[36604] in Kerberos


[remctl] Proposal for new credential delegation functionality

daemon@ATHENA.MIT.EDU (Rémi Ferrand)
Fri Nov 7 09:22:32 2014

Message-ID: <545CD597.5020605@cc.in2p3.fr>
Date: Fri, 07 Nov 2014 15:22:15 +0100
From: Rémi Ferrand <remi.ferrand@cc.in2p3.fr>
To: "kerberos@mit.edu" <kerberos@mit.edu>

This is a cryptographically signed message in MIME format.

Hi everyone,

I have been thinking for a while about a *proxy* functionality for
remctl that could allow, in a scenario like:

[client (someone@EXAMPLE.ORG)] --> [remctl server 1 / command *the_command*]

to delegate credentials from the client to the remctl server (credentials
could be stored in a ccache like SSH does when GSSAPI delegation occurs).
The command *the_command* executed on remctl server [remctl server 1]
could then execute other chained remctl commands with the user's credentials.

This could allow one to call other remctl commands within a remctl
server command.

Each delegated credential should also be isolated from the others (just
like SSH does).
Of course this should be optional and specified as an option for each
command defined on the server.

For now, I do already have a very simple but working version of remctl
with modified client and server to accomplish this.

Now comes the time to ask you what you think about this idea.
Do you think that this is a *MUST HAVE* functionality for remctl or are
we the only ones interested in this at CC-IN2P3 :-)

Cheers

Rémi

