
Re: .k5command -- new stuff for rsh




Johan Danielsson said:

>Leif Johansson <leifj@it.su.se> writes:
>
>> Enclosed are a few patches against 0.3e to do the same thing with rsh.
>
>Ugh! How is this useful?
>


It's insanely useful.  If you want to allow automated processes to communicate 
between machines, you want to allow connections as some username.  You want to 
restrict the command said user can run, but you certainly don't want to 
implement it using a restricted shell or whatnot; that's really ugly in this 
case.

We use it all the time with SSH to allow untrusted users to initiate 
root-level, or user-level actions of some sort in a restricted fashion.  The 
only other clean way to do it is to run a service inside your inetd.conf that 
calls a program given an incoming connection on a given port, but this gets 
ugly as well, AND you can't authenticate it very well.

Leif - thanks. I also wish that SSH would let you do command restriction using 
Kerberos ACLs, rather than just RSA keys.  This would be acceptable for me 
also and probably preferable.