Small deeds done are better than great deeds planned.
Peter Marshall
remctl (the client) and remctld (the server) implement a client/server protocol for running single commands on a remote host using Kerberos v5 authentication and returning the output. They use a very simple GSS-API-authenticated network protocol, combined with server-side ACL support and a server configuration file that maps remctl commands to programs that should be run when that command is called by an authorized user. remctld is very similar to a CGI server that uses a different network protocol than HTTP and always does strong authentication before executing the desired command.
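A minimal model of the server-side decision described above, added here as an illustration and not taken from remctl's own code. The rule layout, the ALL wildcard as written, the principals and the program paths are constructed and simplified relative to remctld's real configuration file, and authentication is assumed to have already produced the principal.

```python
# Constructed sample rules: command, subcommand, program, permitted principals.
SAMPLE_CONF = """
accounts  create  /usr/local/bin/doaccount   admin@EXAMPLE.ORG
accounts  view    /usr/local/bin/doaccount   admin@EXAMPLE.ORG helpdesk@EXAMPLE.ORG
printing  ALL     /usr/local/bin/printthing  helpdesk@EXAMPLE.ORG  # ALL = any subcommand
"""

def parse_conf(text):
    """Parse the simplified rule format into (command, subcommand, program, acl)."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 4:
            # A rule with no ACL would be ambiguous; refuse to load it.
            raise ValueError(f"line {lineno}: expected command, subcommand, program, ACL")
        if not fields[2].startswith("/"):
            raise ValueError(f"line {lineno}: program must be an absolute path")
        rules.append((fields[0], fields[1], fields[2], frozenset(fields[3:])))
    return rules

def dispatch(rules, principal, request):
    """Return the argv to execute, or raise PermissionError.

    principal is the identity established by authentication, never a
    value taken from the request itself.
    """
    if len(request) < 2:
        raise PermissionError("unknown command")
    command, subcommand, args = request[0], request[1], request[2:]
    for cmd, sub, program, acl in rules:
        if cmd == command and sub in (subcommand, "ALL"):
            if principal not in acl:
                raise PermissionError("access denied")
            # argv list, no shell: client arguments are passed as data only.
            return [program, subcommand, *args]
    # Default deny: anything not mapped in the configuration cannot be run.
    raise PermissionError("unknown command")

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    print(dispatch(rules, "helpdesk@EXAMPLE.ORG", ["accounts", "view", "jdoe"]))
```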
There are a lot of different client/server systems that do something similar, including regular rsh, CGI, IBM's sysctl (not to be confused with the Linux kernel call and configuration file of the same name), CERN's arc, and more elaborate systems like MIT's Moira. remctl has the advantage over many of these schemes of using GSS-API and being about as simple as it possibly can be while still being useful. It doesn't require any particular programming language, builds self-contained binaries, and uses as minimal a protocol as possible.
Both C and Java clients and servers are provided, as well as Perl, PHP, and Python bindings for the C client library.
remctl was written by Anton Ushakov, originally as a replacement for IBM's sysctl, a client/server application with Kerberos v4 authentication that allowed the client to run Tcl code on the server, protected by ACLs. At Stanford, we used sysctl extensively, but mostly only to run external programs. I've redone the protocol and extended it significantly, and currently maintain it.
The remctld server and the standard client are written in C and require a C compiler to build. They compile against either MIT Kerberos or Heimdal (only tested with MIT Kerberos 1.3 and later and Heimdal 0.6 and later). remctl will also build against the Kerberos GSS-API implementation shipped with AIX 5.2.
To build the remctl client for Windows, the Microsoft Windows SDK for Windows Vista and the MIT Kerberos for Windows SDK are required, along with a Microsoft Windows build environment (probably Visual Studio). remctl has only been tested with the 3.2.1 MIT Kerberos for Windows SDK. To run the resulting binary, MIT Kerberos for Windows must be installed and configured. The client has been tested on Windows XP and Vista and should work on Windows 2000 and up. The server is not supported on Windows.
To build the Perl bindings for the C client library, you will need Perl 5.6.0 or later. To run the full test suite for the Perl bindings, the Perl modules Test::More and Test::Pod must be installed (and installing Test::Pod also enables checks of the main remctl documentation). Test::More comes with Perl 5.8 and later. Test::Pod currently must be installed separately. The Perl bindings have not been tested on Windows.
To build the PHP bindings for the C client library, you will need PHP 5.x (only tested with 5.2) and phpize, plus any other programs that phpize requires.
To build the Python bindings for the C client library, you will need Python 2.3 or later (primarily tested with Python 2.5). The Python bindings have not been tested on Windows.
A Java client and server are also available in the java subdirectory. This client and server have not received as much testing and depend on contributions from others who want to use Java. They currently require the Sun Java JDK (1.4.2, 5, or 6).
If you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.10 or later. If you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.61 or later.
The distribution:
| remctl 2.13 | 2008-11-15 | Download | PGP signature |
An archive of older releases is also available.
Debian packages are available from Debian as of Debian 3.1 (sarge). For Debian 4.0 (etch) and later, install remctl-server for the server and remctl-client for the client. The sarge release only had a single remctl package that contained both.
The Net::Remctl Perl module is only available as of Debian 5.0 (lenny); install libnet-remctl-perl for it. The PHP bindings (php5-remctl) and Python bindings (python-remctl) are currently available only from Debian experimental, but will be uploaded to unstable after the lenny release.
I cannot provide Windows client builds, but you may be able to find binaries and other information at Matthew Loar's remctl page.
remctl is maintained using the Git version control system. To check out the current development tree, clone:
git://git.eyrie.org/kerberos/remctl.git
You can also browse the current development source.
The remctl package as a whole is released under the following license:
Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008 Board of Trustees, Leland Stanford Jr. University. All rights reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.
THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the remctl source distribution.