[remctl] Proposal for new credential delegation functionality
Simo Sorce
simo at redhat.com
Fri Nov 7 10:50:07 EST 2014
On Fri, 07 Nov 2014 15:22:15 +0100
Rémi Ferrand <remi.ferrand at cc.in2p3.fr> wrote:
> Hi everyone,
>
> It's been a while since I started thinking about a *proxy* functionality
> for remctl that could allow, in a scenario like:
>
> [client (someone at EXAMPLE.ORG)] --> [remctl server 1 / command
> *the_command*]
>
> to delegate credentials from client to remctl server (credentials
> could be stored in a ccache like SSH does when GSSAPI delegation
> occurs). The command *the_command* executed on remctl server [remctl
> server 1] could then execute other remctl chained commands with user
> credentials.
>
> This could allow one to call other remctl commands within a remctl
> server command.
>
> Each delegated credential should also be isolated from the others
> (just like SSH does).
> Of course this should be optional and specified as an option for each
> command defined on the server.
>
> For now, I do already have a very simple but working version of
> remctl with modified client and server to accomplish this.
>
> Now comes the time to ask you what you think about this idea?
> Do you think that this is a *MUST HAVE* functionality for remctl, or
> are we the only ones interested in this at CC-IN2P3 :-)
It is a very nice to have, but it would be really nice if you did not
use unbounded delegation (i.e. send the whole TGT) but rather allowed
either just sending a ticket (or set of tickets) for whatever action may be
needed, and/or supported constrained delegation on the receiving end
(s4u2proxy).
My2c.
simo.
--
Simo Sorce * Red Hat, Inc * New York