Plan 9 from Bell Labs’s /usr/web/sources/contrib/rog/infauth/README

Copyright © 2021 Plan 9 Foundation.
Distributed under the MIT License.


These files provide an updated authentication framework for Inferno.
They are not part of the standard distribution, and may not become
so, but for anyone that may find them useful, here they are.

The main changes are to allow keys to be stored securely.
The 9cpu command, which relies on the changes,
makes a cpu connection to a Plan 9 box.

I have set things up so that before the window manager is started,
Inferno asks for a password, which is then used to decrypt
a file containing the secret keys, which are passed to factotum.
This is not totally secure, but it's a lot better than keeping the
keys in the clear all the time. I do things this way so that I don't
necessarily have to contact a secstore server - I store
the entire distribution on a USB memory stick.

INSTALLATION

I assume you've got a current Inferno distribution, and
an environment variable $I holding its root directory.

1) unpack the files in the Inferno root directory.
	% cd $I
	% gunzip < /n/sources/contrib/rog/infauth/infauth.tgz | tar xv

2) create an encrypted file storing factotum's keys:
2.1) get the factotum keys you need, e.g.
	% secstore -G factotum > $I/keyring/factotum

2.2) add any Inferno keys you need - authcvt converts from an old-style Inferno
file to a form that can be stored in factotum. getauthinfo -F prints the key
that it receives in a similar fashion.
	% emu -r $I sh
	; authcvt $home/keyring/somekey >> /keyring/factotum
	# or:
	; getauthinfo -F -s mylocalauthsigner.com -u rog >> /keyring/factotum
	password:
	; 
2.3) encrypt them:
	; cd /keyring
	; crypt -k your_secret_key < factotum > factotum.cr
	; rm factotum

3) add any appropriate auth server entries to ndb:
	; >> /lib/ndb/local echo '
	auth=sources.cs.bell-labs.com authdom=outside.plan9.bell-labs.com
	auth=sources.cs.bell-labs.com authdom=insideout.plan9.bell-labs.com
	authdom=vitanuova.com auth=plan9.vitanuova.com
	authdom=outside.plan9.bell-labs.com auth=sources.cs.bell-labs.com'

4) add the following lines to /lib/wmsetup:
	bind -b '#^' /chan
	winsrv
  alternatively, copy /lib/wmsetup.new to /lib/wmsetup:
	; cp /lib/wmsetup.new /lib/wmsetup

5) run emu
	% emu -r $I

You should be prompted for your password, which will be used to decrypt
the factotum.cr file.  If you wish to obtain the keys from secstore,
change /lib/sh/profile accordingly.  (genlogon is a new program that
prompts for some information and runs a shell script with environment
variables set accordingly, before running the usual window taskbar).

6) connect through to a Plan 9 system:

When the window manager has started, you can start a shell
and connect through to a Plan 9 system:
	% 9cpu -h plan9.vitanuova.com
	cpu% 
Once there, you can create new shell windows in the same cpu
session with iwin:
	cpu% iwin
	cpu% 
You can create new "rio-style" windows with iwin -r:
	cpu% iwin -r acme -l $home/acme.dump
	cpu% 


STARTING UP

I've provided a couple of convenience scripts for starting emu:

Wm is an rc script that starts emu with some appropriate
options; emu.bat is a Windows batch file that should live
in the directory above the Inferno root directory and starts emu.
It's useful for starting emu under Windows when the drive
letter is not known (AFAIK it's not possible to create a
path-relative shortcut). Mutate either as necessary.

appl/authsrc provides the source to the above commands.
It also provides a new version of mount that uses factotum
(installed as imount.dis).
I haven't made it the default version because it lacks some
of the functionality of the old mount (in particular it doesn't
implement the -9 option, which is useful for making an authenticated
connection to sources).

Feedback appreciated.
Enjoy.

	rog@vitanuova.com
