remctld - The LCFG remctld component
This documentation refers to lcfg-remctld version 0.0.8
remctl is a program that allows a user to execute commands remotely on a server that is running the remctld daemon. remctl does not interpret the commands given to it; it passes them to the server and displays the return message. The commands must be defined on the server side before a remctl client can execute them, and the user running remctl must be authorized to execute the particular command on the server.
Access to remote commands is authenticated via Kerberos v5 GSS-API, so a user must have a ticket granting ticket to use remctl. All transmissions to and from the remctld server are encrypted using GSS-API’s security layer.
This component configures the remctld daemon. It assumes that remctld is being run from (x)inetd, and as such makes no attempt to stop or start the service.
A list of space-separated types (command-groups) available.
For example, types might contain "accounts printing".
A list of space-separated services (sub-commands) available within the specified type (command-group). The sub-command is passed as an argument to the executable command for that service.
For example, if "accounts" is a specified type, services_accounts might contain "create delete view passwd".
The keyword "ALL" can be used to invoke the same executable for all sub-commands (services) within a command-group (type).
For example, if services_printing contains "ALL", exec_printing_ALL might contain /usr/local/bin/printthing and aclfile_printing_ALL might contain /etc/acl/group2, so that any sub-command from the command-group "printing" would use the same executable and ACL file.
The absolute pathname to the executable command to be run for this type and service combination. For example, exec_accounts_create might contain /usr/local/bin/doaccount.
Mask this positional parameter when logging. For example, logmask_accounts_passwd might contain "3".
This is a boolean value which is used to control whether the command is accessible by all authenticated users. If this resource is true then any aclfile and allow resources associated with the same type and service combination are ignored. You can combine this with deny resources to block access to specific users. The default setting is false. See the notes on the ANYUSER ACL in remctld(8) for more information.
The paths for one or more access control files. If the path is not absolute then it is assumed that it refers to a file stored within the directory named in the acldir resource.
For example, aclfile_accounts_create may contain "/etc/acl/group1 /etc/acl/group2".
A list of principals which are authorized to execute this command.
A list of principals which are specifically not permitted to execute this command.
A list of ACL groups for which ACL files will be generated. The generated files are stored in the directory named in the acldir resource.
The list of member principals in the group. It is possible to deny access to specific principals by prefixing a principal with the "deny:" string.
The location of the directory into which any generated ACL files will be stored.
This is a basic example which creates an ACL file with entries for two users.
!remctld.aclgroups mADD(foo)
remctld.aclmembers_foo fred@EXAMPLE.ORG barney@EXAMPLE.ORG
This sets up an echo service which just repeats back whatever you send.
!remctld.types mADD(echo)
remctld.services_echo ALL
remctld.exec_echo_ALL /bin/echo
remctld.aclfile_echo_ALL foo
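An added example (not part of the lcfg-remctld component): a Python check over a flat set of these resources, applying the rules stated above for exec paths, acldir resolution and the all-authenticated-users boolean. The resource names allow_<type>_<service>, deny_<type>_<service> and anyuser_<type>_<service>, the acldir value and the sample data are assumptions made for illustration.

```python
import posixpath
def audit(res):
    """Check a flat dict of remctld resources; return (resolved, findings)."""
    acldir = res.get("acldir", "")
    groups = set(res.get("aclgroups", "").split())
    resolved, findings = {}, []
    for t in res.get("types", "").split():
        for s in res.get(f"services_{t}", "").split():
            key = f"{t}_{s}"
            exe = res.get(f"exec_{key}", "")
            if not posixpath.isabs(exe):
                findings.append(f"{key}: exec is not an absolute path: {exe!r}")
            files = []
            for f in res.get(f"aclfile_{key}", "").split():
                if not posixpath.isabs(f):  # relative paths live under acldir
                    if f not in groups:
                        findings.append(f"{key}: {f!r} is not in aclgroups, so no file is generated for it")
                    f = posixpath.join(acldir, f)
                files.append(f)
            allow = res.get(f"allow_{key}", "").split()  # assumed resource name
            deny = res.get(f"deny_{key}", "").split()    # assumed resource name
            if res.get(f"anyuser_{key}", "false") == "true":  # assumed name
                if files or allow:
                    findings.append(f"{key}: aclfile/allow are ignored because anyuser is true")
                findings.append(f"{key}: open to every authenticated principal")
                files, allow = [], []
            elif not files and not allow:
                findings.append(f"{key}: no aclfile or allow resource is set")
            resolved[key] = {"exec": exe, "aclfiles": files, "allow": allow, "deny": deny}
    return resolved, findings

# Constructed sample: the echo service from this page plus two loose entries.
SAMPLE = {
    "acldir": "/etc/remctl/acl",  # constructed value
    "aclgroups": "foo",
    "types": "echo accounts",
    "services_echo": "ALL",
    "exec_echo_ALL": "/bin/echo",
    "aclfile_echo_ALL": "foo",
    "services_accounts": "view passwd",
    "exec_accounts_view": "bin/doaccount",
    "aclfile_accounts_view": "staff",
    "anyuser_accounts_view": "true",
    "exec_accounts_passwd": "/usr/local/bin/doaccount",
    "deny_accounts_passwd": "barney@EXAMPLE.ORG",
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)[1]))
```

The echo service produces no findings; the two constructed accounts entries produce five between them.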
See remctld(8) for a more detailed description of the configuration possibilities.
See remctl(1) for details on client usage.
The current version of remctl is available from its web page at http://www.eyrie.org/~eagle/software/remctl/.
This is the list of platforms on which we have tested this software. We expect this software to work on any Unix-like platform which is supported by Perl.
ScientificLinux5
Current author: Stephen Quinney <squinney@inf.ed.ac.uk>
This work is based on previous implementations by other people:
Roger Burroughes <roger@inf.ed.ac.uk> (original implementation)
Simon Wilkinson <simon@sxw.org.uk> (perl implementation)
Copyright (C) 2009 University of Edinburgh. All rights reserved.
This library is free software; you can redistribute it and/or modify it under the terms of the GPL, version 2 or later.