
Re: .k5command -- new stuff for rsh





We have a very specific application here which uses this feature
of ssh; we run aide on all our hosts by uploading a fresh aide 
binary and configuration file and pulling the resulting database
back to the server for analysis. This is not a bullet-proof solution
but it keeps us from running around with diskettes all the time.

I firmly believe that the .k5command-feature is capable of much 
improvement but as for roles and authorization we plan to use
principals like

aide/file@SU.SE
aide/execute@SU.SE

for the two tasks performed by our remote-aide scripts. This looks
roughly equivalent (apart from the per-ip authorization) to what is
available in ssh today.

Having said that I agree with Brian that more thought should be put
into creating a good authorization and policy framework for Kerberos.
I am not sure that it has anything to do with SPKI though... Being
of that persuasion myself ;-) I tend to believe that policy and
authorization info belong in directories.

	MVH leifj