I'm pleased to announce release 3.12 of remctl. remctl is a client/server application that supports remote execution of specific commands, using Kerberos GSS-API for authentication. Authorization is controlled by a configuration file and ACL files and can be set separately for each command, unlike with rsh. remctl is like a Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh and sudo without most of the features and complexity of either.

Changes from previous release:

    Add a new server implementation, remctl-shell. This does not use the remctl protocol; instead, it is meant to be run via ssh by being configured as the shell of a dedicated user. It interprets a command it was given as a remctl command, using the same configuration and authorization checking as the normal remctl server. This can be useful to introduce remctl into an environment that has ssh public key authentication instead of Kerberos. remctl-shell has some significant limitations inherited from ssh and requires some setup to use. See its manual page for more information.

    Add a new configuration option, sudo, which tells remctld and remctl-shell to run the command as a different user using sudo. The path to the sudo binary is determined when remctld is compiled. Normally, it's more convenient to use the existing user option, but it relies on remctld running as root. If running the daemon as a non-root user, or when running remctl-shell as a non-root user, this option may work better.

Note that remctl-shell is currently a bit of a science experiment, and there are some remaining things I want to tweak about it, so its behavior may change a bit in a subsequent release. But I figured I'd put it out there for people to play with.

You can download it from:

    <http://www.eyrie.org/~eagle/software/remctl/>

This package is maintained using Git; see the instructions on the above page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed in the TODO file.

-- 
Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos