[1638] in Kerberos_V5_Development
Re: preliminary appdefaults patch
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Aug 26 17:09:35 1996
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, eichin@cygnus.com
Cc: Sam Hartman <hartmans@MIT.EDU>, krbdev@MIT.EDU
From: Sam Hartman <hartmans@MIT.EDU>
Date: 26 Aug 1996 17:06:54 -0400
In-Reply-To: Ken Hornstein's message of Mon, 26 Aug 1996 16:30:38 -0400
>>>>> "Ken" == Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
Ken> Looks great! I will start banging on this.
>> Also, I need to decide how to deal with command-line overides
>> for options I wish to disable. In particular, how do I disable
>> something like forwardable from the kinit command line once I
>> have enabled it in the profile? This is probably even more
>> important for rlogin and rsh.
Ken> Hmmm.
Ken> How about -N as a command-line option? I think it's open on
Ken> all programs (kinit, telnet, rlogin, rsh).
That sounds reasonable. I think an option model along the
* use current options to enable the flags--things like proxyable,
* forwardable, etc.
* Try to support capital letter versions oof options to disable. For
example, -P would turn off proxyable, -F would turn off forwardable on
kinit.
* For forwardable and possibly others, the capital letter is already
used as an option for some programs. In these cases, I propose that
we take an additional option (-N sounds good for forwardable) and
document that as the preferred way to turn off the flag. On prgrams
where the capital letter is not taken, that should work as well.
Thus, you could use -F or -n to turn off forwardable on kinit,
although the manual would tell you to use -n.
* There won't be a way of getting the system default for things like
lifetime that aren't boolean; if you want a specific lifetime, you
specify it on the command line, otherwise you get the lifetime in
krb5.conf if set.
* I believe Cygnus has already defined options to turn off encryption
on rlogin. We may need to support these--I just hope they didn't use
-N.
Ken> Oh, is the plan to have login.krb5 use the appdefaults
Ken> section instead of it's own [login] section?
I think this would be ideal. I don't know how much backwards
compatability Cygnus will want to preserve in this regard. Any
comments, Mark? Actually, that did go out in Beta 6, didn't it? We
may want to have some backward compatability as well.
Ken> --Ken
