AUTH(6)                                                   AUTH(6)

     NAME
          fsauth, rexauth, chal, changekey - authentication services

     DESCRIPTION
          This manual page describes the authentication services: the
          protocols used to authorize connections, confirm the identi-
          ties of users and machines, and maintain the associated
          databases.  The machine that provides these services is
          called the authentication server and may be a stand-alone
          machine or a general-use machine such as a CPU server.  The
          network database holds for each public machine, such as a
          CPU server or file server, the name of the authentication
          server that machine uses.

          There are four authentication services.  Each is executed by
          making a network call from the machine wishing authentica-
          tion to the authentication server and exchanging messages.
          The services are:

          fsauth   authenticate file system attaches
          rexauth  authenticate remote execution from a Plan 9 machine
          chal     authenticate connections from a non-Plan 9 machine
                   using a SecureNet box (see securenet(8))
          changekey
                   change the key for a user or client.
          Multiple fsauth requests may be processed on a single con-
          nection to the authentication server.  The other protocols
          accept only one request per call.
          When a client calls another machine, say a file server,
          using the 9P protocol, the file server receives a Tauth mes-
          sage containing information about the user making the call
          (see auth(5)). The file server exchanges some messages with
          the authentication server using the fsauth protocol
          described below.  It then returns an Rauth message to the
          client containing a ticket to be used by the client in the
          subsequent Tattach message (see attach(5)); that ticket
          guarantees that the user requesting the service is the one
          validated by authentication server.
          In describing the protocols, the following notation is used.
          A    The authentication server.
          S    A CPU server or file server.
          C    A client connecting to S.  When any of these appears as
               part of a message, it refers to the textual name of the
               agent padded with zeros to a total of NAMELEN bytes.
          Kx   The seven byte authentication key of x; x is either S
               or C.  Servers keep a private copy of their keys, typi-
               cally in non-volatile RAM, and encrypt using the
               library functions encrypt(2) and decrypt. Clients keep
               a copy of the current user's key in the file #c/key and
               encrypt using the file #c/crypt (see cons(3)).

     Page 1                       Plan 9            (printed 11/18/24)

     AUTH(6)                                                   AUTH(6)

          K'C  C's network key, stored in C's SecureNet box.  Encryp-
               tion with K'C is done with the algorithm described in
               securenet(8). KC may also be used in place of K'C to
               execute the chal protocol without a SecureNet box; in
               this case, the netcrypt routine is used for encryption.
               In either case the result of the encryption is a vari-
               able length text string, to be transmitted with its
               terminating NUL.
          KT   A ticket key, a random number stored in a ticket.
            A password for the client: a 10 byte NUL-terminated
               string.  The character x is either o for an old pass-
               word or n for a new one.
          Chx  A seven byte challenge made by x; x is one of A, S, or
               C.
          NetCh
               A NUL-terminated string of between 1 and 6 digits for
               encryption using K'C.  NetCh is a challenge generated
               by A and is transmitted as a variable length NUL-
               terminated string.
          Kx{s}
               Braces denote encryption.  Kx{s} is the result of
               encrypting s using key Kx.
          E    An error message ERRLEN bytes long.

          Arrows indicate communication.  The authentication server
          communicates only with a server, so a communication between
          A and C indicates that S forwards the message uninterpreted.

          Consider the fsauth protocol to validate a connection to a
          file server.  Here is the concise notation of the protocol;
          following that is a prose description of its execution:

          Fsauth
          [1] C->S KC{FScchal, ChC, S}, C
          [2] S->A KS{FSschal, ChS, C, KC{FScchal, ChC, S}}, S
          [3] A->S KS{FSok, ChS, KC{FSctick, ChC, KT, KS{FSstick, ChS,
                   KT}}}
          or
          [4] A->S KS{FSerr, ChS, E}
          [5] S->C KC{FSctick, ChC, KT, KS{FSstick, ChS, KT}}
          [6] C->S KS{FSstick, ChS, KT}

          [1] The client prepares a string containing an initial byte
          with value FScchal (defined in <auth.h>), a seven-byte ran-
          dom string, ChC, and the name of the server it is calling,
          e.g.  kremvax, padded with zeros to NAMELEN bytes, for a
          total of 1+7+NAMELEN=36 bytes.  If the client does not care
          which file system it attaches to, it can substitute the
          string any for the name of the server.  It calls encrypt(2)
          to encrypt this string using the password typed by the user
          at login time and stored in #c/key (KC).  Next the client
          prepares a Tauth message (see auth(5)): chal is set to the

     Page 2                       Plan 9            (printed 11/18/24)

     AUTH(6)                                                   AUTH(6)

          result of the encryption (KC{FScchal,ChC,S}) and uid to the
          name of the user placing the call (C).  This message is
          transmitted to the server, S.

          [2] The server prepares a string containing an initial byte
          with value FSschal, another 7-byte random string (ChS), the
          name of the client (C), and the contents of the chal field
          of the Tauth message.  It encrypts this using the server's
          key (KS) and appends its own name to the 2*36=72 resulting
          bytes and sends the total 72+NAMELEN=100 bytes to the
          authentication server.

          The authentication server responds with one of two results,
          both encrypted with the server's key.  [3] If the authenti-
          cation is approved, the (decrypted) result contains a byte
          with value FSok, the server's challenge (ChS), and a
          thirty-byte string, called chal, encrypted with the client's
          key, to be returned to the client
          (KC{FSctick,ChC,KT,KS{FSstick,ChS,KT}}).  [4] If the authen-
          tication is not approved, the result contains a byte with
          value FSerr, the server challenge, and an error message.

          [5] The server decrypts the response and sends either an
          Rauth message with the chal field set to the chal string or
          an Rerror message containing the error describing why
          authentication failed.  (The error case is not shown in the
          concise form; it is outside the authentication protocol.)

          [6] If authentication succeeds, the client decrypts the chal
          field of the Rauth and extracts the 15-byte long ticket
          (KS{FSctick,ChS,KT}).  It places that in the auth field of
          the Tattach message it sends to establish the connection to
          the server.

          In the remaining protocol descriptions, the bytes transmit-
          ted in the communications are exactly as presented in the
          concise notation.

          Rexauth
          [1] S->C KS{RXschal, ChS}
          [2] C->A KC{KS{RXschal, ChS}, S, RXcchal, ChC}, C
          [3] A->C KC{KS{RXstick, ChS, C, KC}, RXctick, ChC}
          [4] C->S KS{RXstick, ChS, C, KC}

          [1] The client C calls the (CPU) server, which recognizes
          the incoming call and reads the already-encrypted string
          KS{RXschal,ChS} from the file #c/chal and transmits it to C.
          RXscal is a single byte identifying the message type.

          [2] The client encapsulates the message in a larger message
          containing the server name (S) , an RXcchal byte, a client
          challenge (ChC), all encrypted, and the client name (C)

     Page 3                       Plan 9            (printed 11/18/24)

     AUTH(6)                                                   AUTH(6)

          (KC{KS{RXschal,ChS},S,RXcchal,ChC},C).  This message is sent
          to S which forwards it to the authentication server A.

          [3] The authentication server forms a new message
          (KC{KS{RXstick,ChS,C,KC},RXctick,ChC}) and sends it through
          the server to the client.

          [4] The client decrypts this message and extracts a ticket
          (KS{RXstick,ChS,C,KC}) which it sends to the server.  The
          ticket contains the client key (KC) so the server may vali-
          date further requests for the client from the server.

          Chal
          [1] S->A C, S, KS{RXschal, ChS}
          [2] A->C NetCh
          [3] C->A K'C{NetCh}
          [4] A->S KS{RXstick, ChS, C, KC}

          The chal protocol is closely related to rexauth. The main
          difference [2] is that the authentication server sends to
          the client a challenge (NetCh) to be encrypted by a
          SecureNet box.  The result is returned [3] to the authenti-
          cation server.  The challenge and response are variable-
          length NUL-terminated strings of digits.  The rest of the
          protocol is isomorphic to rexauth.

          Changekey
          [1] A->C ChA
          [2] C->A C, KC{CKcchal, ChA, oPC, nPC}
          [3] A->C password changed
          or
          [4] A->C E

          This protocol is run directly between a user and the authen-
          tication server to change the key for a user; no other
          server is involved.

          [1] The authentication server sends a challenge directly to
          the client.

          [2] The client constructs a message containing the name (C)
          and an encrypted string holding a CKcchal byte, the chal-
          lenge, the old password for the client (oPC) and the new
          password (nPC).  It returns this to the authentication
          server.

          [3] If the change is accepted the authentication server
          returns the text string password changed.

          [4] Otherwise, it returns an error string (E).

     SEE ALSO

     Page 4                       Plan 9            (printed 11/18/24)

     AUTH(6)                                                   AUTH(6)

          auth(2), encrypt(2), intro(5), auth(5)

     BUGS
          The rexauth and chal protocols should create a new key for
          the server to hold on behalf of the client.

     Page 5                       Plan 9            (printed 11/18/24)