From: sirjofri <sirjofri+ml-9front@sirjofri.de>
To: 9front@9front.org
Subject: Re: [9front] local auth without cpu service
Date: Thu, 27 Jun 2024 11:17:26 +0200 (GMT+02:00) [thread overview]
Message-ID: <77e4bb43-6a6e-4da5-879f-47611142e840@sirjofri.de> (raw)
In-Reply-To: <Y6cgoXjnVbDUKhyw2mufiyYff2_3lkP5ITOXtowC8xGYcDscy-gf2Zc72UgYKv09-tUx-UFiKZxedQJyWruOroR5CrLDLNhL0pK4BTGHlig=@proton.me>
Hi,
I guess there's some big misunderstanding. Factotum doesn't need secstore, not does it need any working network configuration. You can just start factotum and use it.
However, factotum needs the keys. The canonical way to feed it with keys is by using secstore, but that's not a hard dependency. Also, in the future there will be some "replacement" for secstore, for security reasons.
To keep things short, to feed factotum with keys:
auth/factotum -n # run factorum without asking secstore
echo $mykey > /mnt/factotum/ctl # key syntax the same as with secstore
Use it!
There's one thing to note: factorum expects keys one write at a time. That means you can't just cat your secrets from a file that easily, but you can drop a "read -m" between it:
cat mysecrets | read -m > /mnt/factotum/ctl
(I think it was read with -m).
Your mysecrets file should be encrypted in a way, or otherwise secured.
sirjofri
27.06.2024 09:18:33 alex <alex9-ml@proton.me>:
> Hello,
>
> I would like to use factotum on my notebook, without running a cpu service on it (since it is the only 9front device in my network at the moment).
>
> At the moment I don't understand all the dependencies, but when I understand the fqa correctly, I think it is something like this:
>
> - edit /lib/ndb/local, so the local system will be used as auth (setting "auth" and "authdom" matching to "sys", "ipnet" and "dom")
> - setting nvram in plan9.ini (in the fqa it states: "nvram=#S/YOURDRIVE/nvram", so I've added "nvram=#S/sdE1/nvram", but I'm not sure whether it should read "nvram=local!/dev/sdE1/nvram", since "ls #S" is showing glenda's home dir and nobootprompt in plan9.ini has the value "local!/dev/sdE1/fscache")
> - running auth/wrkey (for making use of the nvram?)
> - adding user to the auth server ("auth/keyfs" and "auth/changeuser glenda")
> - set up secstored ("mkdir /adm/secstore" and "chmod 770 /adm/secstore")
> - start secstored at boot time ("echo auth/secstored > /cfg/$sysname/termrc")
> - adding glenda to secstore (auth/secstore glenda")
> - using secstore with ipso
>
> I can't use ipso ("secstore read failed - bad password?"), but I think, I know why that is.. I've set no secstore password in auth/wrkey, but I've added glenda to secstore setting a password). Are these steps correct in principle? Can I redo my first auth/wrkey prompts?
>
> Thank you very much in advance!
>
> Best regards,
> Alex
prev parent reply other threads:[~2024-06-27 9:19 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-27 7:16 alex
2024-06-27 9:17 ` sirjofri [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=77e4bb43-6a6e-4da5-879f-47611142e840@sirjofri.de \
--to=sirjofri+ml-9front@sirjofri.de \
--cc=9front@9front.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).