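#!/bin/rc
# not started yet
#
# Cheat sheet for bringing up Plan 9 authentication. The script only prints
# the numbered reminders below and exits; nothing here changes system state.
# The commands quoted in the reminders (writing nvram, auth/changeuser, ...)
# are instructions for the operator, not actions this script performs.
echo 'things to remember in auth:'
# The machine key in nvram is the secret everything else derives from
# (see item 3: user keys in /adm/keys are based on it), so treat the nvram
# partition with the same care as a private key.
echo '1. Machines that boot with CPU kernel read machine key from nvram.'
# SOMEJUNKDATA is a placeholder standing in for the data written over the
# old key; the reboot in cpu mode is what picks up the new key.
echo '2. To change this key echo SOMEJUNKDATA >/dev/sdC0/nvram and reboot in cpu mode'
# Changing the machine key invalidates the stored user keys until they are
# regenerated with auth/changeuser while auth/keyfs is running.
echo '3. The encrypted keys for the users are saved in /adm/keys. After setting machine key, you must have auth/keyfs running and do auth/changeuser to make the password keys based on the machine key.'
echo '4. You must match bootes password to the machine key. Auth/changeuser bootes first.'
# A mismatch between the authdom in /lib/ndb/local and the one the auth
# server reports is a common reason cpu connections fail to authenticate.
echo '5. /lib/ndb tell machines who to talk to for auth. machines must have appropriate entries matching the correct authdom to what their machine key says. If you want to cpu to MACHINEA, you need ip=ip.of.machine.a sys=machinea authdom=(whatever authdom the auth server for machine a reports) in your /lib/ndb/local.'
echo '6. factotum is the agent that handles authentication. factotum needs to be loaded with the correct keys on the auth server (usually from nvram) and the user needs to have a factotum and provide keys to it via prompts or secstore. auth/factotum starts a new factotum.'
# netkey is a second, independent key database; users must be added to it
# separately (auth/changeuser -n) or ftp/telnet style logins will not work.
echo '7. netkey auth is a separate key database that needs another instance of auth/keyfs running at the correct mountpoint. auth/changeuser -n username installs that user in the netkey database for services such as ftp and telnet.'
echo '8. the standard port for the auth server listener is 567.'
# Typo fixes in the summary: "sufre" -> "sure", and auth/changeuser spelled
# the same way as in items 3, 4 and 7.
echo '9. In short, the flow of auth setup is: set machine keys by resetting nvram, make sure keyfs is running, create user keys with auth/changeuser, enable netkey if desired, make sure lib/ndb/local information on both servers and clients is correct, make sure auth listeners are active, make sure factotums are active.'
# Diagnostics: /sys/log/auth records auth activity; the debug write to
# /mnt/factotum/ctl turns on verbose factotum output for the current session.
echo '10. auth/debug, ndb/query, the /sys/log/auth file, and echo debug >/mnt/factotum/ctl are potential helpers in case of auth difficulties.'
exit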