5 * Add support for running commands as filters, passing standard input
6 asynchronously from the client. This requires significant
7 re-engineering of the client loop and should wait for better
8 configuration since we don't want to do this with every command. It
9 also introduces out-of-order responses and possible deadlocks to the
10 protocol. docs/protocol-v4 has an initial draft.
12 * Add a capabilities command to the protocol so that the client can
13 retrieve the list of supported commands rather than assuming based on
16 * Support locating remctl services via SRV records, probably
17 _remctl._tcp.<hostname>. This will need linking with a resolver
18 library that allows SRV queries. libresolv and res_search is probably
19 the best approach, since that should be portable to any system.
21 * Modify the server to not allow MESSAGE_COMMAND split in the middle of a
22 length element and require that commands be split in the middle or at
23 the end of argument data.
27 * Add a way of explicitly specifying the null command or subcommand in
28 the remctl configuration annd then permit it rather than returning a
31 * Maximum argument count, maximum data size in MESSAGE_COMMAND, and
32 inactivity timeouts for commands should be configurable parameters of
33 the server rather than hard-coded values.
35 * Support LDAP-based ACLs in addition to file system ACLs.
36 Probably need to support both entitlement and group-based ACLs.
38 * Add support for external ACL checking programs. If the program exits
39 with a zero status, access is granted. If it exits 1, access is not
40 granted but checking continues. If it exits with any other exit
41 status, access is not granted and checking aborts.
43 Ideally, for writing generic ACL checking programs, the program should
44 get the type and service of the remctl command as well as any
45 arguments. However, it would also be good to support passing other
46 arguments into the program as specified in the ACL file.
48 * Sort the files in a directory before processing them so that the order
49 is deterministic. Affects both configuration (earlier entries override
50 later ones) and ACL rules in the presence of deny ACLs.
52 * Add a timeout for commands after which the server kills the command.
54 * The server should call gss_inquire_context to retrieve the mechanism
55 OID and then pass that in to calls to gssapi_error_string rather than
56 hard-coding the Kerberos v5 OID.
58 * Add option to mask all arguments.
60 * Track all the children spawned by remctld in stand-alone mode. On
61 receipt of SIGTERM or SIGINT, send SIGUSR1 to all children. In the
62 children, on receipt of SIGUSR1, exit as soon as the current command in
63 progress (if any) stops running. (SIGTERM or SIGINT directly to a
64 child should kill it outright.)
66 * Support masking the argument following a particular string so that the
67 argument to a particular flag can be masked regardless of its location
70 * Add server support for persistent child processes that the server
71 communicates with over a UNIX domain socket. The best protocol for
72 communication is probably FastCGI, since that will allow the child
73 processes to be written in a wide variety of languages and take
74 advantage of existing libraries. This will probably require a new
75 implementation of the FastCGI server-side protocol.
77 * In long-running remctld processes, check for configuration file changes
78 and reload the configuration automatically.
80 * Consider dropping the client remctl connection when the client's
81 authentication credentials have expired. Otherwise, remctld
82 potentially violates the security properties of the Kerberos protocol
83 by using authenticators beyond their stated lifetime.
85 * Move the core server protocol code into a library so that one can embed
86 a remctl server in other programs.
88 * Clean up the argv generation code for commands in the server.
92 * Implement file upload in the remctl client.
94 * Add readline support to the remctl client for multiple commands to the
95 same server in the same authenticated session.
97 * Add an option that prompts the user, with echo disabled, for a piece of
98 secure data, prompting twice to ensure both times match, and then sends
99 that as the last argument to the command. This would be useful for
100 remctl interfaces to change passwords.
102 * Allow sending the empty command in the command-line client once the
105 * Allow multiple comma-separated hosts to be specified on the command
106 line, resulting in the remctl command being run on each host in turn.
110 * The client should ideally not specify an OID for the authentication
111 mechanism and instead permit GSS-API to negotiate an appropriate
112 mechanism. It should then call gss_inquire_context to retrieve the
113 mechanism OID and then pass that in to calls to gssapi_error_string
114 rather than hard-coding the Kerberos v5 OID.
118 * Incorporate the Go library developed by Thomas Kula.
122 * Add Net::Remctl::Backend support for obtaining a Kerberos ticket from a
123 given keytab file before running a command.
125 * Add Net::Remctl::Backend support for creating a PAG and obtaining AFS
126 tokens before running a command.
128 * Add support for per-command help (possibly extracted from the POD
129 documentation with some additional markup) to implement the help server
134 * Revise for better Python coding style.
136 * Sort out type handling fully and stop being so aggressive about
137 supporting multiple ways to specify the commands, instead just
138 requiring an iterable of str or bytes.
140 * Add enums for streams and protocol error codes.
142 * Add proper mypy stubs to typeshed and to this package.
144 * Move API documentation to proper docstrings and use Sphinx to generate
147 * Fix or drop module version information.
149 * Use a named tuple for the return value of output().
151 * Use a dataclass for RemctlSimpleResult.
153 * Add a Python equivalent to Net::Remctl::Backend.
157 * Revise for better Ruby coding style.
165 * Incorporate the Go bindings for the client library.
169 * Remove the description of the version 1 remctl protocol from the
170 current protocol specification and put it in its own, separate
171 specification document. Most people will no longer care how this
174 * Submit the remctl protocol as an IETF Internet-Draft.
176 * Document conventions for the configuration in the remctld manual.
178 * Rewrite the documentation and protocol specification as a proper manual
179 and format it with Sphinx.
183 * Refactor getopt to be easier to understand and less deeply nested.
187 * Fix tests on a host with only IPv6 addresses. Right now, the test
188 suite assumes remctld will always bind to 127.0.0.1. While fixing this
189 problem, it may be possible to also fix remctld binding to public IP
190 addresses while the test suite runs.
192 * Incorporate a program that can generate a Kerberos ticket cache from a
193 keytab and use that for running the Kerberos tests instead of requiring
194 the user to generate a keytab.
196 * Add tests to ensure that no child processes of the remctld server are
197 still running when the test command finishes for cases like
198 server/timeout or server/invalid where we've previously stranded child
199 processes for long periods.
203 * Integrate the new Java client implementation.
205 * Integrate the Java build into the rest of the build system so that it
206 is enabled using an --enable-java flag similar to the bindings, finds
207 maven and a JAVA_HOME in configure, and does the JAR build in the main
208 Makefile using maven.
210 * Java cannot obtain tickets from a ticket cache created using the
211 k5.conf file included in the java directory using the current MIT
212 Kerberos on Debian. It has to prompt for a password and get tickets
213 itself. Figure out why and fix it.
projects / kerberos / remctl.git / blob