Fix inconsistencies between programs and their usage
messages, correct instances where information seems
to be missing or lost. This includes missing arguments,
making usage consistent with manuals, and so on.
kvik writes:
I needed to convert the RSA private key that was laying around in
secstore into a format understood by UNIX® tools like SSH.
With asn12rsa(8) we can go from the ASN.1/DER to Plan 9 format, but not
back - so I wrote the libsec function asn1encodeRSApriv(2) and used it in
rsa2asn1(8) by adding the -a flag which causes the full private key to be
encoded and output.
due to linux omiting the final Z(4) in the NTLMv2 reply, and
the need for the windom for LMv2 authentication, here is a new
AuthNTLM ticket request now with length and dom fields.
in ntlmv2, the client will retry the challenge response trying a bunch
of different domain names assuming the same server challenge. so we have
to make retries work with factotum and the auth server.
also, windows 7 with compatlevel=4 sends all zeros LM response.
this implements the server part of mschapv2 with the new
authserver changes.
we also provide AuthInfo for the client now with the
MPPE secret and the authenticator.
this adds new rpc for mschapv2 authentication (21)
deliver the MPPE secret not after the ticket/authenticator
response as cheartext, but include it in the first 128 bit
of the ticket key. and the authenticator in the first 160 bit
of the authenticator random field.
use OCHAPREPLYLEN instead of sizeof(reply) (no padding).
exit after sending ticket response to force eof as factotum
unconditionally reads tailing secret hash (as of mschap).
the role=login protocol is ment to replace proto=p9cr in
auth_userpasswd() from libauth to authenticate a user
given a username and a password. in contrast to p9cr, it
does not require an authentication server when user is the
hostowner and its key is present in factotum.
this makes implementing ssh-rsa authentication easier, as we
then can convert the public key directly to ssh format and check
if the server will accept that public key.
tlshand just needs the modulus to see if the public key matches
the one it has from the certificate.
aiju → i don't like it, it's more bullshit ways to expose the key :)
aiju → if someone can grab /adm/keyseed, they can also grab /adm/users and /adm/keys