Some Eclipse Foundation services are deprecated, or will be soon. Please ensure you've read this important communication.
Bug 364859 - RFE: add kerberos support to rseserver
Summary: RFE: add kerberos support to rseserver
Status: NEW
Alias: None
Product: Target Management
Classification: Tools
Component: RSE (show other bugs)
Version: 3.3.1   Edit
Hardware: All Linux
: P3 normal (vote)
Target Milestone: ---   Edit
Assignee: dsdp.tm.rse-inbox CLA
QA Contact: Martin Oberhuber CLA
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-25 12:22 EST by Jeff Johnston CLA
Modified: 2012-03-25 00:04 EDT (History)
2 users (show)

See Also:


Attachments
Proposed patch to auth.pl to support Kerberos (2.02 KB, patch)
2011-11-25 15:20 EST, Jeff Johnston CLA
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jeff Johnston CLA 2011-11-25 12:22:28 EST
The current version of the linux rseserver does not support kerberos.  It uses getpwnam to get the current crypted version of the user's password, but this does not work in the kerberos case.  I would like to propose a patch that uses Authen::pam to do the authorization.  This requires the perl-Authen-pam module to be installed.
Comment 1 Jeff Johnston CLA 2011-11-25 15:20:17 EST
Created attachment 207556 [details]
Proposed patch to auth.pl to support Kerberos

Proposed patch
Comment 2 David McKnight CLA 2011-11-29 10:03:19 EST
Martin, it would be nice to get this patch in but I don't think we should be outright replacing the existing auth.pl since the new one brings in dependencies that may not be around by default.  Perhaps the new auth.pl could be included as auth.kerberos.pl and then we could have a readme instructing users to replace auth.pl in appropriate circumstances.  Any thoughts on this?
Comment 3 Martin Oberhuber CLA 2011-11-29 14:41:53 EST
I like the idea of an auth.kerberos.pl -- supposedly in a Kerberos host environment the admin who installs rseserver needs to read the docs anyways so why not require special setup.

It would be nice to have if in an "update" scenario an updated rseserver could be deployed without having to think about the config again, any ideas how to do this?

Jeff, does the proposal sound acceptable to you too ?
Comment 4 Jeff Johnston CLA 2011-11-29 15:05:14 EST
(In reply to comment #3)
> I like the idea of an auth.kerberos.pl -- supposedly in a Kerberos host
> environment the admin who installs rseserver needs to read the docs anyways so
> why not require special setup.
> 
> It would be nice to have if in an "update" scenario an updated rseserver could
> be deployed without having to think about the config again, any ideas how to do
> this?
> 
> Jeff, does the proposal sound acceptable to you too ?

That would be fine.  Can someone point me to the rseserver source code?  I am going to add rseserver to the eclipse-rse Fedora package.  For Fedora, I can require Authen pam be installed so it is no problem making it the default auth.pl.
Comment 5 David McKnight CLA 2011-11-30 12:33:46 EST
(In reply to comment #4)
> (In reply to comment #3)
> > I like the idea of an auth.kerberos.pl -- supposedly in a Kerberos host
> > environment the admin who installs rseserver needs to read the docs anyways so
> > why not require special setup.
> > 
> > It would be nice to have if in an "update" scenario an updated rseserver could
> > be deployed without having to think about the config again, any ideas how to do
> > this?
> > 
> > Jeff, does the proposal sound acceptable to you too ?
> 
> That would be fine.  Can someone point me to the rseserver source code?  I am
> going to add rseserver to the eclipse-rse Fedora package.  For Fedora, I can
> require Authen pam be installed so it is no problem making it the default
> auth.pl.


The scripts for the server are located in following plugin:
org.eclipse.rse.services.dstore

You'll find them in the serverruntime directory.
Comment 6 Tom Ives CLA 2012-03-24 17:24:52 EDT
(In reply to comment #5)
> (In reply to comment #4)
> > (In reply to comment #3)
> > > I like the idea of an auth.kerberos.pl -- supposedly in a Kerberos host
> > > environment the admin who installs rseserver needs to read the docs anyways so
> > > why not require special setup.
> > > 
> > > It would be nice to have if in an "update" scenario an updated rseserver could
> > > be deployed without having to think about the config again, any ideas how to do
> > > this?
> > > 
> > > Jeff, does the proposal sound acceptable to you too ?
> > 
> > That would be fine.  Can someone point me to the rseserver source code?  I am
> > going to add rseserver to the eclipse-rse Fedora package.  For Fedora, I can
> > require Authen pam be installed so it is no problem making it the default
> > auth.pl.
> 
> 
> The scripts for the server are located in following plugin:
> org.eclipse.rse.services.dstore
> 
> You'll find them in the serverruntime directory.
Hi David:

I'd also like to make the changes that Jeff has suggested. Whenever   modifications are made to the auth.pl perl script (i.e. just a print statement) that  is already installed on the server it stops working.  Does something need to be changed in the source code?

thanks
tom
Comment 7 Tom Ives CLA 2012-03-25 00:04:42 EDT
(In reply to comment #6)
> (In reply to comment #5)
> > (In reply to comment #4)
> > > (In reply to comment #3)
> > > > I like the idea of an auth.kerberos.pl -- supposedly in a Kerberos host
> > > > environment the admin who installs rseserver needs to read the docs anyways so
> > > > why not require special setup.
> > > > 
> > > > It would be nice to have if in an "update" scenario an updated rseserver could
> > > > be deployed without having to think about the config again, any ideas how to do
> > > > this?
> > > > 
> > > > Jeff, does the proposal sound acceptable to you too ?
> > > 
> > > That would be fine.  Can someone point me to the rseserver source code?  I am
> > > going to add rseserver to the eclipse-rse Fedora package.  For Fedora, I can
> > > require Authen pam be installed so it is no problem making it the default
> > > auth.pl.
> > 
> > 
> > The scripts for the server are located in following plugin:
> > org.eclipse.rse.services.dstore
> > 
> > You'll find them in the serverruntime directory.
> Hi David:
> I'd also like to make the changes that Jeff has suggested. Whenever  
> modifications are made to the auth.pl perl script (i.e. just a print statement)
> that  is already installed on the server it stops working.  Does something need
> to be changed in the source code?
> thanks
> tom

Hi David:

Never mind the question.

I ended up just applying the patch an installing the Perl Module: Authen::PAM and it works fine.

thanks
tom