These instructions assume that you have just set up a plain Plan 9 computer. Remember that the installation is done with a terminal kernel; an authserver, however, runs a cpu kernel and starts up autonomously with a predefined user as the hostowner.

An appropriate /rc/bin/cpurc file has to be crafted and installed. Of course, networking also has to be set up correctly, since the purpose of the authserver is to provide authentication on the network. Our workflow will be more or less:

  1. boot with a terminal kernel as user glenda (first hostowner ever)
  2. install (and test) /lib/ndb/local
  3. install /rc/bin/cpurc
  4. assure that the authserver starts at bootup
  5. configure the default hostowner
  6. reboot into a cpu kernel
  7. set up the hostowner secstore account
  8. start using your authserver

network configuration

  • cat >/lib/ndb/local <<EOF
# /lib/ndb/local
# LEG16112006
#
# main network database configuration file
#
# files comprising the database
database=
	file=/lib/ndb/local
	file=/lib/ndb/common
	file=/lib/ndb/auth

ipnet=magma.intern ip=10.0.0.0 ipmask=255.255.255.0
	dnsdomain=magma.intern
	dns=10.0.0.1
	ntp=router
	smtp=router
	authdom=magma.intern
	auth=porticus
	cpu=schiefer
	fs=schiefer

# what's my name:
ip=10.0.0.6 sys=porticus

# localhost
ip=127.0.0.1 sys=localhost dom=localhost

auth=sources.cs.bell-labs.com authdom=outside.plan9.bell-labs.com
EOF
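The outline above says to install and test /lib/ndb/local, but no test is shown. The following is an added example (rc, not part of the original page) that queries the new database with the Plan 9 ndb tools; ndb/query and ndb/ipquery read the files listed in database= directly, so nothing needs to be restarted. The names (porticus, magma.intern, schiefer) are those used in the sample files on this page.

```rc
#!/bin/rc
# Added example, not part of the original page.  Checks the freshly
# installed /lib/ndb/local and /lib/ndb/auth before cpurc relies on them.
# Names (porticus, magma.intern, schiefer) come from the sample files above.

# the entry for this machine
ndb/query sys porticus			# expect: ip=10.0.0.6 sys=porticus

# the whole ipnet tuple on one line, auth= fs= cpu= included
ndb/query ipnet magma.intern

# attributes as resolved for porticus' network (auth and fs are
# inherited from the ipnet entry, ip from the sys entry)
ndb/ipquery sys porticus ip auth fs

# the auth database is found through database=, so this must answer too
ndb/query hostid porticus		# expect: hostid=porticus uid=!sys uid=!adm uid=*
```

If ndb/ipquery does not return auth=porticus and fs=schiefer, the ipnet entry (or its ip/ipmask) does not cover 10.0.0.6 and cpurc will later start services without a file server to sync time from.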

cpurc

  • cat > /rc/bin/cpurc <<EOF
#!/bin/rc
# /rc/bin/cpurc
# LEG16112006
#
# cpurc for authserver
# (in an unquoted here document rc substitutes variables, so
# $$name below is what produces a literal $name in the installed file)

echo -n cpu > /env/service
date > /env/boottime

# replace FILESERVER with the name of your file server
# here we start with kfs, your local disk file system
fileserver=kfs

# default authdom
authdom=magma.intern

# the local domain to be used in the faces database
facedom=magma.intern

# mount points
mntgen -s slashn && chmod 666 /srv/slashn

# configure ip address
ip/ipconfig

# name translation, cs sets /dev/sysname
ndb/cs
sysname=`{cat /dev/sysname}
ndb/dns -r

# extract info about our network from ndb:
# every attr=value of the ipnet tuple (auth, fs, cpu, ...) becomes an rc variable
ndb/query ipnet $$authdom |rc

# parallelism for mk
NPROC = `{wc -l </dev/sysstat}

# we use the fileserver for syncing time
aux/timesync -f -l $$fs

# start the secstored
auth/secstored

# authserver
auth/keyfs -wp -m /mnt/keys /adm/keys >/dev/null >[2=1]
auth/cron >>/sys/log/cron >[2=1] &

# services available to networks:
# scripts in the -t (trusted) directory run as the hostowner,
# scripts in the -d directory run as user none
aux/listen -q -t /rc/bin/service.auth -d /rc/bin/service il
aux/listen -q -t /rc/bin/service.auth -d /rc/bin/service tcp
EOF

authserver

  • auth database
    cat >/lib/ndb/auth <<EOF
# /lib/ndb/auth
# LEG16112006
#
# auth database for authserver
#
# the hostowner of porticus may speak for every user except sys and adm
hostid=porticus uid=!sys uid=!adm uid=*
EOF
  • enable listening on the auth port:
    cd /rc/bin/service.auth
    mv authsrv.il566 il566
    mv authsrv.tcp567 tcp567
  • optionally disable the dummy services:
    cd /rc/bin/service
    mv il566 !il566
    mv tcp567 !tcp567

hostowner

* to set up the default hostowner and her password run
    auth/wrkey
* answer the following questions:
    authid: glenda
    authdom: magma.intern
    secstore key: a password with at least eight (8) characters; this is not the password for glenda but the encryption key for the 'nvram' partition
    password: the password for glenda; it must be the same /!\ as in the keyserver and also have at least eight characters

* give the hostowner access rights to the keystores and user database files: connect to the fossil console
    con /srv/fscons
    fsys main
    uname adm +glenda
* type 'Ctrl+\' then 'q' to disconnect from con
* start the keyserver and create the entry for the hostowner:
    auth/keyfs
    auth/changeuser glenda
* answer the following questions:
    Password: must be the same /!\ as above
    Confirm: must be the same /!\ as above (humhm.. are we getting tired yet?)
    assign Inferno/POP secret?: y
    make it the same as the plan 9 password?: y
    Expiration date (YYYYMMDD or never)[return = never]: just hit return
    Post id: Glenda
    User's full name: Hostowner of porticus
    Department: Systems
    User's email address: glenda
    Sponsor's email address: admin@magma.intern (this address receives a copy of the notifications when glenda's password is about to expire)
    other email address: .. don't ask, I sure don't know (yet?)

Reboot

Stop the file system safely with fshalt, then reboot with '^T^Tr' or 'Ctrl+Alt+Del'.

You should now be able to connect from a remote system to the authserver, e.g. with drawterm:

    drawterm -a porticus -c porticus -u glenda

Do you still remember glenda's password?

If you are using Xen, you can also log in at the console.

hostowner's secstore account

The secstore is a secure and convenient way to store passwords, host keys etc. in a network environment. Each user may have a secstore; it is queried first when authenticating to a network service. The secstore most probably runs on the authserver, as in our example. Now we add the secstore for the hostowner of the authserver to the secstore daemon's files.

Run the command auth/secuser glenda; it will ask:
    glenda password: this is not the plan9 user glenda's password, so choose another one
    retype password:
    expires [DDMMYYYY, default = 18112007]:
    Enabled or Disabled [default Enabled]:
    require STA? [default no]:
    comments [default = ]:

We pretty much leave everything at its default value.

To store passwords in an easy way, we'll need a running terminal first.

Security

You may want to disallow remote cpu connections to the authserver. Services are scripts in either /bin/service or /bin/service.auth.

The following scripts in /bin/service contain "cpu"; after disabling them I could no longer log in remotely with drawterm into my authserver.

  • tcp17005
  • tcp17006
  • tcp17010
  • tcp17013

To disable a service just rename it, e.g. by putting a '!' in front of the name.

    cd /bin/service
    mv tcp17005 !tcp17005
    mv tcp17006 !tcp17006
    mv tcp17010 !tcp17010
    mv tcp17013 !tcp17013
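To see what is left listening after the renames above, the following added example (rc, not from the original page) walks both service directories, reports whether aux/listen will start each script, and marks the ones that run cpu. The directory names are the ones used on this page; a name beginning with '!' is ignored by listen, so it is reported as disabled.

```rc
#!/bin/rc
# Added example, not from the original page: report, for every listener
# script in the two service directories, whether aux/listen will start it
# and whether it runs cpu.  Scripts whose names start with '!' are
# skipped by listen, so they show up as disabled.
for(dir in /rc/bin/service /rc/bin/service.auth){
	cd $dir
	for(s in `{ls}){
		state=enabled
		if(~ $s '!'*)
			state=disabled
		# grep -s prints nothing and only returns a status
		if(grep -s cpu $s)
			echo $state $dir/$s '(starts cpu)'
		if not
			echo $state $dir/$s
	}
}
```

Anything reported as enabled with "(starts cpu)" in /rc/bin/service is a remote cpu entry point that is still reachable; the il and tcp auth services in /rc/bin/service.auth should remain enabled.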