I'm sponsoring this Fast Track for Glenn Barry and the Kerberos project team.
It extends the existing ability to autologin telnet(1) sessions to the
Berkeley r-cmds.
Interface stability levels that match those of the r-cmds options
(presumed Committed) and krb5.conf(4) configuration variables
(Uncommitted) are requested.
A Patch release binding is requested. There is an intent to backport
minimally to S10 and perhaps as far back as S8.
The timer is set for 17 Sept, 2008. As there's no meeting 17 Sept,
and there are consumers asking for these changes, the project team
requests acknowledgement or discussion from members so the case can
complete.
Diff marked man pages are in the case directory. A telnet man page is
also present for reference.
Gary..
===============================================================================
ABSTRACT
--------
This proposal extends the krb5.conf(4) autologin configuration
variable from applicability only to telnet(1) to rsh(1), rcp(1), rdist(1),
and rlogin(1) as well (collectively called the r-cmds). This will allow
the system administrator to enable Kerberos-based Single Sign-On on a
per-system basis for the r-cmds. This is useful for customers who are
transitioning to Kerberos and have many scripts that use the r-cmds
and want to enable Kerberos for these cmds without having to change
their scripts.
BACKGROUND
----------
Currently customers can enable telnet(1) to use Kerberos for Single
Sign-On on a system-wide basis via krb5.conf(4):
    autologin = [true | false]
        Forces the application to attempt automatic login by
        presenting Kerberos credentials. This is only valid for
        the telnet application.
The krb5.conf(4) autologin configuration variable is the equivalent of
the telnet command line option -a. The telnet(1) -K command line
option can override the krb5.conf(4) autologin configuration variable.
A customer has noticed this and would like to extend it to the r-cmds.
The customer also knows that ssh(1)/scp(1) is the current preferred
remote shell/copy program and should be used if possible but they have
many legacy scripts that use the r-cmds and need them to work
seamlessly as they transition to Kerberos-based NFS.
telnet(1) and the r-cmds all currently have the following
configuration variables available in krb5.conf(4) (and have equivalent
command line options):
    encrypt = [true | false]
    forward = [true | false]
    forwardable = [true | false]
while only telnet(1) has the autologin variable available.
PROPOSAL
--------
- We propose to extend the krb5.conf(4) autologin from telnet(1) to the
r-cmds. This will allow the system administrator to enable
Kerberos for the r-cmds on a system-wide basis.
For example, the krb5.conf(4) autologin variable for rsh(1) can be
enabled like so:
    rsh = {
        autologin = true
    }
This is the equivalent of the command line "rsh -a ...".
The r-cmds will only examine the autologin variable if there is no
preference for it given on the command line. And if autologin is
not specified in krb5.conf(4), then it defaults to a value of
`false'.
- We propose to add a new command line option, -K, to
rsh/rcp/rdist/rlogin that forces non-Kerberos use and can thus
override the krb5.conf(4) autologin variable. -K currently has
this same functionality in telnet(1). Note that rlogin(1) already has
the -a option, which forces non-Kerberos use, but we will also add
-K to make it consistent with the other r-cmds.
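The precedence described in the two proposal items above (command line first, then krb5.conf(4), then a default of false), as an added example that is not the project's own code. The names conf_bool, use_kerberos and cli_pref are hypothetical, the stanza parser is a simplified stand-in for the real krb5.conf(4) reader, and the sample configuration is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Command-line preference: none given, Kerberos requested (e.g. rsh -a), or -K. */
enum cli_pref { CLI_NONE, CLI_KRB, CLI_NOKRB };

/* Constructed sample; [appdefaults] is the krb5.conf(4) section for per-application settings. */
static const char SAMPLE_CONF[] =
    "[appdefaults]\n"
    "    rsh = {\n        autologin = true\n    }\n"
    "    rcp = {\n        encrypt = true\n    }\n";

/* Return 1/0 for "var = true|false" inside the "app = { ... }" stanza, -1 if unset. */
static int conf_bool(const char *conf, const char *app, const char *var)
{
    char line[256], name[64], val[64], cur[64] = "";
    int result = -1;
    while (*conf) {
        size_t n = strcspn(conf, "\n");
        size_t keep = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, conf, keep);
        line[keep] = '\0';
        conf += n + (conf[n] == '\n');
        if (sscanf(line, " %63[^ =\t] = %63s", name, val) == 2) {
            if (strcmp(val, "{") == 0)
                strcpy(cur, name);               /* entering a stanza */
            else if (!strcmp(cur, app) && !strcmp(name, var))
                result = strcmp(val, "true") == 0;
        } else if (strchr(line, '}')) {
            cur[0] = '\0';                       /* leaving the stanza */
        }
    }
    return result;
}

/* Proposal's precedence: command line, then krb5.conf(4), then default false. */
static int use_kerberos(enum cli_pref cli, const char *conf, const char *app)
{
    if (cli != CLI_NONE)
        return cli == CLI_KRB;
    return conf_bool(conf, app, "autologin") == 1;
}

int main(void)
{
    printf("rsh: %d, rsh -K: %d, rcp: %d\n", use_kerberos(CLI_NONE, SAMPLE_CONF, "rsh"),
           use_kerberos(CLI_NOKRB, SAMPLE_CONF, "rsh"), use_kerberos(CLI_NONE, SAMPLE_CONF, "rcp"));
    return 0;
}
```

An existing script that calls rsh with no flags picks up Kerberos from the rsh stanza, while rcp, which has no autologin entry, keeps its non-Kerberos default.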
NOTES
-----
- These proposed features will need to be backported to Solaris 10 and
Solaris 9 (and maybe Solaris 8).
- Another way to do this would be to auto-detect Kerberos usage but
it was rejected as too radical a change for these remote apps that
have been in use for many years.