[remctl] Proposal for new credential delegation functionality
Rémi Ferrand
remi.ferrand at cc.in2p3.fr
Fri Nov 7 09:22:15 EST 2014
Hi everyone,
I have been thinking for a while about a *proxy* functionality for
remctl that could allow, in a scenario like:
[client (someone at EXAMPLE.ORG)] --> [remctl server 1 / command *the_command*]
to delegate credentials from client to remctl server (credentials could
be stored in a ccache like SSH does when GSSAPI delegation occurs).
The command *the_command* executed on remctl server [remctl server 1]
could then execute other remctl chained commands with user credentials.
This could allow one to call other remctl commands within a remctl
server command.
Each delegated credential should also be isolated from the others (just
like SSH does).
Of course this should be optional and specified as an option for each
command defined on the server.
For now, I do already have a very simple but working version of remctl
with modified client and server to accomplish this.
Now comes the time I ask you what you think about this idea?
Do you think that this is a *MUST HAVE* functionality for remctl or are
we the only ones interested in this at CC-IN2P3 :-)
Cheers
Rémi