9front - general discussion about 9front
* drawterm and factotum with no role attribute
@ 2020-11-21  8:35 Romano
From: Romano @ 2020-11-21  8:35 UTC
  To: 9front

This perhaps has been answered elsewhere, but I haven't been able to
find it.  I could still be misunderstanding something, but I think
factotum is not documented correctly, or there's a bug in drawterm or
factotum.


In my lib/profile, I had been starting auth/factotum because upon
drawterm'ing in to the system, I didn't see any of my factotum
credentials listed in the output of 'cat /mnt/factotum/ctl', except
for two for the file server (dp9ik and 9psk1).  I looked at different
documentation and websites to determine if I was missing something
simple, and nothing came up about why I would have to start factotum
again in my lib/profile.  I finally decided to cat /mnt/factotum/log,
which showed a bunch of:

1: no key matches proto=p9sk1 role=server dom?   
1: failure no key matches proto=p9sk1 role=server dom? 
1: no key matches proto=dp9ik role=server dom?   
1: failure no key matches proto=dp9ik role=server dom? 
3: no key matches proto=p9sk1 role=server dom?   
3: failure no key matches proto=p9sk1 role=server dom? 
3: no key matches proto=dp9ik role=server dom?   
3: failure no key matches proto=dp9ik role=server dom? 
4: implicit close due to second start; old attr 'proto=dp9ik role=client dom=9front'

I had a 'key proto=dp9ik dom=9front ...' line in my factotum, and
according to the factotum(4) documentation, that should have sufficed:

          Any key may have a role attribute for restricting how it can
          be used.  If this attribute is missing, the key can be used
          in any role.  The possible values are:

          client
               for authenticating outbound calls

          server
               for authenticating inbound calls

          speakfor
               for authenticating processes whose user id does not
               match factotum's.

I added the specific role= for both 'client' and 'server' (so two
separate line entries in factotum), and that allowed me to
successfully login and to have /mnt/factotum/ctl show all my secstore
factotum lines.

Has anyone come across this themselves?  Am I misunderstanding the
documentation?  Shouldn't 'key proto=dp9ik dom=9front ...' without a
role attribute suffice?

