| Summary: | [tcf] Add a Login service to fully support authentication | ||
|---|---|---|---|
| Product: | [Tools] TCF | Reporter: | Anna Dushistova <anna.dushistova> |
| Component: | Core | Assignee: | Project Inbox <dsdp.tm.tcf-inbox> |
| Status: | NEW --- | QA Contact: | Martin Oberhuber <mober.at+eclipse> |
| Severity: | enhancement | ||
| Priority: | P3 | CC: | cdtdoug, jessica.zhang, lianhao.lu, liping.ke |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Whiteboard: | |||
Description
Anna Dushistova
I paste Eugene Tarassov's comments here:
> The problem is that Terminals service is a wrong place to handle login. It only
> changes user account for bash that it starts for a terminal, but all services
> that the agent provides continue to use original account (e.g. root). Correct
> implementation of login would fork the agent, change user on the child agent,
> then re-route all client traffic to the new agent. This is better to be
> implemented as a separate service, e.g. Login service. Until it is done, it is
> better to assume that login is not supported at all, and a user has to start
> the agent under right user account before connecting to it.
>
> Regards,
> Eugene
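
The fork-then-change-user step described in the quoted comment, sketched as an added example (not TCF agent code and not part of this bug report). `drop_privileges` and `serve_as_user` are hypothetical names, uid/gid 65534 is a constructed sample value, and the client is assumed to be already authenticated; the child keeps serving the client socket it inherits across `fork()`.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1            /* exposes setgroups() in <grp.h> */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: permanently switch the caller to uid/gid. 0 on success. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    /* Order matters: supplementary groups and gid first, uid last,
     * because after setuid() the process may no longer change groups. */
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the result instead of trusting the calls. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root must be unrecoverable */
    return 0;
}

/* Fork a per-user child for an already authenticated client.
 * Returns the child's exit status: 0 = served as uid, 1 = privilege drop
 * failed and the child refused to serve, -1 = fork/wait error. */
int serve_as_user(uid_t uid, gid_t gid, int client_fd)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(1);    /* fail closed */
        /* A real agent would run all of its services on client_fd here. */
        static const char msg[] = "serving as unprivileged user\n";
        if (client_fd >= 0 && write(client_fd, msg, sizeof msg - 1) < 0) _exit(1);
        _exit(0);
    }
    /* The parent keeps its own account. It waits here only so the result is
     * visible; a real parent would close its copy of client_fd and go on. */
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* 65534 is a constructed sample id (commonly "nobody"). */
    printf("child result: %d\n", serve_as_user(65534, 65534, STDOUT_FILENO));
    return 0;
}
```

Run as root the child reports 0; run as an ordinary user the drop fails and the child exits with 1 without serving.
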
We thought there're two steps to do:
Step 1: Enable Terminal/shell service firstly without Login service:
a. Remove/mask current login code in terminal service
b. Set needed environment settings for terminal/shell services since we can't reuse login functionality any more.
Step 2: Implement login service firstly
a. Login service should be initiated during TCF connect phase.
b. The details of implementation (several things to do, such as how to deal with broadcast, which parts
of job should be done by TCF parent agent and which parts should be moved into TCF child agent)
will be sent by Lianhao.
And Eugene and Anna,
Since you're the TCF agent, any input (especially step 2) will be highly appreciated.
And Anna, we think we can send the Step 1 patch soon if the proposal is accepted by you. Maybe we need to create a new bugzilla entry, close the terminal/shell service feature request entry, but add a non-login Terminal/shell service request entry? What do you think?
Thanks & Regards,
criping
This plan is fine with me. Eugene, what do you think?

> We thought there're two steps to do:
> Step 1: Enable Terminal/shell service firstly without Login service:
> a. Remove/mask current login code in terminal service
> b. Set needed environment settings for terminal/shell services since we can't reuse login functionality any more.
> Step 2: Implement login service firstly
> a. Login service should be initiated during TCF connect phase.
> b. The details of implementation (several things to do, such as how to deal with broadcast, which parts of job should be done by TCF parent agent and which parts should be moved into TCF child agent) will be sent by Lianhao.

For step 1.b, I created a new bug https://bugs.eclipse.org/bugs/show_bug.cgi?id=328796

A login service will likely have to transfer the password in encrypted form, before the agent can be forked. Note that any encryption algorithms implemented for this will need to be disclosed in the plugin's about.html. For dstore, /org.eclipse.dstore.core/src/org/eclipse/dstore/core/client/ClientConnection.java currently does use plaintext passwords, but this is less of an issue for dstore since the entire connection can be secured using SSL.

I believe the TCF agent also supports SSL. Running an agent with the cmd line parameter "-sSSL:" and connecting to it with the URL of "SSL:<ip addr>:<port>" should result in an SSL connection instead of TCP.