Re: .k5command -- new stuff for rsh
We have a very specific application here which uses this feature
of ssh; we run aide on all our hosts by uploading a fresh aide
binary and configuration file and pulling the resulting database
back to the server for analysis. This is not a bullet-proof solution
but it keeps us from running around with diskettes all the time.
I firmly believe that the .k5command-feature is capable of much
improvement but as for roles and authorization we plan to use
principals like
aide/file@SU.SE
aide/execute@SU.SE
for the two tasks performed by our remote-aide scripts. This looks
roughly equivalent (apart from the per-ip authorization) to what is
available in ssh today.
Having said that I agree with Brian that more thought should be put
into creating a good authorization and policy framework for Kerberos.
I am not sure that it has anything to do with SPKI though... Being
of that persuasion myself ;-) I tend to believe that policy and
authorization info belong in directories.
MVH leifj