remctl 3.2 released
Russ Allbery
rra at stanford.edu
Wed Jun 20 00:35:52 EDT 2012
I'm pleased to announce release 3.2 of remctl.

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos v5 GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh. remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.

Changes from previous release:

Add new summary option to the remctld configuration. If remctld
receives a command of "help" with no arguments and no command by that
name has been defined, the server will look through the configuration
for any command with a summary option set, a subcommand of ALL, and
which the user would have been allowed to run. If any such commands
are found, the server will run each with the subcommand specified by
the summary option, sending the results to the user. This allows
display of a command summary to the user based on which commands that
user is authorized to run. Written by Jon Robertson.

Add new help option to the remctld configuration. If remctld receives
a command of "help" with either one or two arguments and no command by
that name has been defined, it takes the arguments to the command as a
command and subcommand and checks for an entry in the configuration
file that matches. If such an entry is found, the help option is set
for that command, and the user is authorized to run it, remctld runs
the command, passing the value of the help option as the subcommand
and the arguments to help as additional arguments. This permits a
standard interface to get additional help for a particular remctl
command. Written by Jon Robertson.

remctld now always closes the client connection after low-level errors
reading or sending tokens. Previously, it would attempt to continue
after some socket or GSS-API errors, which may have caused hanging
remctld processes in some circumstances.

Fix remctld segfault when the configuration does not define any
commands. Thanks to Andrew Mortensen for the report.

Fix GSS-API header probes when configure was told to build with a
specific GSS-API library in a non-default path. Previously, configure
still used the compiler to probe for the correct header names, which
could pick up incorrect headers from the default include path. Thanks
to Jeffrey Hutzelman for the suggested solution.

Solaris can return ECONNRESET instead of EPIPE on write when the other
end of the network connection closes it. Handle that error properly
in the remctld server. Patch from Jeffrey Hutzelman.

Fix multiple portability issues in the test suite on Solaris and old
versions of Heimdal. Thanks to Jeffrey Hutzelman for the series of
patches.

Update to rra-c-util 4.5:

* Pass --deps to krb5-config in the non-reduced-dependencies case.
* Silence __attribute__ warnings on more compilers.

Update to C TAP Harness 1.12:

* Only use feature-test macros when requested or built with gcc -ansi.
* Drop is_double from the C TAP library to avoid requiring -lm.
* Avoid using local in the shell libtap.sh library.
* Silence __attribute__ warnings on more compilers.

You can download it from:

<http://www.eyrie.org/~eagle/software/remctl/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
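
The "help" fallback described in the summary and help option entries above, modelled in Python as an added example that is not part of the original announcement and is not remctld's code. The rule tuples, the set-based ACL, first-match-wins, the paths and the principals are assumptions made for illustration; the point shown is that both paths are filtered by the caller's authorization, so help output does not reveal commands the user cannot run.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    command: str
    subcommand: str    # "ALL" matches any subcommand
    program: str
    options: dict      # parsed option=value pairs, e.g. {"help": "--help"}
    acl: frozenset     # simplified ACL: principals allowed to run the rule

def resolve_help(rules, user, args):
    """Return argv lists to run for "help", or None if "help" is configured."""
    if any(r.command == "help" for r in rules):
        return None    # a real "help" command exists: normal dispatch applies
    if not args:
        # Summary: ALL rules with summary= set that this user may run.
        return [[r.program, r.options["summary"]] for r in rules
                if r.subcommand == "ALL" and "summary" in r.options
                and user in r.acl]
    if len(args) > 2:
        return []
    command, subcommand = args[0], (args[1] if len(args) == 2 else None)
    for r in rules:
        if r.command == command and r.subcommand in ("ALL", subcommand):
            # Assumption: the first matching rule decides. Nothing is run
            # for an unauthorized user or for a rule without help=.
            if "help" in r.options and user in r.acl:
                # Assumption: only the requested subcommand follows the
                # help value as an additional argument.
                return [[r.program, r.options["help"], *args[1:]]]
            return []
    return []

# Constructed sample configuration (hypothetical paths and principals).
RULES = [
    Rule("accounts", "ALL", "/usr/local/bin/doaccount",
         {"help": "--help", "summary": "--summary"},
         frozenset({"alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG"})),
    Rule("backup", "ALL", "/usr/local/sbin/backup-ctl",
         {"summary": "summary"}, frozenset({"bob@EXAMPLE.ORG"})),
    Rule("printing", "status", "/usr/local/bin/lpstat-wrap",
         {"help": "usage"}, frozenset({"alice@EXAMPLE.ORG"})),
]

if __name__ == "__main__":
    for who in ("alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG", "mallory@EXAMPLE.ORG"):
        print(who, resolve_help(RULES, who, []))
```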