remctl 2.13 released
Russ Allbery
rra at stanford.edu
Fri Nov 14 22:20:18 EST 2008
I'm pleased to announce release 2.13 of remctl.

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos v5 GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh. remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.

Changes from previous release:

    Add support for ACL methods in the remctld server. The supported
    schemes in this release are file and princ, which together provide the
    same functionality as earlier releases, plus deny to explicitly reject
    a user who matches another ACL and support for the CMU GPUT
    authorization system. There is now a framework in place for adding
    new ACL methods in the future. This work was contributed by Jeffrey
    Hutzelman.

    When processing the include of a directory for configuration files or
    ACL files, limit the files read to those whose names contain only
    characters in [a-zA-Z0-9_-]. This replaces the previous exclusion of
    files containing periods and also excludes Emacs backup and temporary
    files. Thanks, Timothy G. Abbott.

    Add a PHP remctl PECL module from Andrew Mortensen, enabled with
    --enable-php at configure time. These bindings are only tested with
    PHP 5.

    Add Python bindings from Thomas L. Kula, enabled with --enable-python
    at configure time. These bindings are tested with Python 2.5 but
    should work with versions back to 2.3.

    Include all *.class files in the JAR file built by java/Makefile,
    making the resulting JAR actually useful. Thanks, Marcus Watts.

    Add an ant build configuration for the Java remctl implementation.
    It also has the capability to generate a distribution of just the Java
    implementation using a file layout more similar to an Apache Jakarta
    project than the layout of the java subdirectory.

    Several Windows fixes from Matthew Loar, plus really include
    portable/winsock.c in the distribution. This version should now build
    and run on Windows.

    With --with-gssapi, attempt to determine if the library directory is
    lib32 or lib64 instead of lib and set LDFLAGS accordingly. Based on
    an idea from the CMU Autoconf macros.

    Add --with-gssapi-include and --with-gssapi-lib options to set the
    include and library paths separately if needed.

    Restore GSS-API portability checks for old versions of MIT Kerberos
    accidentally dropped in the previous release.

    Provide a proper bool type when built with Sun Studio 12 on Solaris
    10. Thanks, Jeffrey Hutzelman.

    Sanity-check the results of krb5-config before proceeding and error
    out in configure if they don't work.

    Fix Autoconf syntax error when probing for libkrb5support. Thanks,
    Mike Garrison.

    Create the docs directory in the build tree if it's missing, fixing a
    build failure when builddir != srcdir. Thanks, Jeffrey Hutzelman.

    In standalone mode, close the main server socket immediately in the
    child handler processes. Since the socket was already marked close on
    exec, this probably only matters for consistent test suite results,
    ensuring that the port is released immediately, but it's more correct.

You can download it from:

    <http://www.eyrie.org/~eagle/software/remctl/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian experimental to not interfere
with the upcoming lenny release. I expect them to take some time to be
approved through the NEW queue.

Please let me know of any problems or feature requests not already listed
in the TODO file.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
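
The directory-include rule from the changelog above (only names made entirely of [a-zA-Z0-9_-] are read), sketched as an added example; this is not remctl's own code, and the function names and the sample listing are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Explicit allowlist for [a-zA-Z0-9_-].  Matching against a fixed set
   avoids isalnum(), whose result depends on the process locale. */
static const char ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789_-";

/* Hypothetical helper: 1 if every character of name is allowed, else 0.
   Empty and NULL names are rejected. */
int include_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    return name[strspn(name, ALLOWED)] == '\0';
}

/* Hypothetical helper: copy accepted names into out (capacity >= n)
   and return how many were kept. */
size_t filter_include_names(const char *const *names, size_t n,
                            const char **out)
{
    size_t i, kept = 0;

    for (i = 0; i < n; i++)
        if (include_name_ok(names[i]))
            out[kept++] = names[i];
    return kept;
}

/* Constructed directory listing: three intended ACL files, Emacs backup
   and temporary files, package-manager leftovers, and dot entries. */
static const char *const SAMPLE[] = {
    "acl-admins", "ops_team", "backup2",
    "acl-admins~", "#acl-admins#", ".#acl-admins",
    "acl.rpmsave", "acl.dpkg-old", "README.txt", ".", ".."
};
#define SAMPLE_LEN (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

int main(void)
{
    const char *kept[SAMPLE_LEN];
    size_t i, n = filter_include_names(SAMPLE, SAMPLE_LEN, kept);

    for (i = 0; i < n; i++)
        printf("would read: %s\n", kept[i]);
    return 0;
}
```

Under this rule a file with an extension, such as admins.acl, is skipped as well, so ACL files dropped into an included directory need extension-free names to take effect.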