remctld on windows
Dyer, Rodney
rmdyer at uncc.edu
Mon Mar 1 21:49:56 EST 2010
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf
> Of Christopher D. Clausen
> Sent: Friday, February 26, 2010 10:46 PM
> To: Jason Edgecombe
> Cc: kerberos at mit.edu
> Subject: Re: remctld on windows
>
<snipped for brevity>
> I'd hope not just anyone could start killing my processes though; that
> would be bad.
You need to understand the history of our environment to understand where
the need is. In our college, student TAs are used for help desk, as the
college would not, or does not want to, spend money for enough competent
full-time salaried help desk people. This also helps by providing students
with jobs during their education, preparing them for life in the field. The
more students we can hire, the better off we look to some of the EDU types
at the state level. So when users have issues, some of the TAs have the
ability to kill user processes, log people out of locked workstations, and
reboot workstations. This is done using an in-house written,
security-through-obscurity tool that now needs to be migrated or replaced
altogether.
Whatever we replace the old tool with needs to satisfy some requirements.
* It should not allow a full "admin" or "root" SSH-type shell.
* It should only allow certain users to perform certain actions. A
simple flat-file database of users to actions would suffice.
Actions: list processes for user, kill process of user, reboot
workstation (rarely needed), log user out.
* It needs to be cross-platform between Windows and Linux (previously
Solaris).
Using the TAs' Kerberos credentials would be nice; however, it is not exactly
necessary if we could use private keys.
We don't have an SSHd running on XP. This makes things more complicated.
We either buy one or run OpenSSH from Cygwin.
> -----
>
> You could have remctld on non-windows call commands using
> http://eol.ovh.org/winexe/ with the appropriate parameters passed in.
> This actually might be simpler as you could keep the credentials used
> for authentication on the single system running remctld and ACL commands
> there to subsets of computers instead of needing to configure remctld on
> every computer.
>
> In theory the user on the remctl side only needs permission to make the
> call through remctld and it will have embedded credentials to access the
> system.
Using a middle-man is possible, though not ideal.
Because of the complications and lack of time, we've decided to simply
fall back to the old tool and cross-compile the client on Linux. Since
most of our machines now are Windows, we rarely need to perform the
operations on Linux.
Rodney
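The requirements Rodney lists (a closed set of actions, a flat file mapping users to the actions they may run, Windows and Linux targets, and no path to a full shell) describe the shape of a remctl-style command server. The following is an added example sketching that design; it is neither the poster's in-house tool nor remctl's own code. The principal names, the sample ACL text, and the per-platform command tables are constructed for illustration, and the "log user out" action is omitted because on Windows it first requires resolving the user's session ID.

```python
"""Allow-listed helpdesk actions behind a flat-file ACL (added example;
not the poster's tool and not remctl code).  Principal names, the
sample ACL and the command tables are constructed for illustration."""
import re
import subprocess
import sys

# Closed set of actions.  Anything not here is refused before any command
# line is built, so the tool can never turn into a general shell.
ACTIONS = ("list", "kill", "reboot")

# Constructed sample of the flat "principal  action,action" file.  In
# production this is a root/Administrator-owned file the TAs cannot edit.
SAMPLE_ACL = """\
# principal            actions
ta1@EXAMPLE.EDU        list,kill
ta2@EXAMPLE.EDU        list
helpdesk@EXAMPLE.EDU   list,kill,reboot
"""

_USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_acl(text):
    """Return {principal: frozenset(actions)}, rejecting unknown actions."""
    acl = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("ACL line %d: expected 'principal actions'" % lineno)
        principal, actions = fields
        granted = frozenset(a for a in actions.split(",") if a)
        unknown = granted.difference(ACTIONS)
        if unknown:
            raise ValueError("ACL line %d: unknown action(s) %s"
                             % (lineno, ",".join(sorted(unknown))))
        acl[principal] = granted
    return acl


def is_authorized(acl, principal, action):
    """Fail closed: an unlisted principal or action is a denial."""
    return action in acl.get(principal, frozenset())


def validate_target(action, target):
    """Check the single argument each action takes; the regex and the
    integer check keep request data from carrying shell syntax."""
    if action == "list":
        if not _USERNAME_RE.match(target):
            raise ValueError("bad username")
        return target
    if action == "kill":
        # Caveat: this does not yet check that the pid belongs to the user
        # being helped; that ownership check is platform-specific.
        if not target.isdigit() or int(target) <= 1:
            raise ValueError("bad pid")
        return int(target)
    if action == "reboot":
        if target != "":
            raise ValueError("reboot takes no argument")
        return None
    raise ValueError("unknown action %r" % action)


def build_argv(action, target, platform):
    """Map a validated (action, target) to an argv list for the platform.
    Always an argv list, never a shell string, so nothing from the request
    is ever handed to cmd.exe or /bin/sh for interpretation."""
    if platform == "win32":
        table = {
            "list":   lambda t: ["tasklist", "/FI", "USERNAME eq %s" % t],
            "kill":   lambda t: ["taskkill", "/F", "/PID", str(t)],
            "reboot": lambda t: ["shutdown", "/r", "/t", "0"],
        }
    else:
        table = {
            "list":   lambda t: ["ps", "-u", t, "-o", "pid,user,comm"],
            "kill":   lambda t: ["kill", "-TERM", str(t)],
            "reboot": lambda t: ["shutdown", "-r", "now"],
        }
    return table[action](target)


def authorize_and_build(acl, principal, action, target, platform):
    """Authorization decision first, then command construction.
    `principal` must be the identity the transport authenticated (the
    Kerberos principal from GSSAPI, or the owner of the private key),
    never a field the client put in the request body."""
    if action not in ACTIONS:
        raise PermissionError("unknown action %r" % action)
    if not is_authorized(acl, principal, action):
        raise PermissionError("%s is not allowed to %s" % (principal, action))
    return build_argv(action, validate_target(action, target), platform)


def handle_request(acl, principal, action, target):
    """Run the allow-listed command without a shell; return its exit code."""
    argv = authorize_and_build(acl, principal, action, target, sys.platform)
    return subprocess.run(argv, check=False).returncode
```

The same split is what remctld itself expresses: the configuration maps each command and subcommand to a fixed executable and to an ACL of principals, the authenticated Kerberos principal is what gets checked against that ACL, and the executable receives the arguments directly rather than through a shell. The middle-man layout suggested in the quoted reply does not change this picture; it only moves where the ACL lives and which machine holds the credentials that reach the workstations.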