remctl 3.2 released

Russ Allbery rra at
Wed Jun 20 00:35:52 EDT 2012

I'm pleased to announce release 3.2 of remctl.

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos v5 GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh.  remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.

Changes from previous release:

    Add new summary option to the remctld configuration.  If remctld
    receives a command of "help" with no arguments and no command by that
    name has been defined, the server will look through the configuration
    for any command with a summary option set, a subcommand of ALL, and
    which the user would have been allowed to run.  If any such commands
    are found, the server will run each with the subcommand specified by
    the summary option, sending the results to the user.  This allows
    display of a command summary to the user based on which commands that
    user is authorized to run.  Written by Jon Robertson.

    Add new help option to the remctld configuration.  If remctld receives
    a command of "help" with either one or two arguments and no command by
    that name has been defined, it takes the arguments to the command as a
    command and subcommand and checks for an entry in the configuration
    file that matches.  If such an entry is found, the help option is set
    for that command, and the user is authorized to run it, remctld runs
    the command, passing the value of the help option as the subcommand
    and the arguments to help as additional arguments.  This permits a
    standard interface to get additional help for a particular remctl
    command.  Written by Jon Robertson.

    remctld now always closes the client connection after low-level errors
    reading or sending tokens.  Previously, it would attempt to continue
    after some socket or GSS-API errors, which may have caused hanging
    remctld processes in some circumstances.

    Fix remctld segfault when the configuration does not define any
    commands.  Thanks to Andrew Mortensen for the report.

    Fix GSS-API header probes when configure was told to build with a
    specific GSS-API library in a non-default path.  Previously, configure
    still used the compiler to probe for the correct header names, which
    could pick up incorrect headers from the default include path.  Thanks
    to Jeffrey Hutzelman for the suggested solution.

    Solaris can return ECONNRESET instead of EPIPE on write when the other
    end of the network connection closes it.  Handle that error properly
    in the remctld server.  Patch from Jeffrey Hutzelman.

    Fix multiple portability issues in the test suite on Solaris and old
    versions of Heimdal.  Thanks to Jeffrey Hutzelman for the series of

    Update to rra-c-util 4.5:

    * Pass --deps to krb5-config in the non-reduced-dependencies case.
    * Silence __attribute__ warnings on more compilers.

    Update to C TAP Harness 1.12:

    * Only use feature-test macros when requested or built with gcc -ansi.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell library.
    * Silence __attribute__ warnings on more compilers.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list