(Connect to a remote remctl server)


#include <remctl.h>

int remctl_open(struct remctl *r, const char *host, unsigned short port, const char *principal);

int remctl_open_addrinfo(struct remctl *r, const char *host, const struct addrinfo *ai, const char *principal);

int remctl_open_sockaddr(struct remctl *r, const char *host, const struct sockaddr *addr, int addrlen, const char *principal);

int remctl_open_fd(struct remctl *r, const char *host, int fd, const char *principal);


remctl_open() opens a TCP connection to the given host on the given port and then authenticates using the remctl protocol and the service principal principal. r is a remctl struct created via remctl_new(). host must not be NULL. If port is 0, the library first attempts to connect to the registered port of 4373 and then tries the legacy port of 4444 if that fails. Future versions of the library will drop this fallback to 4444. If principal is NULL, a service principal of host/host is used, with the realm determined by domain-realm mapping.

remctl_open_addrinfo() operates in the same manner as remctl_open(), but connects to the first usable address in ai, which must be a list of results as returned by getaddrinfo(3). The host is used only to form the default service principal, and may be NULL if principal is not NULL.

remctl_open_sockaddr() is equivalent to remctl_open_addrinfo() with a single addrinfo structure specifying the use of TCP with socket address addr and length addrlen.

remctl_open_fd() operates in the same manner as remctl_open_addrinfo(), but uses an already-established TCP connection identified by the file descriptor fd. On Windows, fd is of type SOCKET and must be a valid socket descriptor.

If no principal is specified and the default is used, the underlying GSS-API library may canonicalize host via DNS before determining the service principal, depending on your library configuration. Specifying a principal disables this behavior.

The remctl protocol uses Kerberos via GSS-API for authentication. The underlying GSS-API library will use the default ticket cache for authentication, so to successfully use remctl_open(), the caller should already have Kerberos tickets for an appropriate realm stored in its default ticket cache. The environment variable KRB5CCNAME or the remctl_set_ccache(3) function can be used to control which ticket cache is used.

To control the timeout for the connect and for subsequent calls, see the remctl_set_timeout(3) function. To control the source IP used by remctl_open(), remctl_open_addrinfo(), and remctl_open_sockaddr(), see the remctl_set_source_ip(3) function.


remctl_open() returns true on success and false on failure. On failure, the caller should call remctl_error() to retrieve the error message.


The remctl_open() interface has been provided by the remctl client library since its initial release in version 2.0. remctl_open_addrinfo(), remctl_open_sockaddr(), and remctl_open_fd() were added in version 3.4.

The default port was changed to the IANA-registered port of 4373 in version 2.11.

Support for IPv6 was added in version 2.4.


If the principal argument to remctl_open() is NULL, most GSS-API libraries will canonicalize the host using DNS before deriving the principal name from it. This means that when connecting to a remctl server via a CNAME, remctl_open() will normally authenticate using a principal based on the canonical name of the host instead of the specified host parameter. This behavior may cause problems if two consecutive DNS lookups of host may return two different results, such as with some DNS-based load-balancing systems.

The canonicalization behavior is controlled by the GSS-API library; with the MIT Kerberos GSS-API library, canonicalization can be disabled by setting rdns to false in the [libdefaults] section of krb5.conf. It can also be disabled by passing an explicit Kerberos principal name via the principal argument, which will then be used without changes. If canonicalization is desired, the caller may wish to canonicalize host before calling remctl_open() to avoid problems with multiple DNS calls returning different results.

The default behavior, when a port of 0 is given, of trying 4373 and falling back to 4444 will be removed in a future version of this library in favor of using the remctl service in /etc/services if set and then falling back on only 4373. 4444 was the poorly-chosen original remctl port and should be phased out.

Connections established using the alternate-open interfaces remctl_open_fd(), remctl_open_addrinfo(), and remctl_open_sockaddr() do not support the automatic connection-reopening which is used to give the illusion of a single long-lived connection when sending multiple commands to a server which supports only version 1 of the remctl protocol. Therefore, when using these interfaces to open a connection to such a server, it will only be possible to send a single command, after which the connection must be closed and reopened before another command can be sent.


The remctl port number, 4373, was derived by tracing the diagonals of a QWERTY keyboard up from the letters remc to the number row.


Russ Allbery <>


Copyright 2007, 2008, 2009, 2014 The Board of Trustees of the Leland Stanford Junior University

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without any warranty.


remctl_new(3), remctl_error(3), remctl_set_ccache(3), remctl_set_source_ip(3), remctl_set_timeout(3)

The current version of the remctl library and complete details of the remctl protocol are available from its web page at <>.

Last modified and spun 2016-10-11