This instructions suppose that you just have set up a plain Plan9 computer. Remember that setup is done with a terminal kernel, an authserver however will run with a cpu kernel and startup autonomously with a predefined user as the hostowner.

An appropiate /rc/bin/cpurc file has to be crafted and installed. Also, of course, networking has to be set up correctly, since the purpose of the authserver is to provide authentication in the network. Our workflow will be more or less:

  1. boot with a terminal kernel as user glenda (first hostowner ever)
  2. install (and test) /lib/ndb/local
  3. install /rc/bin/cpurc
  4. assure that the authserver starts at bootup
  5. configure the default hostowner
  6. reboot into a cpu kernel
  7. set up the hostowner secstore account
  8. start using your authserver

network configuration

  • cat >/lib/ndb/local <<EOF




main network database configuration file

files comprising the database

database= file=/lib/ndb/local file=/lib/ndb/common file=/lib/ndb/auth

ipnet=magma.intern ip= ipmask= dnsdomain=magma.intern dns= ntp=router smtp=router authdom=magma.intern auth=porticus cpu=schiefer fs=schiefer

what's my name:

ip= sys=porticus


ip= sys=localhost dom=localhost EOF


  • cat > /rc/bin/cpurc <<EOF





cpurc for authserver

echo -n cpu > /env/service date > /env/boottime

replace FILESERVER with the name of your file server

here we start with kfs, your local disk file system


default authdom


the local domain to be used in the faces database


mount points

mntgen -s slashn && chmod 666 /srv/slashn

configure ip address


name translation, cs sets /dev/sysname

ndb/cs sysname=`{cat /dev/sysname} ndb/dns -r

extract info about our network from ndb

ndb/query ipnet $$authdom |rc

parallelism for mk

NPROC = `{wc -l </dev/sysstat}

we use the fileserver for syncing time

aux/timesync -f -l $fs

start the secstored



auth/keyfs -wp -m /mnt/keys /adm/keys >/dev/null >[2=1] auth/cron >>/sys/log/cron >[2=1] &

services available to networks

aux/listen -q -t /rc/bin/service.auth -d /rc/bin/service il aux/listen -q -t /rc/bin/service.auth -d /rc/bin/service tcp EOF


  • auth database
    cat >/lib/ndb/auth <<EOF




auth database for authserver

hostid=porticus uid=!sys uid=!adm uid=*

EOF * enable listening on the auth port:

cd /rc/bin/service.auth
mv authsrv.il566 il566
mv authsrv.tcp567 tcp567
* Eventually disable dummy services
cd /rc/bin/service
mv il566 !il566
mv tcp567 !tcp567


* to set up the default hostowner and her password run
* answer the following questions: authid:
secstore key:
password with at least eight (8) characters, this is not the password for glenda, but the encryption key for the 'nvram' partition.
password for glenda, must be the same /!\ as in the keyserver and also have at least eight characters


* give the hostowner accessrights to the keystores and user database files:
* connect to the fossil console
con /srv/fscons
fsys main
uname adm +glenda
* type 'Ctl+\' then 'q' to disconnect from the con
* start keyserver and create the entry for the hostowner:
auth/changeuser glenda
* answer the following questions: Password:
must be the same /!\ as above
must be the same /!\ as above (humhm.. are we getting tired yet?)
assign Inferno/POP secret?:
make it the same as the plan 9 password?:
Expiration date (YYYYMMMDD or never)[return = never]:
just hit return
Post id:
Users's full name:
Hostowner of porticus
Users's email address:
Sponsor's email address:
* this address receives copy of notifications when glenda's password is about to expire other email address:
.. don't ask, I sure don't know (yet?)


Stop the filesystem safely with fshalt, then reboot with '^T^Tr', or 'Ctrl+Alt+Del'

You should be able to connect from a remote system to the authserver e.g. with drawterm:

drawterm -a porticus -c porticus -u glenda

Still remember the password of glenda???

You can also login at the console if you were using Xen

hostowners secstore account

The secstore is a secure and comfortable way to store passwords, host-keys etc. in a network environment. Each user may have a secstore, it will be queryied first when authenticating to some network service. The secstore most probably runs on the authserver, just as in our example. Now we add the secstore for the hostowner of the authserver to the secstore daemons files.

Run the command: auth/secuser glenda, it will ask:
glenda password:
this is not the plan9 user glenda's password, so choose another one
retype password:
expires [DDMMYYYY, default = 18112007]:

Enabled or Disabled [default Enabled]::: ?BR require STA? [default no]::: ?BR comments [default = ]::: ?BR

We pretty much leave everything with default values.

To store passwords in an easy way, we'll need a running terminal first.


You may want to disallow remote cpu connections to the authserver. Services are scripts in either /bin/service or /bin/service.auth.

The following scripts in /bin/service contain "cpu", after disabling them I could no longer log in remotely with drawterm into my authserver.

  • tcp17005
  • tcp17006
  • tcp17010
  • tcp17013 To disable a service just rename it e.g. be putting a '!' in front of the name.
cd /bin/service
mv tcp17005 !tcp17005
mv tcp17006 !tcp17006
mv tcp17010 !tcp17010
mv tcp17013 !tcp17013