remctl

Small deeds done are better than great deeds planned.

Peter Marshall

Description

remctl is a client/server application that supports remote execution of specific commands, using Kerberos GSS-API for authentication and confidentiality. Which commands a given user can execute is controlled by a configuration file and ACL files and can be easily tightly limited, unlike with rsh. The mapping of command to backend program is done by the configuration file, which allows some additional flexibility compared to ssh command restrictions and works with Kerberos authentications rather than being limited to public key authentications.

remctld is very similar to a CGI server that uses a different network protocol than HTTP, always does strong authentication before executing the desired command, and guarantees the data is encrypted on the network. Alternately, you can think of it as a very simple combination of Kerberos rsh and sudo, without most of the features of both but with simpler authorization.

There are a lot of different client/server systems that do something similar, including regular rsh, CGI, IBM's sysctl (not to be confused with the Linux kernel call and configuration file of the same name), CERN's arc, and more elaborate systems like MIT's Moira. remctl has the advantage over many of these schemes of using GSS-API and being about as simple as it possibly can be while still being useful. It doesn't require any particular programming language, builds self-contained binaries, and uses as minimal of a protocol as possible.

Both C and Java clients and servers are provided, as well as Perl, PHP, Python, and Ruby bindings for the C client library.

remctl was originally written by Anton Ushakov as a replacement for IBM's sysctl, a client/server application with Kerberos v4 authentication that allowed the client to run Tcl code on the server, protected by ACLs. At Stanford, we used sysctl extensively, but mostly only to run external programs, so remctl was developed as a kerberos v5 equivalent that did only the portions we needed.

Requirements

The remctld server and the standard client are written in C and require a C compiler to build. Both will build with either MIT Kerberos or Heimdal (only tested with MIT Kerberos 1.3 and later and Heimdal 0.6 and later). remctl will also build against the Kerberos GSS-API implementation shipped with AIX 5.2 and the Solaris 10 generic GSS-API library.

The remctl server will support regex ACLs if the system supports the POSIX regex API. The remctl server also optionally supports PCRE regular expressions in ACLs. To include that support, the PCRE library is required.

To build the remctl client for Windows, the Microsoft Windows SDK for Windows Vista and the MIT Kerberos for Windows SDK are required, along with a Microsoft Windows build environment (probably Visual Studio). remctl has only been tested with the 3.2.1 MIT Kerberos for Windows SDK. To run the resulting binary, MIT Kerberos for Windows must be installed and configured. The client has been tested on Windows XP and Vista and should work on Windows 2000 and up. The server is not supported on Windows.

To build the Perl bindings for the C client library, you will need Perl 5.8 or later. To build the PHP bindings for the C client library, you will need PHP 5.x (only tested with 5.2 and 5.3) and phpize, plus any other programs that phpize requires. To build the Python bindings for the C client library, you will need Python 2.3 or later (primarily tested with Python 2.5 and later). To build the Ruby bindings for the C client library, you will need Ruby 1.8 or later. None of the language bindings have been tested on Windows.

A Java client and server are also available in the java subdirectory, but they are not integrated into the normal build or built by default. There is a basic Makefile in that directory that may require some tweaking. It currently requires the Sun Java JDK (1.4.2, 5, or 6) or OpenJDK 6 or later. A considerably better Java implementation is currently under development.

Download

The distribution:

remctl 3.9 2014-07-03 tar.gz (PGP signature) tar.xz (PGP signature)

An archive of older releases is also available.

Debian packages are available from Debian as of Debian 3.1 (sarge). For Debian 4.0 (etch) and later, install remctl-server for the server and remctl-client for the client. The sarge release had a single remctl package that contained both.

The Net::Remctl Perl module is available in Debian 5.0 (lenny) and newer; install libnet-remctl-perl for it. The PHP bindings (php5-remctl), Python bindings (python-remctl), and Ruby bindings (ruby-remctl) are available in Debian 6.0 (squeeze) and newer. The Ruby bindings package is called libremctl-ruby for Debian versions before 7.0 (wheezy).

RPMs for Red Hat Enterprise Linux are available from the Stanford RPM repository. Look under the stanford-EL* repositories.

I cannot provide Windows client builds, but the remctl source comes with Windows build files and should hopefully build with a Windows Kerberos SDK.

For those using Puppet, there is a Puppet module available for installing the remctl server and managing server configurations. This was written and is maintained by the IN2P3 Computing Centre; see that page for more information.

remctl is maintained using the Git version control system. To check out the current development tree, clone:

    git://git.eyrie.org/kerberos/remctl.git

You can also browse the current development source.

Documentation

User documentation:

Developer documentation:

API documentation:

License

The remctl package as a whole is released under the following license:

Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 The Board of Trustees of the Leland Stanford Junior University

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the remctl source distribution.

Last modified and spun 2014-10-19