the auth= attribute.
> maybe have dhcpd automatically determine authdom by dialing the root
> fileserver and doing the resolution of authserver on behalf of the
> client.

this! i'm pretty sure my plan 9 machines worked best when i statically set their ips. i also set them up on my natbox so it wouldn't conflict, and when it was time to reconfigure, i thought "why am i setting these twice?" and made it worse. also... i think that one time i set the ips statically is probably the time you helped me the most. ;)

dhcpd dialing the root fileserver is probably a good idea. more automatic *and* less confusing. no idea about the other two methods, i can't visualize them so easily, but if they have the same result, that's fine with me.

> in any case, i think we could avoid a lot of confusion by improving
> the way this bootstrap mechanism works.

some confusion, certainly.

something of the same sort of bootstrap problem is on the horizon of my forth. not with the network, but with defining things more than once because the regular definition isn't available until after a bootstrap definition is made. i'll figure it out.

"an adequate bootstrap is a contradiction in terms." - linus torvalds. i'm not sure about 'adequate', but substitute 'clean' and the statement works quite well.

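Added example, not part of the original message or of 9front's code: a small Python model of steps 2 to 6 of the ticket exchange quoted above, including the client-side authdom= lookup that ignores the ipnet's auth=. The host names, users, passwords and the HMAC-based seal/unseal cipher are constructed stand-ins; the real protocols use their own key derivation and ciphers, and nonces are omitted here as in the quoted summary.

```python
import hashlib, hmac, os

# Constructed ndb-like data. Only the authdom= entry is consulted in step 2;
# the auth= on the ipnet entry is ignored once booted, as the message says.
NDB = [
    {"ipnet": "home", "ip": "192.168.1.0", "auth": "bootauth.example"},
    {"authdom": "example.dom", "auth": "as.example"},
]
PASSWORDS = {"glenda": b"client-pw", "fs": b"server-pw"}  # held by the AS

def find_as(authdom):
    """Step 2: the CLIENT maps the offered domain to an auth server."""
    for entry in NDB:
        if entry.get("authdom") == authdom:
            return entry["auth"]
    raise LookupError("no authdom=%s entry" % authdom)

def seal(key, data):
    """Stand-in authenticated cipher (HMAC keystream + tag), data <= 32 bytes."""
    nonce = os.urandom(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong password or tampered ticket")
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def ticket_request(client, server):
    """Runs on the AS: one fresh secret, sealed once per party."""
    secret = os.urandom(32)
    return seal(PASSWORDS[client], secret), seal(PASSWORDS[server], secret)

def handshake(client_pw, server_pw, offered_dom="example.dom"):
    as_host = find_as(offered_dom)                            # step 2
    client_part, server_part = ticket_request("glenda", "fs")
    k_client = unseal(client_pw, client_part)                 # step 3
    k_server = unseal(server_pw, server_part)                 # steps 4-5
    # Step 6, one direction shown: client proves knowledge of the secret.
    proof = hmac.new(k_client, b"client", hashlib.sha256).digest()
    check = hmac.new(k_server, b"client", hashlib.sha256).digest()
    return as_host, hmac.compare_digest(proof, check)
```
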
