remctl

Small deeds done are better than great deeds planned.

Peter Marshall

Description

remctl (the client) and remctld (the server) implement a client/server protocol for running single commands on a remote host using Kerberos v5 authentication and returning the output. They use a very simple GSS-API-authenticated network protocol, combined with server-side ACL support and a server configuration file that maps remctl commands to programs that should be run when that command is called by an authorized user. remctld is very similar to a CGI server that uses a different network protocol than HTTP and always does strong authentication before executing the desired command.
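The server-side flow described above (authenticate, look up the command, check the ACL, then run the mapped program), sketched as an added example that is not part of remctl or its documentation. The configuration layout, principal names, program paths and function names are assumptions made for the illustration, not remctl's configuration syntax, and the principal is taken as already authenticated by GSS-API.

```python
from typing import List, NamedTuple, Optional

# Constructed sample. This layout is an assumption of the example,
# not the remctl configuration file format.
SAMPLE_CONFIG = """\
# command  subcommand  program                      allowed principals
accounts   create      /usr/local/sbin/acct-create  admin@EXAMPLE.ORG,ops@EXAMPLE.ORG
accounts   show        /usr/local/bin/acct-show     admin@EXAMPLE.ORG,helpdesk@EXAMPLE.ORG
"""


class Rule(NamedTuple):
    command: str
    subcommand: str
    program: str
    acl: frozenset


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed four-column layout into rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        command, subcommand, program, principals = fields
        if not program.startswith("/"):
            raise ValueError(f"line {lineno}: program must be an absolute path")
        rules.append(Rule(command, subcommand, program,
                          frozenset(principals.split(","))))
    return rules


def resolve(rules: List[Rule], principal: str,
            request: List[str]) -> Optional[List[str]]:
    """Return the argv to execute for this principal, or None to refuse."""
    if len(request) < 2:
        return None
    command, subcommand, *args = request
    for rule in rules:
        if (rule.command, rule.subcommand) == (command, subcommand):
            if principal not in rule.acl:
                return None
            # The program comes only from the server's map. Client arguments
            # stay separate argv elements and are never passed through a shell.
            return [rule.program, subcommand, *args]
    return None  # default deny: commands with no rule are refused
```

The client never names the program to run; it can only select an entry the server administrator has configured and that its principal is listed for.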

There are a lot of different client/server systems that do something similar, including regular rsh, CGI, IBM's sysctl (not to be confused with the Linux kernel call and configuration file of the same name), CERN's arc, and more elaborate systems like MIT's Moira. remctl has the advantage over many of these schemes of using GSS-API and being about as simple as it possibly can be while still being useful. It doesn't require any particular programming language, builds self-contained binaries, and uses as minimal a protocol as possible.

remctl was written by Anton Ushakov, originally as a replacement for IBM's sysctl, a client/server application with Kerberos v4 authentication that allowed the client to run Tcl code on the server, protected by ACLs. At Stanford, we used sysctl extensively, but mostly only to run external programs. I've redone the protocol and extended it significantly, and currently maintain it.

Requirements

The remctld server and the standard client are written in C and require a C compiler to build. They compile against either MIT Kerberos or Heimdal (only tested with MIT Kerberos 1.3 and later and Heimdal 0.6 and later). remctl will also build against the Kerberos GSS-API implementation shipped with AIX 5.2.

To build the remctl client for Windows, the Microsoft Windows SDK for Windows Vista and the MIT Kerberos for Windows SDK are required, along with a Microsoft Windows build environment (probably Visual Studio). remctl has only been tested with the 3.2.1 MIT Kerberos for Windows SDK. To run the resulting binary, MIT Kerberos for Windows must be installed and configured. The client has been tested on Windows XP and Vista and should work on Windows 2000 and up. The server is not supported on Windows.

To build the Perl bindings for the C client library, you will need Perl 5.6.0 or later. To run the full test suite for the Perl bindings, the Perl modules Test::More and Test::Pod must be installed (and installing Test::Pod also enables checks of the main remctl documentation). Test::More comes with Perl 5.8 and later. Test::Pod currently must be installed separately, but the POD tests will be skipped without interfering with the rest of the test suite if it's not installed.

A Java client and server are also available in the java subdirectory. This client and server have not received as much testing and depend on contributions from others who want to use Java.

If you change the Automake files and need to regenerate Makefile.in, you will need Automake 1.10 or later. If you change configure.ac or any of the m4 files it includes and need to regenerate configure or config.h.in, you will need Autoconf 2.61 or later.

License

The remctl package as a whole is released under the following license:

Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008 Board of Trustees, Leland Stanford Jr. University. All rights reserved. Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stanford University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Stanford University makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.

THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the remctl source distribution.

Download

The distribution:

remctl 2.12, 2008-04-05 (download and PGP signature)

Debian packages are available from Debian in unstable, the etch release, and the sarge release. For etch and later, install remctl-server for the server and remctl-client for the client. The sarge release only had a single remctl package that contained both. The Net::Remctl Perl module is currently available only from Debian unstable and testing (install libnet-remctl-perl).

I cannot provide Windows client builds, but you may be able to find binaries and other information at Matthew Loar's remctl page.

Last modified and spun 2008-04-05