James Carlson wrote: > Gary Winiger writes: > >> - Another way to do this would be to auto-detect Kerberos usage but >> it was rejected as too radical a change for these remote apps that >> have been in use for many years. >> > > Can you expand on that? > > What harm happens if the command "just works" in the presence of > Kerberos? Or, rather, why does the user need to configure the system > manually in order to get it to do what it should have done in the > first place? >
Yea, agreed it should have done it in the first place. But now that this current behavior has been around for years (since s10 in Solaris, much longer in the MIT Kerb distro apps) we did not want to change the behavior now by default. A possible problem situation is that the default is changed and the kerb rcmd is attempted (if the user has a valid tgt) but the kerb rcmd smf svc is not enabled (for example rlogin&rsh have diff smf svcs for non-kerb and kerb) on the srvr and it either hangs (rsh now) or fails (rlogin now). We could try to rework these clnts to fail faster and fallback to non-kerb but that is beyond the scope of what we want to do here. So we'd rather the user enable this option only if needed (and if the kerb rcmd smf svcs have been enabled). > This doesn't look at all analogous to the telnet "-a" option to me. > That one is quite different because transferring the user name is > typically *not* part of the protocol -- where it *is* part of the > expected protocol for the r-commands. > > At the proto level agreed. But -a, despite the man page not making it clear, is the opt to enable a kerb telnet "autologin". thx, glenn -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.opensolaris.org/pipermail/opensolaris-arc/attachments/20080911/fcd5ffb7/attachment.html>
