remctl 3.17 released

Russ Allbery eagle at
Sun Dec 13 20:24:48 EST 2020

I'm pleased to announce release 3.17 of remctl.  This is a stop-gap bugfix
release that, alas, doesn't address open feature work.

I am considering breaking the remctl distribution into separate releases
for each language binding, saving the remctl release for only the primary
C library, client, and server.  The primary motivation would be to upload
the language bindings to their respective ecosystem repositories so that
they're available to tools like cpanm and pip.  However, this will require
work for the Red Hat packaging and a bit more work when manually
installing.  If this would cause problems for you, let me know.  (It's not
likely to happen all that quickly, since there are some other things I
need to fix first.)

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh.  remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos ssh
and sudo without most of the features and complexity of either.

Changes from previous release:

    Port the PHP extention to PHP 8.  This required declaring the
    arguments to the functions (which should have been done with PHP 7)
    and removing some obsolete constructs.

    Make the Python install_requires dependency on typing conditional on
    Python versions earlier than 3.5 so that setuptools won't attempt to
    download typing when it's part of the standard library.  Thanks to
    Gianfranco Costamagna and Matthias Klose for the bug report.

    Fix the Python module build to more reliably test the newly-built
    module and to enable verbose testing.

    Fix non-Kerberos network tests on hosts with no IPv4 addresses.  In
    this case, the network tests for binding all configured addresses will
    bind only to IPv6, which broke some prior assumptions in the test
    suite.  Thanks to Niko Tyni for the bug report.  Note that the tests
    that require a Kerberos setup will still fail in this scenario, since
    they assume remctld will bind to by default.

    Stop providing a replacement for a broken snprintf and assume the libc
    version works correctly.  This portability code has proven difficult
    to maintain, and was only relevant for ancient proprietary UNIX
    versions that have been obsolete for many years.

    Update to rra-c-util 8.4:

    * Fix reallocarray prototyping on NetBSD.
    * Fix getnameinfo tests on musl-based Linux distributions.
    * Include string.h when probing for getaddrinfo properties.
    * Fix Perl style issues found by Perl::Critic::Freenode.
    * Fix support for configuring the test suite with a krb5.conf file.
    * Fix tests when the system krb5.conf file does not set default_realm.
    * Ignore files in tests/config when checking for license identifiers.
    * Ignore object files when checking for license identifiers.
    * Drop support for Perl 5.6.
    * Reformat all C source using clang-format 10.
    * Remove bogus snprintf tests.

    Update to C TAP Harness 4.7:

    * Fix warning with GCC 10.

You can download it from:


This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (eagle at             <>

More information about the Kerberos mailing list