remctl allows me to remotely invoke a program (with arguments) and retrieve output (stdout and stderr) of said program, together with its exit status. Program invocation is authenticated and encrypted by GSS-API Kerberos 5.
Using the remctl client program, I might invoke the following command on a client machine, provided I have a valid Kerberos ticket:
and remctld (started on the specified server via inetd or as a daemon) will execute the following command:
if the server’s remctl.conf configuration file contains
There are two magic tokens in the previous configuration line:
ALL stands for all subcommands. remctld supports the notion of subcommands of a command, and I can apply different ACLs to specific subcommands. In this particular case I leave that to the program.
ANYUSER in the ACL specifies that any principal may invoke this particular program/subcommand pair.
I launch remctl via xinetd thusly:
The mywho script supports three “subcommands” (in remctld-speak):
The program is invoked on the server (under remctld’s control) as the user remctld is running as (typically root). Reminiscent of HTTP CGI scripts, it gets these environment variables passed to it:
REMOTE_USER: the Kerberos identity of the caller.
REMOTE_ADDR: the IP address of the client host.
REMOTE_HOST: the name of the client host.
I can configure remctld to allow program invocation for particular principals only, or I can (as in the example above) allow ANY user and use the
to decide whether that principal may use the accounts program.
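To show what such a program-side check looks like, here is an added example of a remctld back-end written in Python. It is not the mywho script from this post: the subcommand names (whoami, where, all), the principals and the policy table are constructed, and it assumes, as remctld does, that the command and subcommand arrive as the first two arguments. Since the remctl.conf line above grants ANYUSER, this table is the only thing standing between a caller and the restricted subcommand, so unknown subcommands and a missing REMOTE_USER are refused rather than passed through.

```python
"""mywho: a small remctld back-end that dispatches subcommands and applies its
own per-principal policy on top of remctld's ACL.  Added example, not the
mywho script from the post; subcommand names and principals are constructed."""
import os
import sys

# Assumption: remctld passes the command and subcommand as the first two
# arguments, so argv looks like ["mywho", "<subcommand>", ...].
COMMAND = "mywho"

# Constructed policy.  Because remctl.conf grants ANYUSER, this table is the
# real access check; "ANYUSER" here mirrors remctld's token for "anyone".
POLICY = {
    "whoami": {"ANYUSER"},            # anyone may ask who they are
    "where":  {"ANYUSER"},            # anyone may see their own client host
    "all":    {"admin@EXAMPLE.ORG"},  # full dump restricted to one principal
}


def principal_allowed(principal, subcommand, policy=POLICY):
    """True if the Kerberos principal may run the subcommand.  Unknown
    subcommands are denied rather than silently accepted."""
    allowed = policy.get(subcommand)
    if allowed is None:
        return False
    return "ANYUSER" in allowed or principal in allowed


def run(argv, env):
    """Handle one invocation.  Returns (exit_status, stdout, stderr) so the
    caller decides how to emit them; remctl relays all three to the client."""
    principal = env.get("REMOTE_USER")
    if not principal:
        # Only remctld sets REMOTE_USER; refuse to decide anything without it.
        return 2, "", "mywho: REMOTE_USER not set, refusing to run outside remctld\n"
    if len(argv) < 2 or argv[0] != COMMAND:
        return 2, "", "usage: mywho {whoami|where|all}\n"
    sub = argv[1]
    if not principal_allowed(principal, sub):
        # Deny before doing any work; stderr ends up in remctld's output log.
        return 1, "", f"mywho: {principal} may not run {sub}\n"
    host = env.get("REMOTE_HOST", "<unknown>")
    addr = env.get("REMOTE_ADDR", "<unknown>")
    if sub == "whoami":
        return 0, f"{principal}\n", ""
    if sub == "where":
        return 0, f"{host} ({addr})\n", ""
    return 0, f"{principal} from {host} ({addr})\n", ""


if __name__ == "__main__":
    status, out, err = run(sys.argv[1:], os.environ)
    sys.stdout.write(out)
    sys.stderr.write(err)
    sys.exit(status)
```

Installed as the program in the ANYUSER line above, the script's exit status, stdout and stderr are exactly what the remctl client sees, so a denied call shows up as a non-zero status with the reason on stderr.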
remctl is like a lightweight rsh or ssh and can be used for a number of purposes, such as
- Monitoring (think: fetch Nagios results)
- Service provisioning; for example, I could securely invoke an on-demand Puppet run on a machine.
- Centralized account creation (cf. kadmin-remctl, a remctl back-end which implements Kerberos account administration with the same functionality as
- Remote system-administration (e.g. reboot)
- Or even just checking for new mail. :)
remctl has bindings for C, Perl, PHP, Java and Python. Here’s a tiny example in C:
When I run this, the output for my principal is: