[9fans] security model - Plan9


Thread: [9fans] security model

  1. [9fans] security model

    I installed a combined cpu/auth server.
    I need some explanations of the plan9 security model, because I have
    some trouble understanding the dependencies between factotum, secstore
    and keyfs.

    First, I don't understand why I must run auth/secstored on my auth
    server. In fact keyfs provides me an interface to keys at nvram, and
    secstore provides me an interface to keys at nvram...

    Second, I don't understand what "password" (after "secstore key") means
    in the auth/wrkey dialog. System password? Who is a "system password"?

    Third, I think that I must add all my permanent auth-server users
    (users with remote terminals) of my "auth domain" to secstore on the
    auth-server. But cpu-server users of THIS cpu-server I must add to
    factotum too. I must copy some keys from secstore to factotum at boot
    time if I want to grant access to both auth and cpu servers. Am I
    right?

    Fourth, why does nobody ask me for a password to access secstore at boot time?

    Thanks

    --
    Phil Kulin

  2. Re: [9fans] security model

    i'll take a stab at this.

    On Thu Feb 1 08:34:58 EST 2007, schors@gmail.com wrote:
    > I installed a combined cpu/auth server.
    > I need some explanations of the plan9 security model, because I have
    > some trouble understanding the dependencies between factotum, secstore
    > and keyfs.
    >
    > First, I don't understand why I must run auth/secstored on my auth
    > server.


    it is not required. secstore provides secure storage for users. also you
    don't need to run secstore on the auth server, but for most people
    that's where it makes sense.

    > In fact keyfs provides me an interface to keys at nvram, and


    keyfs provides an interface to /adm/keys*. nvram is something different.
    on a cpu server, nvram stores the hostowner, and the hostowner's password
    (secret) and a few other things so the machine can boot without operator
    intervention.

    > secstore provides me an interface to keys at nvram...


    no. secstore is secure storage for users. however, factotum will consult
    secstore for you and try to load keys from the secstore file called
    "factotum". you can store anything you'd like in secstore.

    >
    > Second, I don't understand what "password" (after "secstore key") means
    > in the auth/wrkey dialog. System password? Who is a "system password"?


    secstore requires a password before it will allow access. in this case factotum
    is trying to retrieve the file "factotum" on your behalf.

    >
    > Third, I think that I must add all my permanent auth-server users
    > (users with remote terminals) of my "auth domain" to secstore on the
    > auth-server.


    secstore storage isn't required.

    > But cpu-server users of THIS cpu-server I must add to
    > factotum too.


    factotum is a proxy, not permanent storage. factotum is like ssh-agent, but it
    works for all (okay, most) of the authentication types plan 9 requires.
    the actual secrets go in /adm/keys. see auth(8).

    > I must copy some keys from secstore to factotum at boot
    > time if I want to grant access to both auth and cpu servers. Am I
    > right?


    nope. factotum is run at login time. the factotum interacts with the user
    and secstore to compile a list of keys to hand over to various servers as
    your proxy.

    >
    > Fourth, why does nobody ask me for a password to access secstore at boot time?


    bringing it all back home. i assume this is on the auth server. the auth server
    is a cpu server. the assumption is that there is physical security of this box.
    the hostowner and key are kept in nvram. if you are not comfortable with this
    (and you can live with the auth server being down until you're at the console
    to enter the hostowner and password), you don't need an nvram file and you
    can wipe it clean on a pc with
    dd -if /dev/zero -of /dev/$disk/nvram -count 1

    - erik

  3. Re: [9fans] security model

    > I installed a combined cpu/auth server.
    > I need some explanations of the plan9 security model, because I have
    > some trouble understanding the dependencies between factotum, secstore
    > and keyfs.
    >
    > First, I don't understand why I must run auth/secstored on my auth
    > server. In fact keyfs provides me an interface to keys at nvram, and
    > secstore provides me an interface to keys at nvram...


    there isn't any need to run secstored. they do quite different things,
    though.

    secstored securely stores files on behalf of users, in particular a
    file "factotum" that holds keys that user wants loaded into the user's
    factotum on login. of course one of those users could be a system
    user (eg, "bootes").

    you need auth/keyfs though, to hold the per-user shared secrets used
    to authenticate them to a plan 9 domain. it manages /adm/keys.

    > Second, I don't understand what "password" (after "secstore key") means
    > in the auth/wrkey dialog. System password? Who is a "system password"?


    it's the shared secret that allows one plan 9 server to authenticate itself to another.
    it also encrypts the keys file. the secstore key is a separate key used by secstored.

    > Third, I think that I must add all my permanent auth-server users
    > (users with remote terminals) of my "auth domain" to secstore on the
    > auth-server.


    only if you'd like them to use secstore.

    > But cpu-server users of THIS cpu-server I must add to
    > factotum too.


    no, there's a speaks-for relationship configured by /lib/ndb/auth.
    see the section on Authentication Database in authsrv(6).

    > I must copy some keys from secstore to factotum at boot
    > time if I want to grant access to both auth and cpu servers. Am I
    > right?


    no. there's no need for users to run factotum; if they don't, they'll be prompted
    every time they need to authenticate to something. if they run factotum, and the key
    isn't already in factotum (eg, from secstore), they'll be prompted once.

    > Fourth, why does nobody ask me for a password to access secstore at boot time?


    it got the password from the place that wrkey stored it.


  4. Re: [9fans] security model

    erik quanstrom writes:

    > i'll take a stab at this.
    >
    > On Thu Feb 1 08:34:58 EST 2007, schors@gmail.com wrote:

    ....
    >> First, I don't understand why I must run auth/secstored on my auth
    >> server.

    >
    > it is not required. secstore provides secure storage for users. also you
    > don't need to run secstore on the auth server, but for most people
    > that's where it makes sense.

    ....

    drawterm (on linux, at least) always tries to contact secstore on the
    authserver during startup. So it may not be *required* to run
    secstore there, but I guess doing otherwise is not feasible.

    Regards,

    Jorge-León

  5. Re: [9fans] security model

    it times out, reasonably quickly on the systems i've used.
    it then falls back to talking directly to an auth server.

  6. Re: [9fans] security model

    I thought drawterm only contacted a secstore server if given the address of the
    server to attach to (via the -s arg).

    Unfortunately I am not in a position to use the source at
    present so I only comment from memory.

    -Steve

  7. Re: [9fans] security model

    i was too lazy to fetch the source but tried just
    running it instead with only -a and -c options, and it
    made contact with the secstore at the -a address.
