| < remctl README | Russ Allbery > Software > remctl | remctl Manual Page > |
This Java remctl implementation was written by Marcus Watts, based somewhat on the original remctl Java implementation by Anton Ushakov. This documentation is based on the documentation provided by Marcus. A client and server are included. Both are entirely independent of the C implementation.
This implementation is not as mature or as well-tested as the C implementation. Any feedback and bug reports are gratefully accepted.
This implementation works with the Sun Java JDK 1.4.2, 5, and 6. It will not build with gcj; it could be ported, but wouldn't be useful until gcj has com.sun.security.auth.module.Krb5LoginModule or an equivalent.
This source tree will build in Eclipse and includes an Eclipse .project and .classpath file.
To use 256-bit AES keys, you will need to get the "Java Cryptography Extension (ECE) Unlimited Strength Jurisdiction Policy Files 6" (filename jce_policy-6.zip), which is available (at least to US residents) from <http://java.sun.com/javase/downloads/index.jsp>.
If your JDK isn't at /usr/lib/jvm/java-6-sun-1.6.0.00, either edit the Makefile to change JDK and then run make, or set the JDK variable on the command line with:
make JDK=/path/to/jdk
Then, create a k5.conf file by copying your /etc/krb5.conf file and then adding these lines to the [libdefaults] section:
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5 permitted_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
MIT Kerberos and Heimdal do not need this configuration and it is wrong for them, but the built-in list for Sun Java is limited.
You can remove the DES enctypes if your realm doesn't support DES. If you are using JDK 6, you can add aes128-cts to the beginning of each list. If you have the jce_policy-6.zip file installed, you can also add aes256-cts to the beginning of each line.
You can now run the client from the JAR file:
java -Djava.security.krb5.conf=k5.conf \
-Djava.security.auth.login.config=j3.conf -jar remctl.jar \
<host> <type> <service> [<parameter> ...]
This connects to the remctld on <host> and sends the command <type> <service> <parameter>. Also look at t5.java for an example of how to use the class in a Java program. You can also run the client from the class files:
java -Djava.security.krb5.conf=k5.conf \
-Djava.security.auth.login.config=j3.conf \
org.eyrie.eagle.remctl.RemctlClient \
<host> <type> <service> [<parameter> ...]
To run the server, create a keytab that the server will use for authentication and revise bcsKeytab.conf to match (you will need to change the principal at least). Then, start the server with:
java -Djavax.security.auth.useSubjectCredsOnly=false \
-Djava.security.auth.login.config=bcsKeytab.conf \
t7 4373 <principal>
This will start the server defined in t7.java, which just returns information about what command it received. 4373 is the port to listen to (4373 is the default value for remctl). Replace <principal> for the principal you created a keytab for.
To run this from Eclipse, select from the Run, Run..., "java application", make an instance for the selected Main Class. Under Arguments, set VM arguments to be those above for "java", and set the program arguments to be everything past the jar file or main class.
| < remctl README | Russ Allbery > Software > remctl | remctl Manual Page > |