devssl, cpu, import, oexportfs: delete

SSL is implemented by devssl. It's extremely
obsolete by now, and is not used anywhere but
cpu, import, and oexportfs.

This change strips out the devssl bits, but
does not (yet) remove the code from libsec.
This commit is contained in:
Ori Bernstein 2021-12-13 02:17:02 +00:00
parent b4d4cf69be
commit 7efbea82c6
19 changed files with 0 additions and 3314 deletions

View file

@ -536,7 +536,6 @@ extern int reject(int, char*, char*);
/* /*
* encryption * encryption
*/ */
extern int pushssl(int, char*, char*, char*, int*);
extern int pushtls(int, char*, char*, int, char*, char*); extern int pushtls(int, char*, char*, int, char*, char*);
/* /*

View file

@ -1,237 +0,0 @@
.TH CPU 1
.SH NAME
cpu \- connection to CPU server
.SH SYNOPSIS
.B cpu
[
.B -p
] [
.B -h
.I server
] [
.B -u
.I user
] [
.B -a
.I auth-method
] [
.B -P
.I patternfile
] [
.B -e
.I encryption-hash-algs
] [
.B -k
.I keypattern
] [
.B -c
.I cmd args ...
]
.PP
.B cpu
[
.B -n
] [
.B -A
.I address
] [
.B -R
]
.SH DESCRIPTION
This tool is deprecated and has been replaced by
.IR rcpu (1).
.PP
.I Cpu
starts an
.IR rc (1)
running on the
.I server
machine, or the machine named in the
.B $cpu
environment variable if there is no
.B -h
option.
.IR Rc 's
standard input, output, and error files will be
.B /dev/cons
in the name space where the
.I cpu
command was invoked.
Normally,
.I cpu
is run in an
.IR rio (1)
window on a terminal, so
.IR rc
output goes to that window, and input comes from the keyboard
when that window is current.
.IR Rc 's
current directory is
the working directory of the
.I cpu
command itself.
.PP
The name space for the new
.I rc
is an analogue of the name space where the
.I cpu
command was invoked:
it is the same except for architecture-dependent bindings such as
.B /bin
and the use of fast paths to file servers, if available.
.PP
If a
.B -u
argument is present,
.I cpu
uses the argument as the remote user id.
.PP
If a
.B -c
argument is present, the remainder of the command line is executed by
.I rc
on the server, and then
.I cpu
exits.
.PP
If a
.B -P
argument is present, the
.I patternfile
is passed to
.IR oexportfs (4)
to control how much of the local name space will be exported to
the remote system.
.PP
The
.B -a
command allows the user to specify the authentication mechanism used
when connecting to the remote system. The two possibilities for
.I auth-method
are:
.TF netkey
.TP
.B p9
This is the default. Authentication is done using the standard Plan 9
mechanisms, (see
.IR authsrv (6)).
No user interaction is required.
.TP
.B netkey
Authentication is done using challenge/response and a hand held
authenticator or the
.I netkey
program
(see
.IR passwd (1)).
The user must encrypt the challenge and type the encryption
back to
.IR cpu .
This is used if the local host is in a different protection domain than
the server or if the user wants to log into the server as a different
user.
.TP
.B none
This skips authentication. This requires the
.IR -n
flag to be specified on the remote side.
.PD
.PP
The
.B -e
option specifies an encryption and/or hash algorithm to
use for the connection. If both are specified, they must
be space separated and comprise a single argument, so they
must be quoted if in a shell command. The default is
.L rc4_256
encryption and
.L sha1
hashing. See
.IR ssl (3)
for details on possible algorithms. The argument
.L clear
specifies no encryption algorithm and can be used to talk
to older versions of the
.I cpu
service.
.PP
The
.B -k
flag specifies a key pattern to use to restrict the keys
selected by the
.I auth_proxy
call used for authentication.
.PP
The name space is built by running
.B /usr/$user/lib/profile
with the root of the invoking name space bound to
.BR /mnt/term .
The
.B service
environment variable is set to
.BR cpu ;
the
.B cputype
and
.B objtype
environment variables reflect the server's architecture.
.PP
The
.B -R
flag causes
.I cpu
to run the server (remote) side of the protocol.
It is run from service files such as
.BR /bin/service/tcp17010 .
The
.B -n
option allows using the
.B none
authentication method for incoming connections and must be
specified before the
.B -R
flag.
.PP
The
.B -p
flag pushes the
.IR aan (8)
filter onto the connection to protect against temporary
network outages.
.PP
The
.B -A
flag sets the announce-string
.I address
to use for
.IR aan (8)
connections, if requested by the initial protocol.
.SH FILES
The name space of the terminal side of the
.I cpu
command is mounted, via
.IR oexportfs (4),
on the CPU side on directory
.BR /mnt/term .
The files such as
.B /dev/cons
are bound to their standard locations from there.
.SH SOURCE
.B /sys/src/cmd/cpu.c
.SH SEE ALSO
.IR rcpu (1) ,
.IR rc (1) ,
.IR rio (1) ,
.IR oexportfs (4) ,
.IR aan (8)
.SH BUGS
Binds and mounts done after the terminal
.B lib/profile
is run are not reflected in the new name space.
.PP
By default, the entire namespace of the local system is
exported to the remote system. Use of the
.B -P
option in conjunction with a customized patternfile can
limit this exposure, but also limits the usefulness of
.B /mnt/term.

View file

@ -1,221 +0,0 @@
.TH IMPORT 4
.SH NAME
import \- import a name space from a remote system
.SH SYNOPSIS
.B import
[
.I options
]
.I system
.I file
[
.I mountpoint
]
.PP
.B import
.B -B
[
.I options
]
.I mountpoint
[
.I cmd
[
.I args ...
]
]
.SH DESCRIPTION
This tool is deprecated and has been replaced by
.I rimport
(see
.IR rcpu (1)).
.PP
.I Import
allows an arbitrary
.I file
on a remote
.I system
to be imported into the local name space.
Usually
.I file
is a directory, so the complete
file tree under the directory is made available.
.PP
A process is started on the
remote machine, with authority of the user of
.IR import ,
to perform work for the local machine using the
.IR oexportfs (4)
service.
The default port used is TCP 17007.
If
.I mountpoint
is omitted
.I import
uses the name of the remote
.I file
as the local mount point.
.PP
The options are:
.TF "-s namexxx"
.PD
.TP
.B -a -b -c -C
Control the construction of union directories, as in
.I mount
and
.IR bind (1).
Only valid when
.I file
is a directory.
.TP
.B -A
Skip the authentication protocol.
This is useful for connecting to foreign systems like Inferno.
.TP
.B -z
Bypass the initial protocol request for which remote tree to serve.
This is necessary when the remote
.IR oexportfs (4)
is running with the
.B -r
or
.B -S
options which pre-select a file tree to serve. The exception is if both sides are
operating in the
.B -B
backwards mode.
.TP
.B -B
Run in ``backwards'' mode, described below.
.TP
.B -E \fIenc
Push an encryption protocol on its network connection.
The supported protocols are
.B clear
(the default, no protocol)
and
.BR ssl .
There are plans to make
.B tls
available.
.TP
.B -e '\fIenc hash\fR'
Specify the encryption and hash algorithms to use for
encrypting and authenticating the wire traffic
(see
.IR ssl (3)).
The defaults are
.B rc4_256
and
.BR sha1 .
.TP
.B -k \fIkeypattern
Use
.I keypattern
to select a key to authenticate to the remote side
(see
.IR auth (2)).
.TP
.B -p
Push the
.IR aan (8)
filter onto the connection to protect against
temporary network outages.
.TP
.B -n
Specify announce string for
.IR aan (8)
filter when run in ``backwards'' mode.
.TP
.B -s \fIname
Post the connection's mountable file descriptor as
.BI /srv/ name\fR.
.PD
.PP
The
.B -B
option runs
.I import
in ``backwards'' mode.
In this mode,
.I import
runs a
.I p9any
authentication (as server) over its file descriptor 0
(expected to be an incoming network connection from
.B oexportfs
.BR -B ),
mounts the connection onto
.IR mntpt ,
and optionally runs
.I cmd
.IR args .
.SH EXAMPLES
Assume a machine
.B kremvax
that has IP interfaces for the company intranet and the global
internet mounted on
.I /net
and
.I /net.alt
respectively.
Any machine inside the company can get telnet out to the global
internet using:
.IP
.EX
import -a kremvax /net.alt
telnet /net.alt/tcp!ucbvax
.EE
.PP
Suppose that the machine
.B moscvax
has access to a private file server containing public web pages
that need to be served by the less-trusted server
.BR webvax .
.B Webvax
runs the following listener
(see
.IR listen (8))
on TCP port 999:
.IP
.EX
#!/bin/rc
import -B -s rowebfs /usr/web /bin/restarthttpd
.EE
.PP
When
.B moscvax
boots, it runs
.IP
.EX
oexportfs -R -r /usr/web -B tcp!webvax!999
.EE
.PP
to serve a read-only copy of
.B /usr/web
to
.BR webvax .
When
.B webvax
gets the call,
.B import
mounts the served tree onto its own
.B /usr/web
and then runs
.B /bin/restarthttpd
to restart
.IR httpd (8).
.SH SOURCE
.B /sys/src/cmd/import.c
.SH SEE ALSO
.IR rcpu (1),
.IR bind (1),
.IR ssl (3),
.IR oexportfs (4),
.IR srv (4),
.IR aan (8),
.IR listen (8),
.B cs
in
.IR ndb (8)

View file

@ -1,143 +0,0 @@
.TH OEXPORTFS 4
.SH NAME
oexportfs \- legacy exportfs for cpu and import
.SH SYNOPSIS
.PP
.B oexportfs
[
.I options
]
.SH DESCRIPTION
.I Oexportfs
is older version of the
.IR exportfs (4)
program that handles an initial protocol to establish a root directory
for the exported name space.
It also provides authentication and encryption using
the
.IR ssl (3)
device.
.PP
It is used exclusively by the deprecated
.IR cpu (1)
and
.IR import (4)
services.
.PP
The options are:
.TP
.B -d
Log all 9P traffic to standard error.
.TP
.B -P \fIpatternfile
Restrict the set of exported files.
.I Patternfile
contains one regular expression per line,
to be matched against path names
relative to the current working directory
and starting with
.BR / .
For a file to be exported, all lines with a prefix
.B +
must match and all those with prefix
.B -
must not match.
.TP
.B -R
Make the served name space read only.
.TP
.B -r \fIroot
Serve the name space rooted at
.IR root .
.TP
.B -S \fIservice
Serve the result of mounting
.IR service .
A separate mount is used for each
.IR attach (5)
message,
to correctly handle servers in which each mount
corresponds to a different client
.IR e.g. , (
.IR rio (4)).
.TP
.B -s
equivalent to
.B -r
.BR / ;
kept for compatibility.
.TP
.B -m \fImsize
Set the maximum message size that
.I oexportfs
should offer to send (see
.IR version (5));
this helps tunneled
9P connections to avoid unnecessary fragmentation.
.TP
.B -A \fIaddress
Use the network
.I address
to announce
.IR aan (8)
connections,
if requested by the initial protocol.
.TP
.B -a
Authenticate the user with the
.I p9any
protocol before running the regular
.I oexportfs
session; used when
.I oexportfs
is invoked to handle an incoming network connection.
.I Exportfs
creates a new name space for each connection, using
.B /lib/namespace
by default (see
.IR namespace (6)).
.TP
.B -B \fIaddress
Dial
.IR address ,
authenticate as a
.I p9any
client, and then
serve that network connection.
Requires setting the root of the name space with
.B -r
or
.BR -s .
The remote system should run
.B import
.B -B
to handle the call.
See
.IR import (4)
for an example.
.TP
.B -e '\fIenc auth\fL'
Set the encryption and authentication algorithms to use for
encrypting the wire traffic (see
.IR ssl (3)).
The defaults are
.B rc4_256
and
.BR sha1 .
.TP
.B -N \fInsfile
Serve the name space described by
.IR nsfile .
.TP
.B -n
Disallow mounts by user
.BR none .
.EE
.SH SOURCE
.B /sys/src/cmd/exportfs/oexportfs.c
.SH SEE ALSO
.IR dial (2),
.IR exportfs (4),
.IR import (4),
.IR aan (8),
.IR listen (8)

View file

@ -10,7 +10,6 @@ dev
shr shr
dup dup
arch arch
ssl
tls tls
cap cap
fs fs

View file

@ -10,7 +10,6 @@ dev
shr shr
dup dup
arch arch
ssl
tls tls
cap cap
fs fs

View file

@ -10,7 +10,6 @@ dev
shr shr
dup dup
arch arch
ssl
tls tls
cap cap
fs fs

View file

@ -10,7 +10,6 @@ dev
shr shr
dup dup
arch arch
ssl
tls tls
cap cap
fs fs

View file

@ -10,7 +10,6 @@ dev
shr shr
dup dup
arch arch
ssl
tls tls
cap cap
fs fs

View file

@ -13,7 +13,6 @@ dev
dup dup
ether netif ether netif
ip arp chandial ip ipv6 ipaux iproute netlog nullmedium pktmedium inferno ip arp chandial ip ipv6 ipaux iproute netlog nullmedium pktmedium inferno
ssl
tls tls
# cap # cap
# kprof # kprof

View file

@ -13,7 +13,6 @@ dev
dup dup
rtc rtc
arch arch
ssl
tls tls
cap cap
kprof kprof

View file

@ -10,7 +10,6 @@ dev
mnt mnt
srv srv
dup dup
ssl
cap cap
kprof kprof
uart uart

View file

@ -11,7 +11,6 @@ dev
shr shr
dup dup
arch arch
ssl
tls tls
bridge log bridge log
sdp thwack unthwack sdp thwack unthwack

View file

@ -13,7 +13,6 @@ dev
shr shr
dup dup
rtc rtc
ssl
tls tls
cap cap
kprof kprof

View file

@ -13,7 +13,6 @@ dev
shr shr
dup dup
rtc rtc
ssl
tls tls
cap cap
kprof kprof

File diff suppressed because it is too large Load diff

View file

@ -102,7 +102,6 @@ auth.$O devcons.$O: /sys/include/authsrv.h
devcap.$O: /sys/include/libsec.h devcap.$O: /sys/include/libsec.h
devfs.$O: /sys/include/libsec.h devfs.$O: /sys/include/libsec.h
devsdp.$O: /sys/include/libsec.h devsdp.$O: /sys/include/libsec.h
devssl.$O: /sys/include/libsec.h
devtls.$O: /sys/include/libsec.h devtls.$O: /sys/include/libsec.h
devswap.$O: /sys/include/libsec.h devswap.$O: /sys/include/libsec.h
random.$O: /sys/include/libsec.h random.$O: /sys/include/libsec.h

File diff suppressed because it is too large Load diff

View file

@ -33,7 +33,6 @@ OFILES=\
postnote.$O\ postnote.$O\
privalloc.$O\ privalloc.$O\
procsetname.$O\ procsetname.$O\
pushssl.$O\
pushtls.$O\ pushtls.$O\
putenv.$O\ putenv.$O\
qlock.$O\ qlock.$O\