[37331] in Kerberos


remctl 3.10 released

daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Nov 27 18:49:57 2015

From: Russ Allbery <eagle@eyrie.org>
To: kerberos@mit.edu
Date: Fri, 27 Nov 2015 15:49:28 -0800
Message-ID: <87a8pzngtz.fsf@hope.eyrie.org>

I'm pleased to announce release 3.10 of remctl.

remctl is a client/server application that supports remote execution of
specific commands, using Kerberos GSS-API for authentication.
Authorization is controlled by a configuration file and ACL files and can
be set separately for each command, unlike with rsh.  remctl is like a
Kerberos-authenticated simple CGI server, or a combination of Kerberos rsh
and sudo without most of the features and complexity of either.

Changes from previous release:

    Two new remctld ACLs are supported: anyuser:auth and
    anyuser:anonymous.  The first is equivalent to ANYUSER, and indeed
    ANYUSER is now treated as a backwards-compatibility alias for
    anyuser:auth.  This permits any authenticated user in either the local
    realm or any realm with which there is cross-realm trust.  The new
    anyuser:anonymous ACL permits absolutely any user, even
    unauthenticated users, allowing anyone with network access to the
    server to run the command.  (Note, however, that actually running
    commands anonymously requires anonymous PKINIT and anonymous service
    tickets be enabled for the local Kerberos realm.  These are not common
    configurations, particularly the second.)

    The remctld server now sets the REMOTE_EXPIRES environment variable to
    the time (in seconds since UNIX epoch) when the authenticated session
    used to run a command will expire.  This will generally be the
    expiration time of the Kerberos ticket used to authenticate to the
    server.

    Anonymous authentication (such as via anonymous PKINIT) no longer
    satisfies ANYUSER ACLs.  It's unlikely that existing installations
    would have encountered anonymous authentication, since obtaining
    service tickets with anonymous PKINIT is disabled by default.

    Simplify the Python RemctlError exception class.  The code in the
    exception class just duplicated the behavior of the parent Exception
    class and was unnecessary, and it interfered with pickling the
    exception.  This means that RemctlError exceptions, and any derived
    from RemctlError, will no longer have a value attribute.  To get this
    information, use the string value of the exception object, or call the
    error() method on the remctl object.  Thanks to Andrew Deason for the
    report.

    Previous versions always passed the flags to disable certain warnings
    to the language binding builds, even if warnings weren't otherwise
    enabled.  As of remctl 3.9, that included a warning flag not supported
    by old versions of gcc, breaking builds on RHEL 5.  Instead, only pass
    the warning suppression flags when building with warnings (via make
    warnings), which is not the default and is only supported with recent
    versions of gcc.  Thanks to Ken Dreyer for the report.

    For the localgroup ACL scheme, dynamically resize the buffer passed to
    getgrnam_r if the call fails due to ERANGE.  Users in large numbers of
    local groups may require more space than the buffer size returned by
    the sysconf call.  Patch from Hugh Cole-Baker.

    Fix test suite portability to systems with older versions of Kerberos
    that didn't have krb5_get_init_creds_opt_alloc, such as the included
    Kerberos in Solaris 10.

    Update to rra-c-util 5.8:

    * Add missing va_end to xasprintf implementation.
    * Fix Perl test suite framework for new Automake relative paths.
    * Avoid $() in the probe for systemd support for Solaris portability.
    * Prefer libsystemd to libsystemd-daemon if it is available.
    * Improve portability to Kerberos included in Solaris 10.
    * Use appropriate warning flags with Clang (currently not warning clean).
    * Check for integer overflow in vector_join.
    * Avoid strlcpy in more of the portability code.
    * Fix hidden visibility of some utility functions.
    * Improve portability of socket error codes to Windows.

    Update to C TAP Harness 3.4:

    * Fix segfault in runtests with an empty test list.
    * Display verbose test results with -v or C_TAP_VERBOSE.
    * Support comments and blank lines in test lists.

You can download it from:

    <http://www.eyrie.org/~eagle/software/remctl/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Debian packages have been uploaded to Debian unstable.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
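
Added example, not part of the original announcement and not remctl code: one way a command run by remctld could validate the REMOTE_EXPIRES variable described above before starting work. The function name, the status enum and the 300-second minimum are assumptions made for illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

enum expiry { EXPIRY_OK, EXPIRY_MISSING, EXPIRY_INVALID, EXPIRY_TOO_SHORT };

/* Validate a REMOTE_EXPIRES value (seconds since the UNIX epoch) and report
 * in *left how many seconds of the authenticated session remain at `now`.
 * `needed` is the hypothetical minimum lifetime the command wants. */
enum expiry check_session(const char *value, time_t now, long needed,
                          long *left)
{
    char *end;
    long long expires, diff;

    *left = 0;
    if (value == NULL || *value == '\0')
        return EXPIRY_MISSING;      /* e.g. a remctld older than 3.10 */
    errno = 0;
    expires = strtoll(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0' || expires < 0)
        return EXPIRY_INVALID;      /* not a clean non-negative integer */
    diff = expires - (long long) now;
    if (diff <= 0)
        return EXPIRY_TOO_SHORT;    /* session has already expired */
    *left = diff > LONG_MAX ? LONG_MAX : (long) diff;
    return *left >= needed ? EXPIRY_OK : EXPIRY_TOO_SHORT;
}

int main(void)
{
    long left;
    enum expiry e = check_session(getenv("REMOTE_EXPIRES"), time(NULL), 300,
                                  &left);

    if (e != EXPIRY_OK) {
        fprintf(stderr, "refusing to start: status %d, %ld s left\n", e, left);
        return 1;
    }
    printf("session valid for another %ld seconds\n", left);
    return 0;
}
```
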
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
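
Added example, not part of the original announcement and not the remctl patch itself: a sketch of the retry pattern the localgroup item describes, where the buffer handed to getgrnam_r is grown whenever the call fails with ERANGE. The names lookup_group, grnam_fn and stub_getgrnam_r, the group "ops" and the size cap are assumptions; the stub stands in for getgrnam_r so the behaviour is reproducible, and the real getgrnam_r can be passed as fn.

```c
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <string.h>

/* Same signature as getgrnam_r, so the constructed stub below can replace it. */
typedef int (*grnam_fn)(const char *, struct group *, char *, size_t,
                        struct group **);

/* Returns the malloc'd buffer that *grp points into, or NULL with *err set to
 * 0 (no such group) or an errno value.  Doubles len on ERANGE, up to max. */
char *lookup_group(grnam_fn fn, const char *name, size_t len, size_t max,
                   struct group *grp, int *err)
{
    struct group *result = NULL;
    char *buf = NULL, *tmp;
    len = len ? len : 64;           /* a zero size could never grow */
    while ((tmp = realloc(buf, len)) != NULL) {
        buf = tmp;
        *err = fn(name, grp, buf, len, &result);
        if (*err == ERANGE && len <= max / 2)
            len *= 2;               /* buffer too small: grow and retry */
        else if (*err == 0 && result != NULL)
            return buf;             /* found; caller frees the buffer */
        else
            break;                  /* hard error, cap reached, or no group */
    }
    if (tmp == NULL)
        *err = ENOMEM;
    free(buf);
    return NULL;
}

/* Constructed stub: group "ops" needs a buffer of at least 300 bytes. */
int stub_calls;
int stub_getgrnam_r(const char *name, struct group *grp, char *buf,
                    size_t len, struct group **result)
{
    stub_calls++;
    *result = NULL;
    if (strcmp(name, "ops") != 0)
        return 0;                   /* unknown group: 0 with NULL result */
    if (len < 300)
        return ERANGE;
    memset(grp, 0, sizeof(*grp));
    grp->gr_name = strcpy(buf, "ops");
    grp->gr_gid = 1234;
    *result = grp;
    return 0;
}
```

Starting from 64 bytes the stub is called with 64, 128, 256 and 512 bytes before it succeeds; with max set to 256 the lookup stops and reports ERANGE instead of growing without bound.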
