| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
|
|
This change adds support for dkim signing to upas.
It has2 pieces:
1. Adding support for different asn1 formats to auth/rsa2asn1;
we can now generate SubjectPublicKeyInfo RSA keys, which
wrap the keys up with an algorithm identifier.
2. Adding a upas/dkim command which filters a message and signs
it using dkim.
To configure dkim, you need to generate a (small-ish) rsa key;
large keys do not fit into DNS text records:
# generate the private key and add it to factotum
ramfs -p
cd /tmp
auth/rsagen -b 2048 -t 'service=dkim role=sign hash=sha256 domain=orib.dev owner=*' > dkim.key
cat dkim.key > factotum.ctl
# extract the public key, encode it, and strip out the junk
pubkey=`{
<dkim.key auth/rsa2asn1 -f spki | \
auth/pemencode WHATEVER | \
grep -v 'WHATEVER' | \
ssam 'x/\n/d'
}
domain=example.org
# then add it to /lib/ndb.local
echo 'dom=dkim._domainkey.'$domain' soa=
ip=144.202.1.203
refresh=600 ttl=600
ns=ns.orib.dev
txt="k=rsa; v='$pubkey \
>> /lib/ndb/local
Then, finally, insert it into your outgoing mail pipeline. One
thing to be careful of is that upas will do some outgoing 'From:'
rewriting, so you may need to make sure that either '$upasname'
is set, or 'upas/dkim' is inserted after the rewrite stage.
A good place is in /mail/lib/qmail, in place of upas/vf:
% cat /mail/lib/qmail
rfork s
upas/dkim -d example.com | upas/qer /mail/queue mail $* || exit 'qer failed'
upas/runq -n 10 /mail/queue /mail/lib/remotemail </dev/null >/dev/null >[2=1] &
|
|
|
|
Auth/box previously switched to /, rather than
preserving the cwd. This would break relative
paths to items that would get pulled into the
namespace.
This change removes the '-.' flag, and causes
auth/box to keep the current working directory,
making it more usable for scripting.
|
|
-. decides where we chdir to before execing, we can't
sit where we are because our directory may not exist.
If not specified we go to '/'.
-s is used to source a rc script instead of execing cmd.
This is primarily to enable:
'#!/bin/auth/box -s'
Shebang line size is a bit tight(32), so we have this shorthand
to use rc along with setting up the required namespace components.
|
|
The original intention was to put devskel in to the
kernel to detach what it provides from devsrv.
That is not a good reason, just move it to userspace.
auth/box has been changed to exec skelfs instead
of relying on '#z'.
|
|
Changing the user to none doesn't do much for us
here. For kernel drivers that check the user of the
current proc we'll be none, but anything from devmnt
will still be accessed using creds from the original
attachment. Instead, running with none can be done
by chaining with auth/none:
auth/none auth/box ...
|
|
This prevents stuttering on the command line by
not having to give a -r flag for the binary itself.
|
|
|
|
to change user, have to (re-)mount factotum under the new user,
so it can authenticate us under the correct user for the filesystems.
|
|
|
|
try to keep everything in utf8 format.
|
|
|
|
we don't use or care about the user agent.
|
|
Getting certs is more tied to authentication than it
is to ip.
|
|
This is useful for acmed, and possibly other web
technologies.
|
|
|
|
X509to*pub() name buffer
We need a way to parse a rsa certificate request and return the public
key and subject names. The new function X509reqtoRSApub() works the
same way as X509toRSApub() but on a certificate request.
We also need to support certificates that are valid for multiple domain
names (as tlshand does not support certificate selection). For this
reason, a comma separated list is returned as the certificate subject,
making it symmetric to X509rsareq() handling.
A little helper is provided with this change (auth/x5092pub) that takes
a certificate (or a certificate request when -r flag is provided) and
outputs the RSA public key in plan 9 format appended with the subject
attribute.
|
|
Passwd used to produce a very confusing error
about DES not being enabled whenever the password
was mistyped. This happened because we attempted
to guess what authentication method to use, and
preseneted the error from the wrong one on failure.
This puts the legacy mode behind a flag, so that
we don't even try the old method unless it's
explicitly requested.
|
|
|
|
version(5) says:
If the server does not understand the client's version
string, it should respond with an Rversion message (not
Rerror) with the version string the 7 characters
``unknown''.
Pre-lib9p file servers -- all except cwfs(4) -- do return Rerror.
lib9p(2) follows the above spec, although ignoring the next part
concerning comparison after period-stripping. It assumes an
Fcall.version starting with "9P" is correctly formed and returns
the only supported version of the protocol, which seems alright.
This patch brings pre-lib9p servers in accordance with the spec.
|
|
The mount() and bind() syscalls return -1 on error,
and the mountid sequence number on success.
The manpage states that the mountid sequence number
is a positive integer, but the kernels implementation
currently uses a unsigned 32-bit integer and does not
guarantee that the mountid will not become negative.
Most code just cares about the error, so test for
the -1 error value only.
|
|
Fix inconsistencies between programs and their usage
messages, correct instances where information seems
to be missing or lost. This includes missing arguments,
making usage consistent with manuals, and so on.
|
|
print useful message when user invokes these commands incorrectly
(thanks henesy)
|
|
kvik writes:
I needed to convert the RSA private key that was laying around in
secstore into a format understood by UNIX® tools like SSH.
With asn12rsa(8) we can go from the ASN.1/DER to Plan 9 format, but not
back - so I wrote the libsec function asn1encodeRSApriv(2) and used it in
rsa2asn1(8) by adding the -a flag which causes the full private key to be
encoded and output.
|
|
mptobe() and memset()
|
|
|
|
|
|
|
|
due to linux omiting the final Z(4) in the NTLMv2 reply, and
the need for the windom for LMv2 authentication, here is a new
AuthNTLM ticket request now with length and dom fields.
|
|
|
|
in ntlmv2, the client will retry the challenge response trying a bunch
of different domain names assuming the same server challenge. so we have
to make retries work with factotum and the auth server.
also, windows 7 with compatlevel=4 sends all zeros LM response.
|
|
|
|
this implements the server part of mschapv2 with the new
authserver changes.
we also provide AuthInfo for the client now with the
MPPE secret and the authenticator.
|
|
this adds new rpc for mschapv2 authentication (21)
deliver the MPPE secret not after the ticket/authenticator
response as cheartext, but include it in the first 128 bit
of the ticket key. and the authenticator in the first 160 bit
of the authenticator random field.
|
|
use OCHAPREPLYLEN instead of sizeof(reply) (no padding).
exit after sending ticket response to force eof as factotum
unconditionally reads tailing secret hash (as of mschap).
|
|
|
|
|
|
was mostly usefull for old ssh.
|
|
|
|
|
|
channels
|
|
the role=login protocol is ment to replace proto=p9cr in
auth_userpasswd() from libauth to authenticate a user
given a username and a password. in contrast to p9cr, it
does not require an authentication server when user is the
hostowner and its key is present in factotum.
|
|
|
|
document in rsa(8)
|
|
|
