remctl 3.12 released

Russ Allbery eagle at eyrie.org
Fri Jul 29 17:14:16 EDT 2016


I'm pleased to announce release 3.12 of remctl.

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh.  remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.

Changes from previous release:

    Add a new server implementation, remctl-shell.  This does not use the
    remctl protocol; instead, it is meant to be run via ssh by being
    configured as the shell of a dedicated user.  It interprets a command
    it was given as a remctl command, using the same configuration and
    authorization checking as the normal remctl server.  This can be
    useful to introduce remctl into an environment that has ssh public key
    authentication instead of Kerberos.  remctl-shell has some significant
    limitations inherited from ssh and requires some setup to use.  See
    its manual page for more information.

    Add a new configuration option, sudo, which tells remctld and
    remctl-shell to run the command as a different user using sudo.  The
    path to the sudo binary is determined when remctld is compiled.
    Normally, it's more convenient to use the existing user option, but it
    relies on remctld running as root.  If running the daemon as a
    non-root user, or when running remctl-shell as a non-root user, this
    option may work better.

Note that remctl-shell is currently a bit of a science experiment, and
there are some remaining things I want to tweak about it, so its behavior
may change a bit in a subsequent release.  But I figured I'd put it out
there for people to play with.

You can download it from:

    <http://www.eyrie.org/~eagle/software/remctl/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

