remctl is a client/server application that supports remote execution of
specific commands, using Kerberos GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh. remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.
Changes from previous release:
Add a new server implementation, remctl-shell. This does not use the
remctl protocol; instead, it is meant to be run via ssh by being
configured as the shell of a dedicated user. It interprets a command
it was given as a remctl command, using the same configuration and
authorization checking as the normal remctl server. This can be
useful to introduce remctl into an environment that has ssh public key
authentication instead of Kerberos. remctl-shell has some significant
limitations inherited from ssh and requires some setup to use. See
its manual page for more information.
Add a new configuration option, sudo, which tells remctld and
remctl-shell to run the command as a different user using sudo. The
path to the sudo binary is determined when remctld is compiled.
Normally, it's more convenient to use the existing user option, but it
relies on remctld running as root. If running the daemon as a
non-root user, or when running remctl-shell as a non-root user, this
option may work better.
Note that remctl-shell is currently a bit of a science experiment, and
there are some remaining things I want to tweak about it, so its behavior
may change a bit in a subsequent release. But I figured I'd put it out
there for people to play with.