Glenn Barry wrote:
> Glenn Barry wrote:
>   
>> OpenSolaris telnet(1) has the following option given in krb5.conf(4):
>>
>>   [appdefaults]
>>
>> ...
>>
>>      autologin = [true | false]
>>
>>          Forces the application to  attempt  automatic  login  by
>>          presenting  Kerberos credentials. This is only valid for
>>          the telnet application.
>>
>> (It actually does not work now in OpenSolaris, appears to be a bug.)
>>
>> This could be a useful feature to enable kerb telnet on a system-wide
>> basis and the cust who filed this would like to use it as they
>> transition to kerb as they won't have to change all their scripts to
>> use a new option to get kerb rsh/rcp/rlogin/rdist (or change their
>> scripts to switch to ssh/scp(1) which should be their
>> long-term strategy).
>>
>> So given telnet should have this behavior, we'd like to fix telnet and
>> extend it to rsh/rcp/rlogin/rdist.
>>
>> So for rsh it would look like this in krb5.conf:
>>
>>         rsh = {
>>                 autologin = true
>>         }
>>
>> and "rsh host foocmd" would now use kerb auth.
>>
>> Any reason not to do this?
>>
>> Note rsh/rcp/rdist do not have any cmdline opt to shut off kerb so we'd
>> likely need to add one to override the krb5.conf.
>>
>
> No objections in general yet.
>
> We did get some good suggestions on how to enable this.
>
> Here are the options:
>
> 1) extend autologin from telnet to rcmds (method outlined above).
>
> 2) enable at a higher level such as a conf file (if one exists) or smf
>    profile for each cmd.
>    this seems a bit cleaner as the krb5.conf ideally should not be
>    consulted unless kerb is already enabled.
>
>    no system-wide conf file exists so we'd have to go w/smf for s10+.
>    for pre-s10 we'd prolly go with a defaults file in /etc/default.
>
> 3) autoconfig - if user's creds are avail, then attempt krb5 auth and sso.
>    this might be too radical a change for these cmds that have been
>    around forever and the fallback to non-kerb only works for PO.
>

These all seem to be palatable to at least one of the ARC members. He
preferred (3) but it's too rad a change as noted above.

So I'm going to go with (1) as orig planned so we will have the same UI
as telnet and we can keep the same UI (and code more or less) for
OpenSolaris rcmds back to s8.
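
An added illustration, not part of the thread and not OpenSolaris code: a small Python audit that reads `[appdefaults]` and reports which clients would attempt Kerberos autologin if option (1) were in place. The stanzas for rsh/rcp/rlogin/rdist are the thread's proposal; the lookup order follows MIT krb5 appdefaults precedence (assumed to carry over), and the sample file, realm and function names are constructed.

```python
APPS = ("telnet", "rsh", "rcp", "rlogin", "rdist")
# Constructed sample; the rsh stanza is the form proposed in the thread.
SAMPLE = """
[appdefaults]
    autologin = false
    telnet = {
        autologin = true
    }
    rsh = {
        autologin = true
    }
    rlogin = {
        EXAMPLE.COM = {
            autologin = false
        }
        autologin = true
    }
"""

def parse_appdefaults(text):
    """Return [appdefaults] as nested dicts; each '{' opens a sub-dict."""
    stack, active = [{}], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            active, stack = line == "[appdefaults]", stack[:1]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif active and "=" in line and line[0] not in "#;":
            key, _, val = (part.strip() for part in line.partition("="))
            stack[-1][key] = {} if val == "{" else val
            if val == "{":
                stack.append(stack[-1][key])
    return stack[0]

def autologin(conf, app, realm):
    """Resolve autologin, most specific scope first (assumed MIT krb5 order)."""
    def sub(d, k):
        return d[k] if isinstance(d.get(k), dict) else {}
    app_sec = sub(conf, app)
    for scope in (sub(app_sec, realm), app_sec, sub(conf, realm), conf):
        val = scope.get("autologin")
        if isinstance(val, str):
            return val.lower() in ("true", "yes", "y", "t", "on", "1")
    return False  # unset everywhere: no Kerberos autologin attempted

def audit(text, realm):
    """Map each client to whether it would attempt Kerberos autologin."""
    conf = parse_appdefaults(text)
    return {app: autologin(conf, app, realm) for app in APPS}
```

Calling `audit(SAMPLE, "EXAMPLE.COM")` shows the effect of scoping: rcp and rdist inherit the section-wide `false`, while rlogin is switched off only for the one realm that overrides it.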

