[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: .k5command -- new stuff for rsh
Johan Danielsson said:
>Leif Johansson <email@example.com> writes:
>> Enclosed is a few patches agains 0.3e to do the same thing with rsh.
>Ugh! How is this useful?
Its insanely useful. If you want to allow automated processes to communicate
between machines, you want to allow connections as some username. You want to
restrict the command said user can run, but you certainly don't want to
implement it using a restricted shell or what not, that really ugly in this
We use it all the time with SSH to allow untrusted users to initiate
root-level, or user-level actions of some sort in a restricted fashion. The
only other clean way to do it is to run a service inside your inetd.conf that
calls a program given an incoming connection on a given port, but this gets
ugly as well, AND you can't authenticate it very well.
Leif - thanks. I also wish that SSH would let you do command restriction using
kerberos ACL's, rather than just RSA keys. This would be acceptable for me
also and probably preferable.