Re: [bug-inetutils] Present libshishi support.
From: Simon Josefsson
Subject: Re: [bug-inetutils] Present libshishi support.
Date: Thu, 09 Aug 2012 19:40:24 +0200
User-agent: Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.3 (gnu/linux)
Mats Erik Andersson <address@hidden> writes:
> On Thursday, 9 August 2012 at 15:00, Simon Josefsson wrote this:
>> Mats Erik Andersson <address@hidden> writes:
>>
>> > in order to comply with the naming in Shishi.
>> > Momentarily this concerns rshd and rlogind.
>> > Should also telnetd offer this switch?
>>
>> I think that would be useful.
>
> Will do.
>
>> Btw, I noticed that MIT/Heimdal telnet has a '-k realm' parameter to
>> override the realm of the remote host. That could be useful too.
>
> This was implemented for libshishi and telnet client in commit bfc79fcb,
> on July 13th!
Ah. I was using Ubuntu 12.04 packaged inetutils-telnet, which
presumably doesn't have that. (Btw, maybe it is time for a release?)
>> > * Could the above be extended to allow
>> >
>> > address@hidden
>> >
>> > or even
>> >
>> > --server-name=rsh/address@hidden
>> >
>> > with increasing degree of replacing the default
>> >
>> > host/address@hidden ?
>>
>> Yeah, maybe that is even better. A value of @REALM could indicate that
>> you only want to override the remote realm. However, the name of the
>> switch is a bit strange then, --server-principal maybe?
>
> The library offers shishi_parse_name() to decompose a qualified
> principal's name. However it only decomposes into realm and principal,
> but not separating off the instance name. Have I overlooked a further
> library call?
If needed, something could be added.
> I imagine some useful setups where one would want services
>
> telnet/address@hidden
>
> rsh/address@hidden
>
> instead of the simplistic
>
> host/address@hidden
>
> for both services. This "address@hidden" would need one ticket for
> each server: "telnet/bang.ex.org" and "rsh/bang.ex.org".
I agree this would be better (one key per service), although it breaks
with the Kerberos tradition.
> At the moment I do not recall whether MIT, or Heimdal, make
> provisions for telnetd and ftpd to declare themselves as
> something more specific than "host/bang.ex.org". Certainly
> Inetutils is not able to do that yet.
I don't recall this either. The "host" part is often hard coded.
> In fact, a correctly written "~/.k5login" would specify
>
> ## /home/admin/.k5login
>
> sigge/address@hidden
> gusten/address@hidden
> address@hidden
>
> allowing optional role selection. We are not yet at this stage
> within Inetutils. Could one imagine calls like
>
> $ telnet -kEX.ORG -l sigge/admin kdc.ex.org
>
> $ rsh -l gusten/build bbuild.ex.org start_rebuild now
>
> which would need a simple stripping off of the instance string
> from the specified user name.
I don't think that is how it is supposed to work -- the way Kerberos
roles typically work is that you acquire a role ticket, say 'shishi
sigge/address@hidden', and then use that ticket to authenticate against the
remote server. What you provide to the -l switch is still the username
on the remote server. This should work fine now, I believe.
However, if you have more than one ticket in your ticket cache, I'm not
sure there is a way to ask the client which ticket to use. MIT/Heimdal
doesn't have this problem, I believe, since they don't support storing
tickets for multiple user principals in their ticket files. We would
need another switch for this, say:
telnet --realm EX.ORG --remote-principal telnet/kdc.ex.org
--use-ticket sigge/address@hidden kdc.ex.org
where --realm and --remote-principal specify the Kerberos name of the
remote server and --use-ticket specify which local ticket it should
authenticate with.
/Simon
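The principal-name handling discussed in this message, as an added example that is not code from Inetutils, Shishi or either author. It decomposes primary/instance@REALM (the instance split that shishi_parse_name() is said above not to do), builds the server principal from the override forms proposed in the thread with increasing scope, and performs the exact-match ~/.k5login check that makes a role ticket such as sigge/admin@EX.ORG distinct from sigge@EX.ORG. The function names, the reading of a lone "name@REALM" override as a host-name override, and the EX.ORG sample file are this example's own assumptions, and Python is used instead of the projects' C for brevity.

```python
# Added example, not Inetutils or Shishi code. Function names are this
# example's own; the EX.ORG sample data below is constructed.
from dataclasses import dataclass
from typing import List, Optional


def _escape(component: str) -> str:
    # Separators inside a component are written with a backslash.
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")


@dataclass(frozen=True)
class Principal:
    primary: str              # "host", "telnet", "rsh", or a user name
    instance: Optional[str]   # host name, or a role such as "admin"
    realm: Optional[str]      # None when the name carried no realm

    def __str__(self) -> str:
        s = _escape(self.primary)
        if self.instance is not None:
            s += "/" + _escape(self.instance)
        return s if self.realm is None else s + "@" + _escape(self.realm)


def parse_principal(name: str, allow_empty_primary: bool = False) -> Principal:
    """Split 'primary[/instance][@REALM]', honouring backslash escapes.
    Unlike shishi_parse_name() as described in the thread, the instance is
    split off as well; multi-component instances are rejected."""
    comps: List[str] = [""]
    in_realm = False
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):   # escaped char: take it literally
            comps[-1] += name[i + 1]
            i += 2
            continue
        if c == "@" and in_realm:
            raise ValueError(f"second '@' in principal name: {name!r}")
        if c == "@" or (c == "/" and not in_realm):   # '/' in a realm is literal
            in_realm = in_realm or c == "@"
            comps.append("")
        else:
            comps[-1] += c
        i += 1
    realm = comps.pop() if in_realm else None
    if realm == "" or len(comps) > 2 or "" in comps[1:]:
        raise ValueError(f"malformed principal name: {name!r}")
    if comps[0] == "" and not allow_empty_primary:
        raise ValueError(f"empty primary in principal name: {name!r}")
    return Principal(comps[0], comps[1] if len(comps) == 2 else None, realm)


def server_principal(remote_host: str, default_realm: str,
                     override: Optional[str] = None) -> Principal:
    """Service principal the client asks a ticket for. The override forms from
    the thread replace an increasing part of host/<remote_host>@<default_realm>:
    "@REALM" the realm only (what telnet -k does); "name@REALM" the host part
    and realm (a lone component is read as the host name, this example's
    reading of the proposal); "rsh/name@REALM" the whole name. A component
    missing from the override keeps its default."""
    if override is None:
        return Principal("host", remote_host, default_realm)
    p = parse_principal(override, allow_empty_primary=True)
    realm = default_realm if p.realm is None else p.realm
    if p.instance is None:
        return Principal("host", p.primary or remote_host, realm)
    return Principal(p.primary or "host", p.instance, realm)


def k5login_allows(k5login: str, client: Principal, local_realm: str) -> bool:
    """True if the authenticated client principal is listed in ~/.k5login.
    The whole name must match: sigge/admin@EX.ORG does not admit sigge@EX.ORG
    nor the reverse, so the ticket chosen to authenticate (what --use-ticket
    would select) decides which entry applies. Entries lacking a realm are
    completed with local_realm."""
    if client.realm is None:
        raise ValueError("authenticated principal must carry a realm")
    for line in k5login.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_principal(line)
        if entry.realm is None:
            entry = Principal(entry.primary, entry.instance, local_realm)
        if entry == client:
            return True
    return False


# Constructed sample in the shape of the ~/.k5login quoted in the thread.
SAMPLE_K5LOGIN = """\
## /home/admin/.k5login
sigge/admin@EX.ORG
gusten/build@EX.ORG
admin
"""
```

With this, `server_principal("kdc.ex.org", "EX.ORG", "@OTHER.ORG")` yields host/kdc.ex.org@OTHER.ORG and `server_principal("bang.ex.org", "EX.ORG", "rsh/bang.ex.org")` yields rsh/bang.ex.org@EX.ORG, while `k5login_allows` admits sigge/admin@EX.ORG against the sample file but not sigge@EX.ORG or the same role in another realm.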