Net::Remctl(3pm) | User Contributed Perl Documentation | Net::Remctl(3pm) |
Net::Remctl - Perl bindings for remctl (Kerberos remote command execution)
# Simplified form. use Net::Remctl; my $result = remctl("hostname", undef, undef, "test", "echo", "Hi"); if ($result->error) { die "test echo failed with error ", $result->error, "\n"; } else { warn $result->stderr; print $result->stdout; exit $result->status; } # Full interface. use Net::Remctl (); my $remctl = Net::Remctl->new; $remctl->open("hostname") or die "Cannot connect to hostname: ", $remctl->error, "\n"; $remctl->command("test", "echo", "Hi there") or die "Cannot send command: ", $remctl->error, "\n"; my $output; do { $output = $remctl->output; if ($output->type eq 'output') { if ($output->stream == 1) { print $output->data; } elsif ($output->stream == 2) { warn $output->data; } } elsif ($output->type eq 'error') { warn $output->error, "\n"; } elsif ($output->type eq 'status') { exit $output->status; } else { die "Unknown output token from library: ", $output->type, "\n"; } } while ($output->type eq 'output'); $remctl->noop or die "Cannot send NOOP: ", $remctl->error, "\n";
Net::Remctl provides Perl bindings to the libremctl client library. remctl is a protocol for remote command execution using GSS-API authentication. The specific allowable commands must be listed in a configuration file on the remote system and the remote system can map the remctl command names to any local command without exposing that mapping to the client. This module implements a remctl client.
If you want to run a single command on a remote system and get back the output and exit status, you can use the exported remctl() function:
As far as the module is concerned, undef may be passed as PORT and PRINCIPAL and is the same as 0 and the empty string respectively. However, Perl will warn about passing undef explicitly as a function argument.
The return value is a Net::Remctl::Result object which supports the following methods:
Each call to remctl() will open a new connection to the remote host and close it after retrieving the results of the command. To maintain a persistent connection, use the full interface described below.
The full remctl library interface requires that the user do more bookkeeping, but it provides more flexibility and allows one to issue multiple commands on the same persistent connection (provided that the remote server supports protocol version two; if not, the library will transparently fall back to opening a new connection for each command).
To use the full interface, first create a Net::Remctl object with new() and then connect() to a remote server. Then, issue a command() and call output() to retrieve output tokens (as Net::Remctl::Output objects) until a status token is received. Destroying the Net::Remctl object will close the connection.
Methods below are annotated with the version at which they were added. Note that this is the version of the remctl distribution, which only matches the Net::Remctl module version in 3.05 and later. Earlier versions of the module used an independent versioning system that is not documented here, and versions earlier than 3.05 are therefore not suitable for use with "use".
The supported object methods are:
If the remctl client library was built against a Kerberos library and the GSS-API library supported gss_krb5_import_cred, this call affects only this Net::Remctl object. Otherwise, this will affect not only all subsequent open() calls for the same object, but all subsequent remctl connections of any kind from the same process, and even other GSS-API connections from the same process unrelated to remctl.
Not all GSS-API implementations support setting the credential cache. If this is not supported, false will be returned.
The timeout is a timeout on network activity from the server, not on a complete operation. So, for example, a timeout of ten seconds just requires that the server send some data every ten seconds. If the server sends only tiny amounts of data at a time, the complete operation could take much longer than ten seconds without triggering the timeout.
As far as the module is concerned, undef may be passed as PORT and PRINCIPAL and is the same as 0 and the empty string respectively. However, Perl will warn about passing undef explicitly as a function argument.
The NOOP message requires protocol version 3 support in the server, so the caller should be prepared for this function to fail, indicating that the connection could not be kept alive and possibly that it was closed by the server. In this case, the client will need to explicitly reopen the connection with open().
Note that, due to internal implementation details in the library, the Net::Remctl::Output object returned by output() will be invalidated by the next call to command() or output() or by destroying the producing Net::Remctl object. Therefore, any data in the output token should be processed and stored if needed before making any further Net::Remctl method calls on the same object.
The main object methods are annotated above with the version in which that interface was added. All unannotated methods have been present since the first release of the module.
Support for the gss_krb5_import_cred method of isolating the changed ticket cache to only this remctl client object was added in version 3.5.
The default port was changed to the IANA-registered port of 4373 in version 2.11.
This module was first released with version 2.8.
If the principal argument to remctl() or remctl_open() is NULL, most GSS-API libraries will canonicalize the host using DNS before deriving the principal name from it. This means that when connecting to a remctl server via a CNAME, remctl() and remctl_open() will normally authenticate using a principal based on the canonical name of the host instead of the specified host parameter. This behavior may cause problems if two consecutive DNS lookups of host may return two different results, such as with some DNS-based load-balancing systems.
The canonicalization behavior is controlled by the GSS-API library; with the MIT Kerberos GSS-API library, canonicalization can be disabled by setting "rdns" to false in the [libdefaults] section of krb5.conf. It can also be disabled by passing an explicit Kerberos principal name via the principal argument, which will then be used without changes. If canonicalization is desired, the caller may wish to canonicalize host before calling remctl() or remctl_open() to avoid problems with multiple DNS calls returning different results.
The default behavior, when the port is not specified, of trying 4373 and falling back to 4444 will be removed in a future version of this module in favor of using the "remctl" service in /etc/services if set and then falling back on only 4373. 4444 was the poorly-chosen original remctl port and should be phased out.
The remctl port number, 4373, was derived by tracing the diagonals of a QWERTY keyboard up from the letters "remc" to the number row.
Russ Allbery <eagle@eyrie.org>
Copyright 2020 Russ Allbery <eagle@eyrie.org>
Copyright 2007-2008, 2011-2014 The Board of Trustees of the Leland Stanford Junior University
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
The current version of this module is available from its web page at <https://www.eyrie.org/~eagle/software/remctl/>.
2020-12-13 | perl v5.32.0 |