ref: 1d17ae034c477cedd86d43d9a8332453d76b36e6
parent: 7264dc77cd61edd53e0d0e3e804ce844398676ea
author: stanley lieber <stanley.lieber@gmail.com>
date: Tue Feb 9 18:18:01 EST 2016
misc fixes; clarify fqa7; add fqa7.4.3.2
--- a/fqa.ms
+++ b/fqa.ms
@@ -926,7 +926,11 @@
.ihtml a
.ihtml a <a href="fqa7.html#7.4.3.1">
-7.4.3 - Adding users to secstore
+7.4.3.1 - Adding users to secstore
+.ihtml a
+
+.ihtml a <a href="fqa7.html#7.4.3.2">
+7.4.3.2 - Converting from ps9k1 to dp9ik
.ihtml a
.ihtml a <a href="fqa7.html#7.5">
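Review bot: the new index entry `7.4.3.2 - Converting from ps9k1 to dp9ik` spells the protocol "ps9k1", while the section body it links to talks about the "old p9sk1 plan9 password"; the protocol name is p9sk1, so the entry should read `Converting from p9sk1 to dp9ik`. Also, the added entry is followed by a blank line before the next `.ihtml a <a href="fqa7.html#7.5">` line, whereas the surrounding entries have no blank line between the closing `.ihtml a` and the next opening one; drop the blank line to match.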
--- a/fqa7.ms
+++ b/fqa7.ms
@@ -144,6 +144,9 @@
.B Note:
Users seeking access to the file server must be added as a user on the file system itself, and, if auth is enabled, added to the auth server's user database.
+.B Note:
+Some users choose to run remote cpu or auth servers as stand-alone systmes, each with their own local disk file systems. The distinction between all these types of systems is fuzzy and can become even fuzzier as services are enabled and disabled in different combinations.
+
.html - <a name="7.1.3" />
.ihtml h3 <h3>
.SH
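Review bot: typo in the added Note: "stand-alone systmes" should be "stand-alone systems". Consider also "each with its own local disk file system" since the subject is each server.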
@@ -177,13 +180,15 @@
.R
.ihtml h3
-The cpu server is used for remote computation. A cpu server's kernel runs processes in isolation, on only that machine. The boot process of a cpu server (defined by setting
+The cpu server is used for remote computation. A cpu server's kernel runs processes in isolation, on only that machine. The boot process of a cpu server (defined as such by setting
.CW service=cpu
in the machine's
.CW plan9.ini
or equivalent) may be examined by reading the
.CW /rc/bin/cpurc
-script, which is executed at boot time.
+script, which is executed at boot time. Running as a cpu server causes the kernel to adjust certain resource values that ultimately determine the behavior of the machine. For example, the
+.CW cpurc
+script starts certain programs only if the machine is recognized as a cpu server.
Common use cases for a separate cpu server are: To execute programs compiled for a different architecture than that of the terminal; To execute programs closer to the data they are operating upon (for example, if the terminal is running over a slow link but the cpu server is on the same ethernet segment as the file server); To execute processes in physical isolation from other processes. In the early days of Plan 9, a cpu server was often significantly more powerful than the (often, special-purpose) hardware used for diskless terminals. Today, terminals are typically powerful computers in their own right, and the need for a separate machine running only as a cpu server is less common. That said, it can be useful to execute unstable or unpredictable programs on a separate machine so that frequently crashing and/or rebooting does not affect one's immediate workspace environment\(emespecially when testing new code. In the case of remote (mail, web, etc.) servers, it is also likely that cpu access would be desired.
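Review bot: "Running as a cpu server causes the kernel to adjust certain resource values that ultimately determine the behavior of the machine" is vague and does not say which values or where they are set; the cpurc example that follows is concrete, but the kernel claim is not. Either name one kernel-side difference the reader can look up, or drop the sentence and keep only the cpurc example.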
@@ -190,7 +195,7 @@
In practice, the disk file server, the auth server, and even some terminals will often run their own cpu listeners, to enable remote access to the processes controlled by their kernels.
.B Note:
-Users seeking access to a cpu server must first be added on the file system of the cpu server's corresponding file server (for permission to access and modify files) as well as the user database of its auth server (for login authentication).
+Users seeking access to a cpu server must first be added on the file system of the cpu server's corresponding file server (for permission to access and modify files) as well as the user database of its designated auth server (for login authentication).
Read:
.ihtml a <a href="http://doc.cat-v.org/plan_9/4th_edition/papers/net/">
@@ -212,9 +217,9 @@
.R
.ihtml h3
-The terminal is the machine at which the Plan 9 user is most often physically located. Usually diskless, the terminal will typically run with graphics enabled (for launching the
+The terminal is the machine at which the Plan 9 user is most often physically located. Usually diskless, the terminal will almost always run with graphics enabled (for launching the
.CW rio
-GUI or other graphical programs). The boot process of a terminal (defined by setting
+GUI or other graphical programs). The boot process of a terminal (defined as such by setting
.CW service=terminal
in the machine's
.CW plan9.ini
@@ -539,16 +544,22 @@
secstore key
.R
is the password of the user on the secure-store server (Read:
-.ihtml a <a href="http://man.9front.org/1/secstore">
-.CW secstore(1)
+.ihtml a <a href="fqa7.html#7.4.3">
+.I
+FQA 7.4.3 - secstored).
+.R
.ihtml a
-and
-.ihtml a <a href="http://man.9front.org/8/secstore">
-.CW secstore(8)) .
-.ihtml a
-If
+If the
.CW secstore
-is not being used, just hit
+client (Read:
+.ihtml a <a href="fqa8.html#8.4.7">
+.I
+FQA 8.4.7 - secstore)
+.R
+.ihtml a
+is not being used on this machine (for example, if this is the auth server where
+.CW secstored
+will run), just hit
.CW enter
at the
.CW
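Review bot: the closing parenthesis and period in `FQA 7.4.3 - secstored).` sit inside the `.I` link text, so they render as part of the hyperlink; the old text kept punctuation outside the link via troff's trailing-argument form (`secstore(8)) .`). Move `).` and the `)` after `FQA 8.4.7 - secstore` out of the italic anchor text. Note also that the direct links to the secstore(1) and secstore(8) man pages are dropped here; that is fine only if FQA 7.4.3 and 8.4.7 still carry them.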
@@ -561,7 +572,7 @@
.P1
bad nvram key
bad authentication id
-bad authentication domain
+bad authentication domain # You may not see these errors.
authid: glenda
authdom: 9front
secstore key: [glenda's secstore password]
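Review bot: appending `# You may not see these errors.` to one line of a `.P1`/`.P2` block that is presented as verbatim program output invites the reader to take the `#` text as something the program prints, and it marks only the third of the three `bad ...` lines. Put the remark in prose before the block, using the `.B Note:` form the file already uses, and leave the transcript lines untouched.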
@@ -1046,6 +1057,68 @@
for more information on using the
.CW secstore
lient.
+
+.html - <a name="7.4.3.2" />
+.ihtml h4 <h4>
+.SH
+7.4.3.2 - Converting from ps9k1 to dp9ik
+.R
+.ihtml h4
+
+.P1
+Date: Wed, 6 Jan 2016 03:54:08 +0100
+From: cinap_lenrek@felloff.net
+To: 9front@9front.org
+Subject: [9front] new factotum/authsrv/keyfs
+Reply-To: 9front@9front.org
+
+i just pushed the new code which adds dp9ik authentication support.
+
+to update a system, the following things need to be done:
+
+# make sure you have the latest libmp/libsec
+cd /sys/src/libmp; mk install
+cd /sys/src/libsec; mk install
+
+# rebuild mpc (required for libauthsrv)
+cd /sys/src/cmd; mk mpc.install
+
+# rebuild libauthsrv / libauth
+cd /sys/src/libauthsrv; mk install
+cd /sys/src/libauth; mk install
+
+# rebuild factotum/keyfs/authsrv
+cd /sys/src/cmd/auth; mk install
+
+# then rebuild kernel to include the new factotum,
+# but dont reboot your authserver just yet...
+cd /sys/src/9/pc; mk install
+
+# if your /adm/keydb is still in DES format (cat it to see
+# if the keyfile starts with the AES signature), you need to
+# convert it to use the new dp9ik protocol:
+
+# make backup
+cp /adm/keys /adm/keys.old
+auth/convkeys -ap /adm/keys
+
+# now set the aes key in nvram (so authserver can decrypt
+# the keydb when it boots)
+auth/wrkey
+
+# now you can reboot the AS and once its up, you have to
+# set new passwords for the users. logging in with the
+# old p9sk1 plan9 password should continue to work if
+# you skip this.
+passwd [username]
+
+# if there are issues logging in with dp9ik because keydb
+# doesnt have the new key yet, you can use delkey(1) to
+# remove the dp9ik key from factotum as a work arround.
+
+--
+cinap
+.P2
.html - <a name="7.5" />
.ihtml h2 <h2>
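Review bot: the new heading `7.4.3.2 - Converting from ps9k1 to dp9ik` misspells the protocol; the quoted mail itself says "old p9sk1 plan9 password", so the heading (and the matching fqa.ms index entry) should read p9sk1. Within the quoted mail the comment says to check whether `/adm/keydb` is still in DES format, but the backup and conversion commands operate on `/adm/keys` (`cp /adm/keys /adm/keys.old`, `auth/convkeys -ap /adm/keys`); since the mail is quoted verbatim, add a one-line FQA note above the `.P1` block saying which file is meant rather than editing the quote. The section also starts with the raw mail and no introduction; one sentence stating that the procedure below is cinap's upgrade mail from January 2016 would help. While here, the pre-existing context line `lient.` just above the new section is a truncated "client." and could be fixed in the same commit.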
--- a/fqa8.ms
+++ b/fqa8.ms
@@ -1177,8 +1177,8 @@
.R
.ihtml h4
-Plan 9 user fgb ported OpenSSH 4.7p1, OpenSSL 0.9.8g 19 Oct 2007 to Plan 9. It is available in his contrib directory, or a 386 binary is available here (to install, unpack it over /):
-.ihtml a <a href="http://plan9.stanleylieber.com/pkg//386/openssh-2012.03.15.tbz">
+Plan 9 user fgb ported OpenSSH 4.7p1, OpenSSL 0.9.8g 19 Oct 2007 to Plan 9. It is available in his contrib directory (on the Bell Labs server), or a 386 binary is available here (to install, unpack it over /):
+.ihtml a <a href="http://plan9.stanleylieber.com/pkg/386/openssh-2012.03.15.tbz">
openssh.tgz.
.ihtml a
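Review bot: the URL fix (single slash in `/pkg/386/`) is correct, but the link text on the following context line still reads `openssh.tgz.` while the file being linked is `openssh-2012.03.15.tbz`; make the link text match the actual file name so readers know what to expect when the download lands.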