Re: .k5command -- new stuff for rsh
Johan Danielsson said:
>Leif Johansson <leifj@it.su.se> writes:
>
>> Enclosed are a few patches against 0.3e to do the same thing with rsh.
>
>Ugh! How is this useful?
>
It's insanely useful. If you want to allow automated processes to communicate
between machines, you want to allow connections as some username. You want to
restrict the command said user can run, but you certainly don't want to
implement it using a restricted shell or what not, that's really ugly in this
case.

We use it all the time with SSH to allow untrusted users to initiate
root-level, or user-level actions of some sort in a restricted fashion. The
only other clean way to do it is to run a service inside your inetd.conf that
calls a program given an incoming connection on a given port, but this gets
ugly as well, AND you can't authenticate it very well.

Leif - thanks. I also wish that SSH would let you do command restriction using
Kerberos ACLs, rather than just RSA keys. This would be acceptable for me
also and probably preferable.
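
The per-key command restriction discussed in this thread, sketched as an added example that is not part of the original message or of any patch posted to the list. It assumes OpenSSH's `command="..."` option in `authorized_keys` and the `SSH_ORIGINAL_COMMAND` variable that sshd sets for a forced command; the script path, request names and target programs are hypothetical.

```python
#!/usr/bin/env python3
# Installed (hypothetically) as /usr/local/sbin/restrict.py and bound to one key:
#   command="/usr/local/sbin/restrict.py",no-pty,no-port-forwarding ssh-rsa <KEY> automation
import os
import re
import shlex
import sys

# Constructed allowlist: request name -> (fixed argv, pattern for one argument or None).
ALLOWED = {
    "disk-usage": (["/bin/df", "-k"], None),
    "backup": (["/usr/local/sbin/backup-volume"],
               re.compile(r"[a-z0-9][a-z0-9_-]{0,31}")),
}


def resolve(original_command):
    """Map the client's requested command to a fixed argv, or None to refuse."""
    if not original_command:
        return None                      # no command given (interactive login): refuse
    try:
        words = shlex.split(original_command)
    except ValueError:
        return None                      # unbalanced quotes
    if not words:
        return None
    entry = ALLOWED.get(words[0])
    if entry is None:
        return None                      # unknown request name
    argv, pattern = entry
    args = words[1:]
    if pattern is None:
        return list(argv) if not args else None
    if len(args) != 1 or not pattern.fullmatch(args[0]):
        return None                      # wrong arity, option-like or path-like argument
    return argv + args


def main():
    argv = resolve(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        print("command not permitted", file=sys.stderr)
        return 1
    os.execv(argv[0], argv)              # no shell: metacharacters are never interpreted


if __name__ == "__main__":
    sys.exit(main())
```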