PSARC/2008/572 Kerberos autologin for r-cmds
Glenn Barry
Glenn.Barry at sun.com
Thu Sep 11 16:59:28 PDT 2008
James Carlson wrote:
> Gary Winiger writes:
>
>> - Another way to do this would be to auto-detect Kerberos usage but
>> it was rejected as too radical a change for these remote apps that
>> have been in use for many years.
>>
>
> Can you expand on that?
>
> What harm happens if the command "just works" in the presence of
> Kerberos? Or, rather, why does the user need to configure the system
> manually in order to get it to do what it should have done in the
> first place?
>
Yeah, agreed it should have done it in the first place. But now that
this current behavior has been around for years (since s10 in Solaris,
much longer in the MIT Kerb distro apps) we did not want to change the
behavior now by default. A possible problem situation is that the
default is changed and the kerb rcmd is attempted (if the user has a
valid tgt) but the kerb rcmd smf svc is not enabled (for example
rlogin&rsh have diff smf svcs for non-kerb and kerb) on the srvr and
it either hangs (rsh now) or fails (rlogin now). We could try to
rework these clnts to fail faster and fallback to non-kerb but that is
beyond the scope of what we want to do here.
So we'd rather the user enable this option only if needed (and if the
kerb rcmd smf svcs have been enabled).

> This doesn't look at all analogous to the telnet "-a" option to me.
> That one is quite different because transferring the user name is
> typically *not* part of the protocol -- where it *is* part of the
> expected protocol for the r-commands.
>
>
At the proto level agreed. But -a, despite the man page not making it
clear, is the opt to enable a kerb telnet "autologin".
thx,
glenn