Plan 9: Password Management

An authentication server manages user credentials in a Plan 9 grid. If you are just getting started, however, it is probably simpler to use factotum directly to manage the credentials for your various services.

Create a file keys with the following content. 

key proto=pass        service=ftp server=10.0.2.2 user=anand !password=<password>
key proto=wpapsk service=wpa essid=Tomato24 !password=<password>
 

Load the keys in factotum. 

read -m keys > /mnt/factotum/ctl
 
# Verify
cat  /mnt/factotum/ctl
 


Now you can log into the services without manually entering the password.

ftpfs 10.0.2.2
aux/wpa -s Tomato24 /net/ether1 

Finally, you can add the load command (read -m keys > /mnt/factotum/ctl) to $home/lib/profile so that the keys are loaded automatically during bootup.


If you have an authentication server configured, you can use the following commands to manage your credentials through secstore. (Secstore files are stored under "/adm/secstore/user/" on the auth server.)

% ramfs -p; cd /tmp
% auth/secstore -vg factotum
secstore password:

# Append new key 
% echo 'key proto=apop dom=x.com user=ehg !password=hi' >> factotum
 
# Verify all the credentials are available
% cat factotum

% auth/secstore -vp factotum
secstore password:

# Load credentials in the current factotum process 
% read -m factotum > /mnt/factotum/ctl
 
# Toggle debug. The log is in /mnt/factotum/log
% echo debug > /mnt/factotum/ctl
 

 

Time-Based One-Time Password (TOTP) Authenticator


Time-Based One-Time Password (TOTP) is increasingly the preferred way of securing accounts with two-factor authentication. This program provides TOTP codes through both a GUI and a CLI. In the GUI, use mouse-2 to copy the code.

Note: The demo uses a modified version (notice aux/totp here vs auth/totp in 9front).

Sample factotum key: 

key proto=totp role=client label=google secret=JBSWY3DPEHPK3PXP
 

TOTP is time-sensitive: a code is only valid for its 30-second window, so you must keep the clock synchronized for codes to work.

aux/timesync -n pool.ntp.org
 

 

Key Formats

  • otpauth://: The open standard format that almost all TOTP apps use for a single secret, e.g. otpauth://totp/{label}?secret={secret}&issuer={issuer}
  • otpauth-migration://offline?data=<base64 string>: A custom Google Authenticator protocol that packs multiple secrets into a single string using Google Protocol Buffers (protobuf) serialization and Base64 encoding.

 

# Export 
aux/totp -e
 
# Import 
aux/totp -i 'otpauth://totp/label1?secret=JBSWY3DPEHPK3PXP&issuer=issuer1'

# Import data from Google authenticator
aux/totpga 'otpauth-migration://offline?data=JBSWY3DPEHPK3PXP'
 
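To make the otpauth:// key format and the time sensitivity concrete, here is an added example that is not part of the original post or of the aux/totp program: it converts an otpauth://totp/ URI into a factotum key line of the form shown above, and computes the RFC 6238 code (HMAC-SHA1, 6 digits, 30-second step) for a given Unix time. The issuer parameter is ignored, and labels containing whitespace are single-quoted for factotum's tokenizer; both are my assumptions, not behaviour taken from the page.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code for the step-second window containing unix_time."""
    # Base32 secrets are often stored unpadded; restore padding before decoding.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)  # RFC 4226 moving factor, big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def factotum_key_from_otpauth(uri: str) -> str:
    """Turn an otpauth://totp/<label>?secret=... URI into the factotum key line used on this page."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported")
    label = unquote(u.path.lstrip("/"))
    secret = parse_qs(u.query)["secret"][0]
    base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))  # reject a non-base32 secret early
    if any(c.isspace() for c in label):
        label = f"'{label}'"  # assumption: single quotes keep the label one token for factotum
    return f"key proto=totp role=client label={label} secret={secret}"


if __name__ == "__main__":
    # Sample URI taken from the import command above; the secret is the page's demo secret.
    print(factotum_key_from_otpauth("otpauth://totp/label1?secret=JBSWY3DPEHPK3PXP&issuer=issuer1"))
    now = int(time.time())
    print("code now:          ", totp("JBSWY3DPEHPK3PXP", now))
    # A clock that is off by one step shows a different code, which is why timesync matters.
    print("code one step later:", totp("JBSWY3DPEHPK3PXP", now + 30))
```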

 

Quick Response (QR) code

A QR code can be generated with the qr command and decoded with qr -d.

echo test | qr | page
 
# Decode
qr -d < p9-image 

  

Code


Lessons Learnt

  1. Secret fields in factotum can only be accessed via RPC. factotum/pass.c and factotum/totp.c are the implementations of the password and TOTP protocols respectively.

 
