[remctl] Proposal for new credential delegation functionality

Rémi Ferrand remi.ferrand at cc.in2p3.fr
Fri Nov 7 09:22:15 EST 2014


Hi everyone,

I have been thinking for a while about a *proxy* functionality for 
remctl that could allow, in a scenario like:

[client (someone at EXAMPLE.ORG)] --> [remctl server 1 / command *the_command*]

to delegate credentials from client to remctl server (credentials could 
be stored in a ccache like SSH does when GSSAPI delegation occurs).
The command *the_command* executed on remctl server [remctl server 1] 
could then execute other remctl chained commands with user credentials.

This could allow one to call other remctl commands within a remctl 
server command.

Each delegated credential should also be isolated from the others (just 
like SSH does).
Of course this should be optional and specified as an option for each 
command defined on the server.

For now, I already have a very simple but working version of remctl 
with modified client and server to accomplish this.

Now comes the time for me to ask you what you think about this idea.
Do you think that this is a *MUST HAVE* functionality for remctl or are 
we the only ones interested in this at CC-IN2P3? :-)

Cheers

Rémi
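
The per-delegation cache isolation asked for in the message above, as an added sketch (not Rémi's patch and not remctl code). The helper names `new_ccache_dir` and `run_isolated` and the `delegated_cc` prefix are hypothetical, and the step where the server writes the delegated credentials into the cache is assumed and not shown.

```shell
#!/bin/sh
# Added illustration: one private credential cache per command invocation,
# exposed through KRB5CCNAME and destroyed when the command ends.
# Helper names and the directory prefix are hypothetical, not remctl's.

# Create a directory only the server user can enter; print its path.
new_ccache_dir() {
    old_umask=$(umask)
    umask 077
    dir=$(mktemp -d "${TMPDIR:-/tmp}/delegated_cc.XXXXXX") || return 1
    umask "$old_umask"
    printf '%s\n' "$dir"
}

# Run "$@" with KRB5CCNAME pointing at a cache no other invocation shares,
# then remove the cache whatever the command's exit status was.
run_isolated() {
    cc_dir=$(new_ccache_dir) || return 1
    # Assumption: a real server would store the delegated credentials in
    # "$cc_dir/krb5cc" at this point, before starting the command.
    status=0
    (
        KRB5CCNAME="FILE:$cc_dir/krb5cc"
        export KRB5CCNAME
        "$@"
    ) || status=$?
    rm -rf -- "$cc_dir"
    return "$status"
}

# Two invocations: each sees a different cache path.
run_isolated sh -c 'echo "first command sees  $KRB5CCNAME"'
run_isolated sh -c 'echo "second command sees $KRB5CCNAME"'
```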

More information about the Kerberos mailing list