remctl 2.12 released

Russ Allbery rra at
Sat Apr 5 02:00:48 EDT 2008

I'm pleased to announce release 2.12 of remctl.

This release of remctl includes the port and build machinery for a native
Windows client contributed by Matthew Loar.  I also tried to add some
portability code so that socket errors in the client would be reported
properly on Windows.  This release, however, almost certainly won't even
compile on Windows since I do not have a system with which to test.  Those
of you with a Windows development environment and an interest in remctl
working on Windows, please test and let me know what I broke (and ideally
how to fix it).  I'm planning on making another release in short order
(within a month or so) to incorporate contributed PHP and Python bindings,
and I'll try to get the Windows client completely working for that

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos v5 GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh.  remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.

Changes from previous release:

    If no server principal is specified on the remctl command line or in
    the remctl() or remctl_open() C or Perl library interfaces, remctl now
    uses a host-based service name for the server instead of a Kerberos
    principal of host/server.  The practical effect of this is that
    domain-realm mapping rules will be applied rather than assuming the
    server's principal is in the local domain and, for the C and Perl
    library interfaces, server name canonicalization will be done if
    configured in the GSS-API library.  Users of the C or Perl library
    interfaces will find that remctl now authenticates to a principal for
    the host after a forward and reverse DNS lookup instead of the host
    specified in the API call with most GSS-API libraries.  To disable
    this canonicalization behavior, see your GSS-API library
    documentation; setting rdns in [libdefaults] to false works for MIT
    Kerberos.  The remctl command-line client continues to canonicalize
    its host argument always prior to any network connection or GSS-API

    Add documentation of hostname canonicalization and the choice of
    authentication principals to the remctl client, remctl() and
    remctl_open() C API, and Net::Remctl Perl API documentation.

    Fix a place in libremctl where the library would call exit rather than
    returning an error on memory allocation failure.

    Standardize on lowercase first characters in library error strings.

    Include the Windows port of the client done by Matthew Loar.  See
    README for information on requirements and compilation.  Only the
    client shared library and command-line utility are supported or built
    currently.  I cannot easily test this code and probably broke it when
    integrating the patch; please report any problems so that they can be
    fixed in subsequent releases.

    When running the server in standalone mode, set the network file
    descriptors close-on-exec so that they're not inherited by commands
    run by remctl.  Also close the low-numbered file descriptors before
    running a command to catch the replay cache file, which isn't marked
    close-on-exec in older versions of MIT Kerberos.

    When passing a variable set to undef into remctl_open in the Perl API,
    the principal was converted to the empty string.  Adjust Net::Remctl
    to recognize the empty string as an unspecified principal.

    The configure option to specify the path to the GSS-API libraries is
    now --with-gssapi instead of --with-kerberos and the GSS-API probes
    should be more robust.

    Delete the man page symlinks before recreating them so that reinstalls
    work.  Thanks, Nicholas Riley.

    Belatedly bump the libtool versioning for libremctl for the port
    number change in the previous release.  (This is primarily for
    documentation purposes and doesn't change the library SONAME.)

You can download it from:


Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list