[16230] in Kerberos_V5_Development
Re: Processing .k5login (another patch)
daemon@ATHENA.MIT.EDU (Roland C. Dowdeswell)
Wed Sep 1 19:03:00 2010
Date: Thu, 2 Sep 2010 00:03:32 +0100
From: "Roland C. Dowdeswell" <elric@imrryr.org>
To: Russ Allbery <rra@stanford.edu>
Message-ID: <20100901230332.GE20547@mournblade.imrryr.org>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <87eiddt6y2.fsf@windlord.stanford.edu>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On Wed, Sep 01, 2010 at 03:49:57PM -0700, Russ Allbery wrote:
>
> "Roland C. Dowdeswell" <elric@imrryr.org> writes:
> > On Wed, Sep 01, 2010 at 03:35:41PM -0700, Russ Allbery wrote:
>
> >> Can that support the case where multiple principals are authorized to
> >> log on to the local account? The use case I have in mind are for
> >> things like the oracle account.
>
> > Yes. The BDB is a hash of principal to local name. Local name
> > can be the same for multiple principals.
>
> The common scenario here is for all the DBAs to have their own individual
> accounts on the system with their individual .k5login files, plus all have
> access to the oracle account via .k5login. Maybe it's a failure of the
> imagination, but I don't see how any hash of one value to one other value
> would work for that. I think multiple values would have to be allowed.
Ah, I thought that you meant ``multiple principals are authorised
to log on to a local account'', rather than ``a single principal
can be authorised to log onto multiple local accounts''.
No, a simple hash lookup can't do that. I wasn't considering that
case, but as you point out it is valid.
But, I am not proposing that we remove the code for .k5login but
rather we allow organisations to disable it if it is undesirable
in their environment.
I am also proposing that we put in a simple hash lookup because it
would be quite useful in a number of situations. This would meet
my needs as I do not need to authorise a single principal to multiple
accounts, but perhaps something a bit more flexible would be more
desirable.
--
Roland Dowdeswell http://Imrryr.ORG/~elric/
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
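As an added illustration of the mapping designs Russ and Roland are discussing (not code from MIT krb5 or from either author; the principals, local names and .k5login contents are constructed), a toy kuserok-style check that contrasts the one-to-one hash with a multi-valued map and honours a site switch that disables .k5login processing:

```python
# Added illustration (not MIT krb5 code): a toy krb5_kuserok-style check that
# contrasts a one-to-one principal->local-name hash with a multi-valued map,
# and honours a site switch that disables .k5login processing.

# Constructed sample data: the simple BDB-style hash, one local name per principal.
SIMPLE_DB = {
    "alice@EXAMPLE.ORG": "oracle",
    "bob@EXAMPLE.ORG": "oracle",
}

# Constructed sample data: principal -> set of local names (the DBA case).
MULTI_DB = {
    "alice@EXAMPLE.ORG": {"alice", "oracle"},
    "bob@EXAMPLE.ORG": {"bob", "oracle"},
}

# Constructed sample .k5login contents, keyed by local user (None = no file).
K5LOGINS = {
    "oracle": "alice@EXAMPLE.ORG\nbob@EXAMPLE.ORG\ncarol@EXAMPLE.ORG\n",
    "alice": None,
}


def db_allows(db, principal, luser):
    """True if the mapping database authorises principal to become luser."""
    names = db.get(principal)
    if names is None:
        return False
    if isinstance(names, str):      # one-to-one hash: exactly one local name
        names = {names}
    return luser in names


def k5login_allows(contents, principal):
    """True if principal appears, one per line, in the given .k5login text."""
    if contents is None:            # no .k5login: nothing authorised this way
        return False
    return any(line.strip() == principal for line in contents.splitlines())


def kuserok(principal, luser, db, k5logins=K5LOGINS, use_k5login=True):
    """Site policy: consult the mapping DB first, then .k5login unless disabled."""
    if db_allows(db, principal, luser):
        return True
    if not use_k5login:             # organisation has turned .k5login off
        return False
    return k5login_allows(k5logins.get(luser), principal)
```

With SIMPLE_DB, alice can become oracle but not alice, which is exactly the limitation Russ points out; MULTI_DB authorises both.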