I'm pleased to announce release 2.7 of remctl.

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos v5 GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh. remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.

Changes from previous release:

In remctld, consider the command complete once the child process
exits. Do not wait for its standard output and error to be closed,
since the child process may have spawned a long-running daemon that
doesn't clean up its file descriptors properly.

When the command-line remctl client canonicalizes the name of the
server host to get the right principal, it then needs to connect to
the canonical hostname. Otherwise, DNS schemes that return a
different answer each time one asks for a given host may cause remctl
to connect to a different host than the canonical name used for the
principal, resulting in authentication failure.

Fixed a subtle bookkeeping error when sending commands larger than the
maximum token size that would have resulted in malformed tokens for
boundary cases of argument lengths.

Fixed memory and file descriptor leaks in remctld that only become
apparent when the server runs many commands before exiting.

Various minor fixes so that make warnings and make check work on a
Solaris 8 system without IPv6 configured.

Use a portability wrapper around the GSS-API header to avoid repeating
the same portability code in every file.

You can download it from:

Debian packages will be uploaded to Debian unstable after the etch
release. In the meantime, I've uploaded packages to my personal
repository. See for
more information.

Please let me know of any problems or feature requests not already listed
in the TODO file.

Russ Allbery (rra@stanford.edu)
Kerberos mailing list Kerberos@mit.edu