9front - general discussion about 9front
From: Romano <unobe@cpan.org>
To: 9front@9front.org
Subject: drawterm and factotum with no role attribute
Date: Sat, 21 Nov 2020 00:35:55 -0800
Message-ID: <F0F431BFA4A73FCFDAC29257BAF52B1C@smtp.pobox.com>

This perhaps has been answered elsewhere, but I haven't been able to
find it.  I could still be misunderstanding something, but I think
factotum is not documented correctly, or there's a bug in drawterm or
factotum.


In my lib/profile, I had been starting auth/factotum because upon
drawterm'ing in to the system, I didn't see any of my factotum
credentials listed in the output of 'cat /mnt/factotum/ctl', except
for two for the file server (dp9ik and p9sk1).  I looked at different
documentation and websites to determine if I was missing something
simple, and nothing came up about why I would have to start factotum
again in my lib/profile.  I finally decided to cat /mnt/factotum/log,
which showed a bunch of:

1: no key matches proto=p9sk1 role=server dom?   
1: failure no key matches proto=p9sk1 role=server dom? 
1: no key matches proto=dp9ik role=server dom?   
1: failure no key matches proto=dp9ik role=server dom? 
3: no key matches proto=p9sk1 role=server dom?   
3: failure no key matches proto=p9sk1 role=server dom? 
3: no key matches proto=dp9ik role=server dom?   
3: failure no key matches proto=dp9ik role=server dom? 
4: implicit close due to second start; old attr 'proto=dp9ik role=client dom=9front'

I had a 'key proto=dp9ik dom=9front ...' line in my factotum, and
according to the factotum(4) documentation, that should have sufficed:

          Any key may have a role attribute for restricting how it can
          be used.  If this attribute is missing, the key can be used
          in any role.  The possible values are:

          client
               for authenticating outbound calls

          server
               for authenticating inbound calls

          speakfor
               for authenticating processes whose user id does not
               match factotum's.

I added the specific role= for both 'client' and 'server' (so two
separate line entries in factotum), and that allowed me to
successfully login and to have /mnt/factotum/ctl show all my secstore
factotum lines.

Has anyone come across this themselves?  Am I misunderstanding the
documentation?  Shouldn't 'key proto=dp9ik dom=9front ...' without a
role attribute suffice?
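
The following is an added example, not part of the original message and not factotum's code: a small model of the role rule as quoted from factotum(4) above, run against the failed queries in the posted log. It assumes that `attr?` in a query means "the key must have this attribute", and the `user` and `!password` values in the sample key are constructed placeholders.

```python
import re

# Log lines copied from the message above (subset).
LOG = """\
1: no key matches proto=p9sk1 role=server dom?
1: failure no key matches proto=p9sk1 role=server dom?
1: no key matches proto=dp9ik role=server dom?
1: failure no key matches proto=dp9ik role=server dom?
4: implicit close due to second start; old attr 'proto=dp9ik role=client dom=9front'
"""

# Constructed key without a role attribute; user and password are placeholders.
KEY_NO_ROLE = "proto=dp9ik dom=9front user=EXAMPLEUSER !password=EXAMPLE"

def parse_attrs(text):
    """Split an attribute list into ({name: value}, {names given as 'name?'})."""
    fixed, wanted = {}, set()
    for tok in text.split():
        if tok.endswith("?"):
            wanted.add(tok[:-1])
        elif "=" in tok:
            name, value = tok.split("=", 1)
            fixed[name.lstrip("!")] = value  # '!' marks a secret attribute
    return fixed, wanted

def documented_match(key, query):
    """True if the key satisfies the query under the documented role rule."""
    kattrs, _ = parse_attrs(key)
    qfixed, qwanted = parse_attrs(query)
    for name, value in qfixed.items():
        if name == "role" and "role" not in kattrs:
            continue  # documented: a key with no role can be used in any role
        if kattrs.get(name) != value:
            return False
    return all(name in kattrs for name in qwanted)

def failed_queries(log):
    """Unique queries from 'no key matches' lines, in order of appearance."""
    seen = []
    for line in log.splitlines():
        m = re.match(r"\d+: (?:failure )?no key matches (.+)", line)
        if m and m.group(1).strip() not in seen:
            seen.append(m.group(1).strip())
    return seen

def explain(keys, log):
    """Map each failed query to the keys that should have matched it."""
    return {q: [k for k in keys if documented_match(k, q)] for q in failed_queries(log)}

if __name__ == "__main__":
    for query, keys in explain([KEY_NO_ROLE], LOG).items():
        print(query, "->", keys or "no key expected to match")
```

Under the documented rule the role-less dp9ik key is expected to satisfy the `proto=dp9ik role=server dom?` query, which is the mismatch with the logged failure that the message asks about.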

