From: cinap_lenrek@felloff.net
To: 9front@9front.org
Subject: Re: [9front] The 9 Documentation Project
Date: Tue, 28 Jul 2020 21:10:51 +0200 [thread overview]
Message-ID: <DF2B94EBCEB1C76367B50A981B7E2A11@felloff.net> (raw)
In-Reply-To: <e8875c95-9c54-485b-93cd-106a38fd10b3@www.fastmail.com>
i think alot of confusion comes from the auth= atribute in the
ip/ipnet= entry vs. auth= attribute on the authdom= entry.
the auth= attribute from ip/ipnet is actually only used by terminals
that netboot! it is an attribute that the dhcp server will put in
a special option to ship it to the client so the client can dial
the authentication server to authenticate against the (root)
fileserver before having access to ndb.
but once you'r booted, factotum will actually look for authdom=
attribute in ndb to resolve the authentication server for a particular
domain presented in the p9any handshake, and IGNORE the auth=
attribute on a host or ipnet completely.
the protocol (omiting nonce and dh/dp9ik steps) works like this:
0) client connects to server
1) server presetns a list of domains, host identities and protocols
2) client picks a protocol and uses the domain and find the authentication
server for the domain and does a ticket request
3) decrypts client part of the ticket with its own password and extracts shared secret
4) forwards the server part of the ticket to the server
5) server decrypts the ticket with his own password and extracts shared secret
6) client and server verify that they each other known the shared secret
7) success. optinally use shared secret to establish encrypted channel (tlssrtv)
the step that bugs most people is 2), as in the protocol, only
the authentication DOMAIN is send over the wire. finding the AS
is the job of the CLIENT.
theres also a trick: if you use a dns domain name as the authdom,
then you can register an A/AAAA record for p9auth.$authdom and factotum;
if it can't find authdom= attribute in ndb; will attempt to contact
p9auth.$authdom instead as the auth server. then the client doesnt
need to add a authdom= entry in its ndb!
kerberos solves this with SRV records.
the error that happens is that people miss the authdom= attribute, and
assume the authentication server is per network. no. it is not. it is
just a bootstrap mechanism! and the real mechanism is apparently not
well known to many people.
the issue with dns is that newbies dont have dns under their control.
so p9auth is out. srv records is out. the only thing left what we can
do is find ways to avoid this hack and deprecate the auth= attribute.
maybe have dhcpd automatically determine authdom by dialing the root
fileserver and doing the resolution of authserver on behalf of the
client.
or we could ship all the authdoms= from ndb in a dhcp option.
maybe factotum itself could provide a hint over p9any protocol?
like we have the service factotum look into ndb and provide a list of
hints of the external addresses of the authservers for each key?
in any case, i think we could avoid alot of confusion by improving
the way of this bootstrap mechanism works.
--
cinap
next prev parent reply other threads:[~2020-07-28 19:10 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-27 9:09 sirjofri+ml-9front
2020-07-27 9:56 ` [9front] " hiro
2020-07-27 15:10 ` Amavect
2020-07-27 15:54 ` Stanley Lieber
2020-07-27 15:58 ` ori
2020-07-27 17:01 ` William Gunnells
2020-07-27 17:29 ` Stanley Lieber
2020-07-27 18:09 ` William Gunnells
2020-07-27 20:01 ` ori
2020-07-27 21:22 ` Ethan Gardener
2020-07-28 19:10 ` cinap_lenrek [this message]
2020-07-29 22:36 ` Ethan Gardener
2020-07-27 22:06 ` Anthony Martin
2020-07-27 22:21 ` Stanley Lieber
2020-07-27 23:46 ` ori
2020-07-27 22:17 ` Stanley Lieber
2020-07-27 22:47 ` Kurt H Maier
2020-07-27 23:50 ` ori
2020-07-28 4:56 ` sirjofri+ml-9front
2020-07-28 10:18 ` hiro
2020-07-28 11:27 ` sirjofri+ml-9front
2020-07-28 12:14 ` hiro
2020-07-28 13:08 ` sirjofri+ml-9front
2020-07-28 14:16 ` hiro
2020-07-28 15:01 ` Stanley Lieber
2020-07-28 15:12 ` ori
2020-07-28 15:46 ` Stanley Lieber
2020-07-28 17:25 ` hiro
2020-07-28 17:37 ` ori
2020-07-28 17:43 ` Kurt H Maier
2020-07-28 15:11 ` ori
2020-07-28 11:29 ` sirjofri+ml-9front
2020-07-29 17:10 ` ori
2020-07-30 1:02 ` sl
2020-07-28 9:48 ` hiro
2020-07-30 18:12 ` magma698hfsp273p9f
2020-07-30 18:48 ` kvik
2020-07-30 18:54 ` ori
2020-07-30 19:28 ` Eckard Brauer
2020-07-30 19:59 ` Romano
2020-07-31 13:44 ` kvik
2020-07-31 13:51 ` Stanley Lieber
2020-08-01 15:42 ` Ethan Gardener
2020-07-30 19:15 ` Kurt H Maier
2020-07-31 10:59 ` Ethan Gardener
2020-08-03 18:50 ` magma698hfsp273p9f
2020-08-04 17:13 ` Ethan Gardener
[not found] <98A6B5A900B5E1660221CE63074D0920@ewsd.inri.net>
2020-07-30 2:14 ` ori
2020-07-30 3:06 ` Stanley Lieber
2020-07-30 3:12 ` Michael Misch
2020-07-30 8:19 ` hiro
2020-07-30 8:58 ` Kurt H Maier
2020-07-30 12:03 ` Ethan Gardener
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DF2B94EBCEB1C76367B50A981B7E2A11@felloff.net \
--to=cinap_lenrek@felloff.net \
--cc=9front@9front.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).