Mats Erik Andersson <[email protected]> writes:

> Thursday, 9 August 2012 at 15:00, Simon Josefsson wrote this:
>> Mats Erik Andersson <[email protected]> writes:
>>
>> > in order to comply with the naming in Shishi.
>> > Momentarily this concerns rshd and rlogind.
>> > Should also telnetd offer this switch?
>>
>> I think that would be useful.
>
> Will do.
>
>> Btw, I noticed that MIT/Heimdal telnet has a '-k realm' parameter to
>> override the realm of the remote host. That could be useful too.
>
> This was implemented for libshishi and telnet client in commit bfc79fcb,
> on July, 13th!

Ah. I was using Ubuntu 12.04 packaged inetutils-telnet, which presumably
doesn't have that. (Btw, maybe it is time for a release?)

>> > * Could the above be extended to allow
>> >
>> > --server-name=localhost@HOST
>> >
>> > or even
>> >
>> > --server-name=rsh/localhost@LOCALHOST
>> >
>> > with increasing degree of replacing the default
>> >
>> > host/hostname@REALM ?
>>
>> Yeah, maybe that is even better. A value of @REALM could indicate that
>> you only want to override the remote realm. However, the name of the
>> switch is a bit strange then, --server-principal maybe?
>
> The library offers shishi_parse_name() to decompose a qualified
> principal's name. However it only decomposes into realm and principal,
> but not separating off the instance name. Have I overlooked a further
> library call? If needed, something could be added.
>
> I imagine some useful setups where one would want services
>
> telnet/[email protected]
>
> rsh/[email protected]
>
> instead of the simplistic
>
> host/[email protected]
>
> for both services. This "[email protected]" would need one ticket for
> each server: "telnet/bang.ex.org" and "rsh/bang.ex.org".

I agree this would be better (one key per service), although it breaks
with the Kerberos tradition.

> At the moment I do not recall whether MIT, or Heimdal, make
> provisions for telnetd and ftpd to declare themselves as
> something more specific than "host/bang.ex.org". Certainly
> Inetutils is not able to do that yet.

I don't recall this either. The "host" part is often hard coded.

> In fact, a correctly written "~/.k5login" would specify
>
> ## /home/admin/.k5login
>
> sigge/[email protected]
> gusten/[email protected]
> [email protected]
>
> allowing optional role selection. We are not yet at this stage
> within Inetutils.
>
> Could one imagine calls like
>
> $ telnet -kEX.ORG -l sigge/admin kdc.ex.org
>
> $ rsh -l gusten/build bbuild.ex.org start_rebuild now
>
> which would need a simple stripping off of the instance string
> from the specified user name.

I don't think that is how it is supposed to work -- the way Kerberos
roles typically work is that you acquire a role ticket, say 'shishi
sigge/[email protected]', and then use that ticket to authenticate
against the remote server. What you provide to the -l switch is still
the username on the remote server. This should work fine now, I believe.

However, if you have more than one ticket in your ticket cache, I'm not
sure there is a way to ask the client which ticket to use. MIT/Heimdal
doesn't have this problem, I believe, since they don't support storing
tickets for multiple user principals in their ticket files. We would
need another switch for this, say:

telnet --realm EX.ORG --remote-principal telnet/kdc.ex.org --use-ticket sigge/[email protected] kdc.ex.org

where --realm and --remote-principal specify the Kerberos name of the
remote server and --use-ticket specifies which local ticket it should
authenticate with.

/Simon
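Added here as an illustration, not Inetutils or Shishi code, of the partial --server-name override Mats proposes above (and Simon's @REALM-only case): a C function that merges whatever components the override supplies into the default service/instance@REALM, using the thread's names host/bang.ex.org@EX.ORG as assumed defaults.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Inetutils or Shishi code.  Merge a partial
   --server-name override into the default service/instance@REALM:
     "@REALM"                 replaces only the realm,
     "instance@REALM"         the instance (and realm, if non-empty),
     "service/instance@REALM" every component that is non-empty.
   Returns 0 on success, -1 on malformed input or overflow. */
int merge_server_name(const char *override, const char *def_service,
                      const char *def_instance, const char *def_realm,
                      char *out, size_t outlen)
{
    char buf[256];
    const char *service = def_service, *instance = def_instance;
    const char *realm = def_realm;
    char *at, *slash;
    if (!override || strlen(override) >= sizeof buf)
        return -1;
    strcpy(buf, override);
    at = strchr(buf, '@');
    if (at) {
        if (strchr(at + 1, '@')) return -1;   /* second '@' is malformed */
        *at = '\0';                           /* split off the realm */
        if (at[1] != '\0') realm = at + 1;
    }
    slash = strchr(buf, '/');
    if (slash) {
        if (strchr(slash + 1, '/')) return -1;
        *slash = '\0';                        /* split service/instance */
        if (buf[0] != '\0') service = buf;
        if (slash[1] != '\0') instance = slash + 1;
    } else if (buf[0] != '\0') {
        instance = buf;                       /* bare name is the instance */
    }
    if (snprintf(out, outlen, "%s/%s@%s", service, instance, realm)
        >= (int) outlen)
        return -1;
    return 0;
}

/* Wrapper using the names from the thread as assumed defaults; NULL on error. */
const char *merged(const char *override)
{
    static char out[128];
    if (merge_server_name(override, "host", "bang.ex.org", "EX.ORG",
                          out, sizeof out) != 0)
        return NULL;
    return out;
}
```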
