                       User-Visible remctl Changes

remctl 3.14 (2018-03-31)

    SECURITY: Fix use-after-free and double-free when handling the sudo
    option in the remctld and remctl-shell server.  For remctl-shell, this
    will occasionally produce a spurious non-zero exit status for a
    command that succeeded.  For remctld, the normal consequence is a
    server process crash after running a command with the sudo option, but
    it may be possible (albeit difficult) for a streaming client to abuse
    this bug to execute an arbitrary command on the server or corrupt
    server memory.  Thanks, Santosh Ananthakrishnan.  (CVE-2018-0493)

remctl 3.13 (2016-10-10)

    remctl-shell now also supports being run as a forced command from
    authorized_keys (or other methods).  This may be preferable to using
    it as a shell since it doesn't require setting non-standard sshd
    options.

    The summary configuration option is now allowed for commands with
    subcommands other than ALL.  When generating a help summary (done in
    response to the command "help" with no arguments), command lines with
    a subcommand and a summary option will be run with two arguments: the
    value of the summary option and then the subcommand.  This allows
    proper generation of command summaries even for users who only have
    access to a few subcommands of a command.  Patch from Remi Ferrand.

    The build system now supports new REMCTL_PROGRAM_CFLAGS and
    REMCTL_PROGRAM_LDFLAGS variables that can be set at build time to pass
    in additional arguments when compiling and linking programs (like
    remctl and remctld) but not libraries and, more importantly, language
    bindings.  This can be used in distribution builds to pass in -fPIE
    for additional binary hardening.  (CFLAGS and LDFLAGS cannot be used
    since -fPIE breaks the builds of the dynamic modules for languages
    like Perl.)

    Update to rra-c-util 6.1:

    * Correct return-value checks for snprintf.
    * Adjust Test::RRA::Config for new load path behavior in Perl 5.22.2.

remctl 3.12 (2016-07-29)

    Add a new server implementation, remctl-shell.  This does not use the
    remctl protocol; instead, it is meant to be run via ssh by being
    configured as the shell of a dedicated user.  It interprets a command
    it was given as a remctl command, using the same configuration and
    authorization checking as the normal remctl server.  This can be
    useful to introduce remctl into an environment that has ssh public key
    authentication instead of Kerberos.  remctl-shell has some significant
    limitations inherited from ssh and requires some setup to use.  See
    its manual page for more information.

    Add a new configuration option, sudo, which tells remctld and
    remctl-shell to run the command as a different user using sudo.  The
    path to the sudo binary is determined when remctld is compiled.
    Normally, it's more convenient to use the existing user option, but it
    relies on remctld running as root.  If running the daemon as a
    non-root user, or when running remctl-shell as a non-root user, this
    option may work better.

remctl 3.11 (2016-05-07)

    The PHP bindings have been ported to PHP 7, based on work by Nish
    Aravamudan.  The PHP 7 API is sufficiently different that this was
    done by forking the PHP code and creating a new version for PHP 7 and
    later, choosing which extension to compile based on the discovered
    version of PHP.  Currently, there is no functionality difference, but
    the PHP 5 extension should be considered frozen and may not get any
    new features.  It will eventually be removed in a future version of
    remctl when PHP 7 is sufficiently widespread.

    Rename the script to bootstrap from a Git checkout to bootstrap,
    matching the emerging consensus in the Autoconf world.

    Fix numerous portability issues to various versions of Heimdal, thanks
    to multiple patches from Jeffrey Hutzelman.

    Multiple fixes and improvements to the RPM spec file from Jeffrey
    Hutzelman: systemd support, SLES support, add the missing
    libevent-devel dependency, fix the version, and fix an invalid date.

    Update to rra-c-util 6.0:

    * Remove all remaining uses of strlcpy and strlcat.
    * Fix the Perl docs/synopsis.t test to be less UNIX-specific.
    * Make util/network/server-t more robust against missing IPv6.

    Update to C TAP Harness 4.0:

    * Use C_TAP_SOURCE and C_TAP_BUILD instead of SOURCE and BUILD.

remctl 3.10 (2015-11-27)

    Two new remctld ACLs are supported: anyuser:auth and
    anyuser:anonymous.  The first is equivalent to ANYUSER, and indeed
    ANYUSER is now treated as a backwards-compatibility alias for
    anyuser:auth.  This permits any authenticated user in either the local
    realm or any realm with which there is cross-realm trust.  The new
    anyuser:anonymous ACL permits absolutely any user, even
    unauthenticated users, allowing anyone with network access to the
    server to run the command.  (Note, however, that actually running
    commands anonymously requires anonymous PKINIT and anonymous service
    tickets be enabled for the local Kerberos realm.  These are not common
    configurations, particularly the second.)

    The remctld server now sets the REMOTE_EXPIRES environment variable to
    the time (in seconds since UNIX epoch) when the authenticated session
    used to run a command will expire.  This will generally be the
    expiration time of the Kerberos ticket used to authenticate to the
    server.

    Anonymous authentication (such as via anonymous PKINIT) no longer
    satisfies ANYUSER ACLs.  It's unlikely that existing installations
    would have encountered anonymous authentication, since obtaining
    service tickets with anonymous PKINIT is disabled by default.

    Simplify the Python RemctlError exception class.  The code in the
    exception class just duplicated the behavior of the parent Exception
    class and was unnecessary, and it interfered with pickling the
    exception.  This means that RemctlError exceptions, and any derived
    from RemctlError, will no longer have a value attribute.  To get this
    information, use the string value of the exception object, or call the
    error() method on the remctl object.  Thanks to Andrew Deason for the
    report.

    Previous versions always passed the flags to disable certain warnings
    to the language binding builds, even if warnings weren't otherwise
    enabled.  As of remctl 3.9, that included a warning flag not supported
    by old versions of gcc, breaking builds on RHEL 5.  Instead, only pass
    the warning suppression flags when building with warnings (via make
    warnings), which is not the default and is only supported with recent
    versions of gcc.  Thanks to Ken Dreyer for the report.

    For the localgroup ACL scheme, dynamically resize the buffer passed to
    getgrnam_r if the call fails due to ERANGE.  Users in large numbers of
    local groups may require more space than the buffer size returned by
    the sysconf call.  Patch from Hugh Cole-Baker.

    Fix test suite portability to systems with older versions of Kerberos
    that didn't have krb5_get_init_creds_opt_alloc, such as the included
    Kerberos in Solaris 10.

    Update to rra-c-util 5.9:

    * Add missing va_end to xasprintf implementation.
    * Fix Perl test suite framework for new Automake relative paths.
    * Avoid $() in the probe for systemd support for Solaris portability.
    * Prefer libsystemd to libsystemd-daemon if it is available.
    * Improve portability to Kerberos included in Solaris 10.
    * Use appropriate warning flags with Clang (currently not warning clean).
    * Check for integer overflow in vector_join.
    * Avoid strlcpy in more of the portability code.
    * Fix hidden visibility of some utility functions.
    * Improve portability of socket error codes to Windows.

    Update to C TAP Harness 3.4:

    * Fix segfault in runtests with an empty test list.
    * Display verbose test results with -v or C_TAP_VERBOSE.
    * Support comments and blank lines in test lists.

remctl 3.9 (2014-07-02)

    Add a new server ACL type, localgroup, which converts the principal to
    a local username with krb5_aname_to_localname and then checks whether
    it is a member of a given local group.  Based on work by Remi Ferrand.

    Use calloc in preference to calculating a malloc size with
    multiplication everywhere, and reallocarray in preference to
    calculating a realloc size.  In most places this caution was probably
    not necessary, but uniformity is easier to audit and no one will ever
    notice the speed difference between malloc and calloc.  Add explicit
    overflow checks before every remaining malloc call with a calculated
    size.
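
    The following is an added example, not code from remctl or
    rra-c-util, showing the kind of overflow check this entry describes:
    a reallocarray-style wrapper and a string join whose buffer size is
    computed with checked arithmetic.  All function names are
    hypothetical.

```c
/* Added example; every name here is hypothetical, not a remctl API. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Store a * b in *out, or return 0 if the product would wrap around. */
static int
size_mul(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return 0;
    *out = a * b;
    return 1;
}

/* Store a + b in *out, or return 0 if the sum would wrap around. */
static int
size_add(size_t a, size_t b, size_t *out)
{
    if (a > SIZE_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* reallocarray-style resize: fail with ENOMEM instead of allocating the
 * wrapped (too small) size when n * size overflows. */
void *
checked_reallocarray(void *p, size_t n, size_t size)
{
    size_t total;
    if (!size_mul(n, size, &total)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(p, total > 0 ? total : 1);
}

/* Buffer size needed to join count strings of the given lengths with a
 * separator of length seplen, plus the trailing nul.  0 on overflow. */
int
joined_size(const size_t *lengths, size_t count, size_t seplen, size_t *out)
{
    size_t total = 1, seps, i;
    for (i = 0; i < count; i++)
        if (!size_add(total, lengths[i], &total))
            return 0;
    if (count > 1 && (!size_mul(count - 1, seplen, &seps)
                      || !size_add(total, seps, &total)))
        return 0;
    *out = total;
    return 1;
}

/* Join strings with sep into newly allocated memory; NULL on failure. */
char *
join_strings(const char *const *strings, size_t count, const char *sep)
{
    size_t *lengths, total, seplen = strlen(sep), off = 0, i;
    char *out = NULL;

    lengths = checked_reallocarray(NULL, count, sizeof(*lengths));
    if (lengths == NULL)
        return NULL;
    for (i = 0; i < count; i++)
        lengths[i] = strlen(strings[i]);
    if (!joined_size(lengths, count, seplen, &total))
        errno = ENOMEM;
    else
        out = malloc(total);
    for (i = 0; out != NULL && i < count; i++) {
        if (i > 0) {
            memcpy(out + off, sep, seplen);
            off += seplen;
        }
        memcpy(out + off, strings[i], lengths[i]);
        off += lengths[i];
    }
    if (out != NULL)
        out[off] = '\0';
    free(lengths);
    return out;
}

int
main(void)
{
    const char *const words[] = {"remctl", "host", "command"}; /* constructed */
    char *joined = join_strings(words, 3, " ");
    if (joined == NULL)
        return 1;
    puts(joined);
    free(joined);
    return 0;
}
```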

    Fix incorrect handling of interruptions of network writes by signals
    in the server.  Previous versions of remctld did not correctly handle
    EINTR returns from select, read, and write and might abort the
    connection instead of retrying the system call.

    Reset the SIGPIPE signal handler before running a command.  The server
    sets SIGPIPE to SIG_IGN, which meant that, since ignored signals are
    inherited across an exec, the child process would inherit possibly
    surprising SIGPIPE behavior.  Reset the handler to SIG_DFL so that
    commands get default SIGPIPE handling.
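
    The inheritance described above can be observed directly.  This is
    an added example, not remctld source: the parent ignores SIGPIPE as
    a network server does, then runs a constructed /bin/sh script that
    sends itself SIGPIPE, with and without resetting the handler before
    exec.  The function names and the script are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for a backend command: the shell signals itself. */
static const char SCRIPT[] = "kill -s PIPE $$; exit 0";

/* Set the SIGPIPE disposition to SIG_IGN or SIG_DFL. */
static int
set_sigpipe(void (*handler)(int))
{
    struct sigaction sa;

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = handler;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGPIPE, &sa, NULL);
}

/*
 * Ignore SIGPIPE in the parent, then fork and exec the script.  When
 * reset_before_exec is true, the child restores SIG_DFL first.  Returns 1
 * if the child was killed by SIGPIPE, 0 if it exited with status 0 (the
 * signal was ignored), and -1 on any other outcome.
 */
int
child_killed_by_sigpipe(int reset_before_exec)
{
    pid_t pid;
    int status;

    if (set_sigpipe(SIG_IGN) < 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Ignored signals survive exec, so the reset must happen here. */
        if (reset_before_exec && set_sigpipe(SIG_DFL) < 0)
            _exit(126);
        execl("/bin/sh", "sh", "-c", SCRIPT, (char *) NULL);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGPIPE)
        return 1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 0;
    return -1;
}

int
main(void)
{
    printf("inherited SIG_IGN: killed=%d\n", child_killed_by_sigpipe(0));
    printf("reset to SIG_DFL:  killed=%d\n", child_killed_by_sigpipe(1));
    return 0;
}
```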

    Add version and compatibility information to all manual pages.
    Command-line and configuration options, ACL methods, environment
    variables, client library APIs, and other major features are now
    annotated with the version of remctl in which they were added.

    Update to rra-c-util 5.5:

    * Use Lancaster Consensus environment variables to control tests.
    * Work around perltidy bug that leaves behind stray log files.
    * Use calloc or reallocarray for protection against integer overflows.
    * Suppress warnings from Kerberos headers in non-system paths.

    Update to C TAP Harness 3.1:

    * Add breallocarray API for error-checked reallocarray in tests.
    * Check for integer overflow on memory allocations.

remctl 3.8 (2014-01-28)

    The remctld server now uses libevent for the event loop that processes
    output from a command.  This is primarily an internal change to
    improve maintainability, but it does have some noticeable if minor
    benefits: primarily, no need to poll for child process exit every five
    seconds, and therefore faster responsiveness and less resource usage
    in each remctld process.  libevent 1.4.4 or later is now required to
    build remctl.

    Rather than capping the data returned by the server in one
    MESSAGE_OUTPUT token at the rather arbitrary length of 65,000 octets,
    send up to the maximum amount of data permitted by the protocol.  This
    also slightly increases the maximum length of the output returned
    under the version one protocol.

    Fix a minor memory leak in the server when processing help commands.

    Fix a GSS-API context leak in the remctl client when failing to send a
    protocol version one token.

    Use a temporary file and atomic rename when writing the server PID
    file to avoid racing with a process monitor that tries to read the PID
    out of the file before it's written.
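
    One way to write a PID file with a temporary file and atomic rename,
    as an added example that is not remctld's own code.  The function
    names and paths are hypothetical, and the fsync call is an extra
    durability step not mentioned in the entry above.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Write the whole buffer, retrying when interrupted by a signal. */
static int
write_all(int fd, const char *buf, size_t len)
{
    ssize_t n;

    while (len > 0) {
        n = write(fd, buf, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        buf += n;
        len -= (size_t) n;
    }
    return 0;
}

/*
 * Write pid to path so that a reader sees either the old file or the
 * complete new one, never a partial write.  The temporary file is created
 * in the same directory so that rename stays within one file system.
 */
int
write_pid_file(const char *path, pid_t pid)
{
    char tmp[4096], line[32];
    int fd, n, len;

    n = snprintf(tmp, sizeof(tmp), "%s.XXXXXX", path);
    len = snprintf(line, sizeof(line), "%ld\n", (long) pid);
    if (n < 0 || (size_t) n >= sizeof(tmp) || len < 0
        || (size_t) len >= sizeof(line)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0644) < 0 || write_all(fd, line, (size_t) len) < 0
        || fsync(fd) < 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    if (close(fd) < 0 || rename(tmp, path) < 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}

/* The process monitor's side: read the PID back, or -1 on failure. */
long
read_pid_file(const char *path)
{
    FILE *file = fopen(path, "r");
    long pid = -1;

    if (file == NULL)
        return -1;
    if (fscanf(file, "%ld", &pid) != 1)
        pid = -1;
    fclose(file);
    return pid;
}

int
main(void)
{
    char dir[] = "/tmp/pidfile-demo.XXXXXX"; /* constructed location */
    char path[64];

    if (mkdtemp(dir) == NULL)
        return 1;
    snprintf(path, sizeof(path), "%s/remctld.pid", dir);
    if (write_pid_file(path, getpid()) < 0)
        return 1;
    printf("%s contains %ld\n", path, read_pid_file(path));
    return 0;
}
```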

    Update to rra-c-util 5.2:

    * Assume calloc initializes pointers to NULL.
    * Assume free(NULL) is properly ignored.
    * Suppress shell errors from systemd probes without pkg-config.
    * Better logging and shutdown of subprocesses during testing.

    Update to C TAP Harness 3.0:

    * Reopen standard input to /dev/null when running a test list.
    * Don't leak extraneous file descriptors to tests.

remctl 3.7 (2014-01-06)

    Fix a client memory leak when remctl_set_ccache is used with a
    Kerberos library that supports gss_krb5_import_cred.  The credential
    was never freed, leaking memory with each remctl client call, and a
    Kerberos ticket cache struct could also be leaked in some situations.

    Fix Net::Remctl::Backend argument count validation when one of the
    arguments is coming from standard input.  The count of arguments was
    previously not updated properly after splicing in the extra argument.

    Add support for systemd.  If built on a system with systemd installed,
    remctl will install (but not enable) systemd units to start remctld
    via socket activation.  remctld will also notify systemd when its
    initialization is complete if started by systemd with service
    notification enabled.

    Add support for upstart's expect stop daemon synchronization method.
    When starting remctld in stand-alone mode with upstart, pass the new
    -Z option to remctld, and it will raise SIGSTOP when ready to accept
    connections, signaling to upstart that the daemon has fully started.

    Work around a bug in the Module::Build version that comes with RHEL 5
    in passing compiler and linker flags to the Perl module build.

    Net::Remctl and related classes now check that the class argument is
    not undef and croak if it is, rather than dereferencing a NULL
    pointer.  Caught by clang --analyze.

    Update to rra-c-util 5.1:

    * Suppress a dummy symbol in the client library that could leak.
    * Don't attempt to use Kerberos if no Kerberos error APIs were found.
    * Improve error handling in xasprintf and xvasprintf.
    * Check the return status of snprintf and vsnprintf properly.
    * Preserve errno if snprintf fails in vasprintf replacement.
    * Improve error handling of network_bind_* functions.
    * vector_free and cvector_free now can be passed NULL.
    * Abort remctl tests if the PID file already exists.

    Update to C TAP Harness 2.4:

    * Suppress lazy plans and test summaries if the test failed with bail.

remctl 3.6 (2013-08-14)

    If the client specifies a timeout, restart the wait for a nonblocking
    connect when interrupted by a signal.  This can mean that a connect
    can take longer than the timeout if interrupted; hopefully both
    timeouts and catching signals are rare enough that this won't pose a
    serious issue.

    The help output from Net::Remctl::Backend now checks for commands
    whose syntax is excessively long and does not let them influence the
    formatting of the summary.  This keeps commands with a long syntax
    from forcing all the summary output into a skinny column against the
    right margin and allows proper help output for commands with a syntax
    longer than 80 columns.

    Fix compilation problems with Kerberos libraries that don't have
    gss_krb5_import_cred, including Mac OS X and older Red Hat.  Patch
    from Ken Dreyer.

    Fix problems with PCRE detection on platforms that have the library
    but not pcre-config or the pcre.h header file, such as Mac OS X.

    Update to rra-c-util 4.9:

    * Fix GCC warnings of casts that could increase alignment.
    * Add a portable replacement for a missing strndup.

    Update to C TAP Harness 2.2:

    * bail and sysbail now exit with status 255 to match Test::More.

remctl 3.5 (2013-06-28)

    Fix a long-standing race condition in remctld (introduced in remctl
    2.7) that could truncate large backend output if the backend program
    exits immediately after sending that output.  On systems with pipe
    buffers larger than 64KB, remctld could discard some buffered output
    after determining that the child had exited.  remctld now polls for
    and continues to process output from the child until no more is
    immediately available, even after the child has exited.

    If a Kerberos library and gss_krb5_import_cred are available at build
    time, libremctl now uses them to implement remctl_set_ccache to avoid
    affecting global program GSS-API state.  If those requirements are
    met, remctl_set_ccache will only affect the remctl context on which
    it's called.

    The version numbers of the Net::Remctl and Net::Remctl::Backend Perl
    modules now match the versions of the remctl package, but with at
    least two digits for the minor version so that, for example, 3.9
    (which becomes 3.09) and 3.10 will sort properly as numbers.  This
    means that, from Perl's perspective, the version numbers have gone
    backwards in this release relative to earlier 3.0 releases.  This is a
    one-time adjustment to a more reliable versioning scheme.

remctl 3.4 (2013-03-26)

    Add new C APIs for establishing a remctl connection given a sockaddr,
    a list of struct addrinfo, or an already-open socket.  Patch from
    Jeffrey Hutzelman.

    The Perl bindings now include a new module, Net::Remctl::Backend,
    which handles the setup, dispatch, and help output for the recommended
    style for remctl backend scripts written in Perl.  See its
    documentation for more information.

    Following Perl Best Practices, remove prototypes from all Net::Remctl
    functions.  The confusion caused by changing context away from how
    Perl normally works is not worth any diagnostic value.

    The Net::Remctl Perl bindings now require Perl 5.8 or later (instead
    of 5.006 in previous versions) and are now built with Module::Build
    instead of ExtUtils::MakeMaker.  This should be transparent to anyone
    not working with the source code, since Perl 5.8 was released in 2002,
    but Module::Build and ExtUtils::CBuilder are now required to build
    Net::Remctl.  They are included in Perl 5.10 or later and can be
    installed separately for older versions of Perl.

    Return an error if an empty command is passed into remctl_command
    rather than attempting to malloc zero bytes.

    Update to rra-c-util 4.8:

    * Fix probing for Heimdal's libroken to work with older versions.
    * Improve POD and Perl module tests.
    * Cleanly passes clang --analyze.

    Update to C TAP Harness 2.1:

    * runtests now treats the command line as a list of tests by default.
    * The full test executable path can now be passed to runtests -o.
    * Improved harness output for tests with lazy plans.
    * Improved harness output to a terminal for some abort cases.
    * Flush harness output after each test even when not on a terminal.

remctl 3.3 (2012-09-25)

    Fix a file descriptor leak when checking ACL files.  This would cause
    long-running remctld processes to eventually run out of available file
    descriptors.

    Fix some memory leaks when reloading the remctld configuration and
    several memory leaks when closing or reusing client connections in
    libremctl.

    Don't create the remctld PID file until the network socket is bound
    and listening.  This helps init scripts starting the daemon to know
    when startup is complete and the service is available.

    Remove prototypes from the Perl remctl() function.  With prototypes,
    the connection and command information could not be provided via an
    array, since the prototype forces it into scalar context.

    Fix build dependencies for language bindings to work with parallel
    builds and pass CPPFLAGS down to the language binding build systems.

    Update to rra-c-util 4.6:

    * Drop concat from the util library in favor of asprintf.
    * Fail on any error in [bx]asprintf and [bx]vasprintf.

remctl 3.2 (2012-06-19)

    Add new summary option to the remctld configuration.  If remctld
    receives a command of "help" with no arguments and no command by that
    name has been defined, the server will look through the configuration
    for any command with a summary option set, a subcommand of ALL, and
    which the user would have been allowed to run.  If any such commands
    are found, the server will run each with the subcommand specified by
    the summary option, sending the results to the user.  This allows
    display of a command summary to the user based on which commands that
    user is authorized to run.  Written by Jon Robertson.

    Add new help option to the remctld configuration.  If remctld receives
    a command of "help" with either one or two arguments and no command by
    that name has been defined, it takes the arguments to the command as a
    command and subcommand and checks for an entry in the configuration
    file that matches.  If such an entry is found, the help option is set
    for that command, and the user is authorized to run it, remctld runs
    the command, passing the value of the help option as the subcommand
    and the arguments to help as additional arguments.  This permits a
    standard interface to get additional help for a particular remctl
    command.  Written by Jon Robertson.

    remctld now always closes the client connection after low-level errors
    reading or sending tokens.  Previously, it would attempt to continue
    after some socket or GSS-API errors, which may have caused hanging
    remctld processes in some circumstances.

    Fix remctld segfault when the configuration does not define any
    commands.  Thanks to Andrew Mortensen for the report.

    Fix GSS-API header probes when configure was told to build with a
    specific GSS-API library in a non-default path.  Previously, configure
    still used the compiler to probe for the correct header names, which
    could pick up incorrect headers from the default include path.  Thanks
    to Jeffrey Hutzelman for the suggested solution.

    Solaris can return ECONNRESET instead of EPIPE on write when the other
    end of the network connection closes it.  Handle that error properly
    in the remctld server.  Patch from Jeffrey Hutzelman.

    Fix multiple portability issues in the test suite on Solaris and old
    versions of Heimdal.  Thanks to Jeffrey Hutzelman for the series of
    patches.

    Update to rra-c-util 4.5:

    * Pass --deps to krb5-config in the non-reduced-dependencies case.
    * Silence __attribute__ warnings on more compilers.

    Update to C TAP Harness 1.12:

    * Only use feature-test macros when requested or built with gcc -ansi.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell libtap.sh library.
    * Silence __attribute__ warnings on more compilers.

remctl 3.1 (2012-02-29)

    Add new remctl_set_timeout function to the remctl library API and the
    Perl, PHP, Python, and Ruby bindings.  Call this function any time
    after remctl_new to set a network timeout in seconds for all
    subsequent operations.  The client must then receive a reply from the
    server in no more than that number of seconds or will abort whatever
    action is in progress with a timeout error.  The timeout also applies
    to the initial connection if remctl_set_timeout is called before
    remctl_open.

    The remctld server now supports an additional configuration option,
    user, which sets the user as which to run a command.  If this option
    is set for a command configuration, remctld will run the command as
    that user (including their primary and supplemental groups).  The user
    may be specified as either a username or a UID.  Patch from Andrew
    Mortensen.

    The remctld server now imposes a one-hour timeout between messages
    from the client rather than a one-hour limit on the entire session,
    allowing clients to continue to send commands for as long as they stay
    connected and not idle.

    The PHP bindings no longer output a PHP warning if remctl_output
    fails.  This was inconsistent with the other API calls (remctl_open
    and remctl_command can also fail but didn't result in warnings), may
    be expected and handled by the caller, and made testing difficult.

    The internal _remctl.remctl_output function in the Python bindings now
    returns an empty tuple on error instead of a bool.  This change will
    not affect callers that only use the recommended public remctl
    interface.

    Update to rra-c-util 4.2:

    * Fix error reporting for non-blocking connect.
    * Fix network test when short listen queues don't cause timeout.
    * Handle DNS failure in the getaddrinfo test suite.
    * Ensure config.h is included for portable/stdbool.h.
    * Fix compiler warnings when built with -D_FORTIFY_SOURCE=2.
    * Add test wrappers around asprintf and vasprintf.

    Update to C TAP Harness 1.10:

    * Add test_tmpdir and test_tmpdir_free to TAP library.
    * Add bstrndup function to the C TAP library.
    * runtests now frees all allocated resources on exit.

remctl 3.0 (2011-10-31)

    New protocol version 3, which introduces a new NOOP message.  When the
    client sends this message, the server replies with a NOOP message.
    This can be used to keep a persistent remctl connection alive despite
    network session timeouts.  Add new remctl_noop function to the remctl
    library API and the Perl, PHP, Python, and Ruby bindings to send the
    NOOP message and read the response.

    Be more explicit in the protocol about handling of continuation
    commands.  Do not allow any messages from the client after a continued
    command except the continuation of that command or a QUIT message.
    Explicitly document that a QUIT message abandons the partial command.
    Add the new ERROR_UNEXPECTED_MESSAGE error code, used when the client
    sends incorrect messages during a command continuation.

    The server no longer closes the connection after version or error
    replies.  The connection will now stay open until MESSAGE_COMMAND is
    sent without keepalive or MESSAGE_QUIT is sent.

    Add new remctl_set_source_ip function to the remctl library API and
    the Perl, PHP, Python, and Ruby bindings.  Call this function after
    remctl_new and before remctl_open to set the source IP address that
    will be used for subsequent client connections to a remctl server.  For
    the Ruby bindings, this is implemented as the source_ip class variable
    rather than a separate method.

    Add new -b option to the remctl command-line client to specify the
    source IP for client connections.

    Add new remctl_set_ccache function to the remctl library API and the
    Perl, PHP, Python, and Ruby bindings.  Call this function after
    remctl_new and before remctl_open to set the Kerberos credential cache
    that will be used for client authentication, overriding KRB5CCNAME.
    Be aware that this will normally change the default credential cache
    for all other GSS-API operations in this context or thread, not just
    for that remctl object, due to GSS-API limitations.  For the Ruby
    bindings, this is implemented as the ccache class variable rather than
    a separate method.

    In the client, only check the negotiated GSS-API context flags after
    the context has been fully established.  Current versions of Heimdal,
    including the system Kerberos libraries in Mac OS X Lion, only declare
    mutual authentication once the context negotiation is complete.

    Close a client memory leak caused by the GSS-API context not being
    freed by the client in remctl_close.

    When calling remctl_open on an existing struct remctl object, send
    QUIT to the server if a connection is already open.

    remctld can be configured to pass the subcommand on standard input,
    but the documentation said this was not allowed.  Fix the
    documentation to match the implementation.

    Use PATH_KRB5_CONFIG as the environment variable to set the path to
    krb5-config rather than KRB5_CONFIG when running configure, since the
    latter is used by the Kerberos libraries to specify an alternative
    path to krb5.conf.

    Fix the Ruby bindings test suite to test against the newly-built
    libremctl and Ruby module rather than any installed on the system.

    Update to rra-c-util 3.10:

    * Add notices in each file copied from rra-c-util.
    * Prefer gssapi/gssapi.h to gssapi.h.
    * Include strings.h if it exists for strncasecmp on some platforms.
    * getaddrinfo replacement now portable to systems with bad netdb.h.
    * Avoid krb5-config if --with-gssapi-{include,lib} are given.
    * Add Windows implementation of fdflag_nonblocking.
    * The network_connect utility functions now take an optional timeout.
    * Wait longer for remctld to start in remctl tests.
    * Use an atexit handler to clean up after Kerberos tests.
    * Use typedef instead of #define for socklen_t and sig_atomic_t.
    * Stop providing or using INADDR_LOOPBACK for portability reasons.
    * Don't override a user's existing AFS tokens while testing.
    * Fix removal of -I/usr/include from GSS-API CPPFLAGS.
    * Provide ssize_t on platforms without it, such as Windows.
    * Fix vector_join and cvector_join with empty vectors.

    Update to C TAP Harness 1.8:

    * Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
    * Fix runtests to still honor SOURCE and -s without BUILD and -b.

remctl 2.18 (2011-05-31)

    Fix uninitialized variable in the remctld standalone server code that
    could cause all remote connections to fail and add a more complete
    test suite for remote address handling.

remctl 2.17 (2011-05-31)

    Fix construction of the return object for the Python bindings to the
    simple remctl interface.  Patch from Andrew Mortensen.

    The remctld server now supports a -b command-line option specifying
    the local addresses to which to bind.  This option may be given
    multiple times to bind to multiple local addresses.

    When run as a standalone daemon, remctld now binds to both IPv4 and
    IPv6 addresses rather than only IPv4.

    The remctl client library also installs a pkg-config configuration
    file for the use of software that wants to link against it.  Thanks to
    Tollef Fog Heen for the assistance in writing it.

    Remove reference to the defunct messages-die.c source file in the
    Windows build system.

    Fix broken GCC attribute markers causing problems with compilation on
    Windows (and likely any non-GCC compiler).

    Symbol versioning is now enabled on any system using GNU ld, rather
    than only Linux and related platforms, and a Libtool symbol list is
    used as a fallback to prevent leaking symbols with other linkers where
    possible.

    Set the PHP extension test suite to be noninteractive so that the user
    is not prompted to send results to the PHP QA group.

    Skip portable/getaddrinfo test on systems where invalid hostnames
    still resolve.

    Update to rra-c-util 3.5:

    * Check for krb5-config in /usr/kerberos/bin as well as PATH.
    * Avoid configure warnings when building with AIX bundled Kerberos.
    * Initialize sockaddr structs more correctly.
    * Correctly detect Heimdal GSS-API on OpenBSD without libroken.
    * Fix underquoting in m4/socket.m4.
    * Update warning flags for GCC 4.6.1.

    Update to C TAP Harness 1.7:

    * Add tests/HOWTO documenting how to add new tests.
    * More correct handling of system-specific errors in output checking.
    * Ensure correct output ordering in test results.
    * Add -h and a better usage message to tests/runtests.

remctl 2.16 (2010-05-02)

    Add Ruby bindings contributed by Anthony M. Martinez, enabled with
    --enable-ruby at configure time.  These bindings are tested with Ruby
    1.8 and may not work with older versions.  See ruby/README for more
    information.

    remctld now includes support for a PCRE (Perl-compatible regular
    expressions) ACL type if the PCRE library is found at configure time.
    A PCRE ACL matches any user whose identity matches the given
    Perl-compatible regular expression.  Based on work contributed by
    Anton Lundin.

    remctld now includes support for a POSIX regex ACL type if the system
    supports the POSIX regex API.  A regex ACL matches any user whose
    identity matches the given POSIX extended regular expression.  Based
    on work contributed by Anton Lundin.

    remctld now sets the environment variable REMCTL_COMMAND to the
    command (not subcommand or arguments) that causes a program to be
    run.  Thanks, Thomas L. Kula.

    remctld -h now reports the list of supported ACL methods for that
    build of remctld.

    Add an example SMF manifest for the remctld daemon in
    examples/remctld.xml.  Contributed by Peter Eriksson.

    Fix PHP test suite to work with PHP 5.3, which no longer passes
    environment variables down to the running test program.

    Stop passing GCC-specific warning suppression flags into the language
    binding build systems unless the compiler used to build remctl is GCC.
    This still isn't quite right, since the language bindings may use a
    different compiler than the main remctl build, but it should be closer
    than the previous behavior of using GCC flags unconditionally.

    Update to rra-c-util 2.4:

    * Improve network error handling with unknown address domains.
    * Disable xmalloc test except for maintainers.
    * Break util/util.h apart into separate header files.
    * Add additional GCC function attributes to utility libraries.
    * Use AC_TYPE_LONG_LONG_INT instead of AC_CHECK_TYPES([long long]).

    Update to C TAP Harness 1.2:

    * Summarize results at the end of test execution.
    * Add diag and sysdiag functions to the basic TAP library.
    * Clean up data types in the basic C TAP library.
    * Add the GCC nonnull attribute to the TAP library bail functions.

remctl 2.15 (2009-11-29)

    Allow subcommand to be omitted on the remctl command line, which sends
    a command without a subcommand.  This makes available on the command
    line functionality that was already available via the library API.

    Add the special keyword EMPTY for the subcommand field in the remctld
    configuration file, specifying that this line should only match
    commands with no subcommands.

    Allow use of ALL in the command field in the remctld configuration
    file as well as the subcommand field, matching all commands.

    Fix read of uninitialized memory caused by moving one character beyond
    the beginning of the buffer when parsing blank lines in ACL files.

    Use a socket_type typedef rather than int directly to store the file
    descriptors of sockets and, on Windows, typedef that to SOCKET instead
    of int.  Update the function signatures of the network utility
    functions appropriately.  Compare socket_type variables against an
    INVALID_SOCKET define instead of -1.  Fixes portability issues to
    64-bit Windows.  Thanks, Jeffrey Altman.

    For the Windows build, get the current version number from
    configure.ac rather than configure so that the Windows build scripts
    work from a Git checkout.  Link with the correct GSS-API library for
    64-bit Windows builds.  Correct or suppress multiple warnings.
    Thanks, Jeffrey Altman.

    Enable Automake silent rules.  For a quieter build, pass the
    --enable-silent-rules option to configure or build with make V=0.

    Update to rra-c-util 2.1:

    * Revert separation of die into a separate object file.
    * Fall back on manual library probing if krb5-config doesn't work.
    * Don't try to use a non-executable krb5-config for GSS-API probes.
    * Suppress error output from krb5-config GSS-API probes.
    * Prefer KRB5_CONFIG over a path constructed from --with-gssapi.
    * Fix network test suite failures when IPv6 is available but disabled.

remctl 2.14 (2009-05-22)

    The remctld configuration file may now specify that one argument to a
    command is passed on standard input instead of on the command line
    using the stdin= option.  This option allows passing data to commands
    that's too long to fit into a command-line argument or that contains
    nul characters.

    remctld logging of commands or arguments now replaces unprintable
    characters (characters between ASCII 0 and 31 and ASCII 127) with
    periods rather than assuming syslog will cope with them correctly.

    Use command and subcommand as the names for the first two parameters
    to the remctl client and the first two strings in a remctl command
    instead of the unintuitive "type" and "service" terminology borrowed
    from sysctl.  This only changes documentation and some internal
    variable names; no external APIs should be affected.

    Declare message_fatal_cleanup extern in util.h.  Fixes compilation
    problems on Mac OS X and probably elsewhere.

    Diagnose and explicitly reject on the server nul characters in command
    arguments that don't support them rather than truncating the argument
    silently.

    Plug several memory leaks in the remctld server.  (These would have
    little practical effect unless a client stayed connected and issued
    multiple commands.)

    The protocol now permits commands with no arguments.  remctld
    currently doesn't support them, but now returns ERROR_UNKNOWN_COMMAND
    instead of ERROR_BAD_COMMAND when receiving one.

    Add documentation on extending remctl in docs/extending.

    Add initial protocol version three draft in docs/protocol-v3.

    Better check logmask options when parsing the server configuration
    file and report errors instead of silently ignoring them.  Masking the
    command is also no longer supported (it previously worked by
    accident).

    Support building against Solaris 10's native generic GSS-API
    libraries.  Thanks, Peter Eriksson.

    Update to rra-c-util 1.0:

    * Fix open call parameters in daemon portability test.
    * Fix AI_ADDRCONFIG portability on BSD/OS systems.
    * Split die into a separate object to not link it in shared libraries.
    * Don't break if the user clobbers CPPFLAGS at build time.
    * Correctly set -L options with --with-gssapi-lib, not -I.
    * Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
    * Update portable and util test suite for C TAP Harness 1.0.
    * Use native Kerberos instead of forking kinit in test suite.

    Update to C TAP Harness 1.0:

    * Rewrite of all test cases to use the new TAP library support.
    * Much improved and simplified builddir != srcdir test suite support.
    * Support running a single test with tests/runtests -o.
    * Correctly handle completely skipped tests, like client/pod.
    * Better reporting of fatal errors in the test suite.

remctl 2.13 (2008-11-14)

    Add support for ACL methods in the remctld server.  The supported
    schemes in this release are file and princ, which together provide the
    same functionality as earlier releases, plus deny to explicitly reject
    a user who matches another ACL and support for the CMU GPUT
    authorization system.  There is now a framework in place for adding
    new ACL methods in the future.  This work was contributed by Jeffrey
    Hutzelman.

    When processing the include of a directory for configuration files or
    ACL files, limit the files read to those whose names contain only
    characters in [a-zA-Z0-9_-].  This replaces the previous exclusion of
    files containing periods and also excludes Emacs backup and temporary
    files.  Thanks, Timothy G. Abbott.

    Add a PHP remctl PECL module from Andrew Mortensen, enabled with
    --enable-php at configure time.  These bindings are only tested with
    PHP 5.

    Add Python bindings from Thomas L. Kula, enabled with --enable-python
    at configure time.  These bindings are tested with Python 2.5 but
    should work with versions back to 2.3.

    Include all *.class files in the JAR file built by java/Makefile,
    making the resulting JAR actually useful.  Thanks, Marcus Watts.

    Add an ant build configuration for the Java remctl implementation.
    It also has the capability to generate a distribution of just the Java
    implementation using a file layout more similar to an Apache Jakarta
    project than the layout of the java subdirectory.

    Several Windows fixes from Matthew Loar, plus really include
    portable/winsock.c in the distribution.  This version should now build
    and run on Windows.

    With --with-gssapi, attempt to determine if the library directory is
    lib32 or lib64 instead of lib and set LDFLAGS accordingly.  Based on
    an idea from the CMU Autoconf macros.

    Add --with-gssapi-include and --with-gssapi-lib options to set the
    include and library paths separately if needed.

    Restore GSS-API portability checks for old versions of MIT Kerberos
    accidentally dropped in the previous release.

    Provide a proper bool type when built with Sun Studio 12 on Solaris
    10.  Thanks, Jeffrey Hutzelman.

    Sanity-check the results of krb5-config before proceeding and error
    out in configure if they don't work.

    Fix Autoconf syntax error when probing for libkrb5support.  Thanks,
    Mike Garrison.

    Create the docs directory in the build tree if it's missing, fixing a
    build failure when builddir != srcdir.  Thanks, Jeffrey Hutzelman.

    In standalone mode, close the main server socket immediately in the
    child handler processes.  Since the socket was already marked close on
    exec, this probably only matters for consistent test suite results,
    ensuring that the port is released immediately, but it's more correct.

remctl 2.12 (2008-04-04)

    If no server principal is specified on the remctl command line or in
    the remctl() or remctl_open() C or Perl library interfaces, remctl now
    uses a host-based service name for the server instead of a Kerberos
    principal of host/server.  The practical effect of this is that
    domain-realm mapping rules will be applied rather than assuming the
    server's principal is in the local domain and, for the C and Perl
    library interfaces, server name canonicalization will be done if
    configured in the GSS-API library.  Users of the C or Perl library
    interfaces will find that remctl now authenticates to a principal for
    the host after a forward and reverse DNS lookup instead of the host
    specified in the API call with most GSS-API libraries.  To disable
    this canonicalization behavior, see your GSS-API library
    documentation; setting rdns in [libdefaults] to false works for MIT
    Kerberos.  The remctl command-line client continues to canonicalize
    its host argument always prior to any network connection or GSS-API
    calls.

    Add documentation of hostname canonicalization and the choice of
    authentication principals to the remctl client, remctl() and
    remctl_open() C API, and Net::Remctl Perl API documentation.

    Fix a place in libremctl where the library would call exit rather than
    returning an error on memory allocation failure.

    Standardize on lowercase first characters in library error strings.

    Include the Windows port of the client done by Matthew Loar.  See
    README for information on requirements and compilation.  Only the
    client shared library and command-line utility are supported or built
    currently.  I cannot easily test this code and probably broke it when
    integrating the patch; please report any problems so that they can be
    fixed in subsequent releases.

    When running the server in standalone mode, set the network file
    descriptors close-on-exec so that they're not inherited by commands
    run by remctl.  Also close the low-numbered file descriptors before
    running a command to catch the replay cache file, which isn't marked
    close-on-exec in older versions of MIT Kerberos.

    When passing a variable set to undef into remctl_open in the Perl API,
    the principal was converted to the empty string.  Adjust Net::Remctl
    to recognize the empty string as an unspecified principal.

    The configure option to specify the path to the GSS-API libraries is
    now --with-gssapi instead of --with-kerberos and the GSS-API probes
    should be more robust.

    Delete the man page symlinks before recreating them so that reinstalls
    work.  Thanks, Nicholas Riley.

    Belatedly bump the libtool versioning for libremctl for the port
    number change in the previous release.  (This is primarily for
    documentation purposes and doesn't change the library SONAME.)

remctl 2.11 (2007-11-09)

    remctl now has an official port registered with IANA (4373), replacing
    the original, poorly-chosen port of 4444.  The previous port conflicts
    with the krb524 service.  The remctld server and example configuration
    files have been changed to bind to port 4373 by default if no port is
    specified.  The client will attempt to connect to port 4373 first if
    no port is specified and then fall back to trying 4444.  All sites
    running remctl are encouraged to upgrade their clients and then
    migrate their servers to the new port.  Support for the old port
    without explicit configuration will be phased out in a future release.

    Stop using stdout and stderr as structure members, fixing compilation
    problems on AIX, NetBSD, and other platforms.

    Fix (non-exploitable) segfaults in remctld when sent a command with a
    type and no service (not permitted by the command-line client but
    possible with the library API).  Thanks to Marcus Watts for the
    analysis.

    Port to the Kerberos GSS-API implementation shipped with AIX 5.2.
    Thanks to Sandor Sklar for bug reports and testing.

    Improve the configuration file documentation in the remctld man page.
    Document the first-match properties.

remctl 2.10 (2007-08-26)

    Include a rewritten Java client and a Java server implementation, both
    by Marcus Watts.  The rewritten Java client supports protocol version
    two and works with Sun Java 1.4.2, 5, and 6.

    Fix a (non-exploitable) remctld crash when the client sent more
    command arguments than it claimed it was going to send.  Thanks,
    Marcus Watts.  Also added a test with a variety of malformed command
    tokens in an effort to keep bugs like this from going unnoticed in the
    future.

    The remctl client now also requests sequence protection, but the
    client and server do not insist on it or on replay protection since
    Heimdal 0.6 doesn't support replay protection.  This has been
    documented in the protocol specification as well.

    remctld when running in stand-alone mode now removes the PID file (if
    any) and exits cleanly after receiving SIGINT or SIGTERM.  Based on a
    patch by Marcus Watts.

    remctld when running in stand-alone mode now re-reads its
    configuration file after receiving a SIGHUP.

    Don't self-destruct after an hour in stand-alone mode, fixing a bug
    introduced in 2.8.

    The libremctl client library now uses symbol versioning on Linux.

    Allow port and principal to be omitted in calls to Net::Remctl::open,
    matching the documentation.  Thanks, Marcus Watts.

    Include a dummy symbol in libportable so that it always contains at
    least one object.  Fixes compilation problems on Mac OS X 10.4 and
    Solaris 10.

    Fix builds outside the source directory by creating the docs directory
    properly, based on a patch by Marcus Watts.  Also fix make clean and
    the POD tests when run outside the source directory.

    Change the Net::Remctl documentation for remctl() to suggest 0 and the
    empty string as default values for port and principal, since this
    avoids Perl warnings.

    Check for the MIT Kerberos GSS-API library first in reduced dependency
    mode for improved reproducibility of the Debian build.

remctl 2.9 (2007-06-29)

    Fix remctl client library crashes due to an uninitialized variable
    when the network connection fails.

    Added complete C API documentation (as section 3 manual pages) for the
    libremctl library.

    Fix several inaccuracies in the Net::Remctl API documentation.
    Thanks, Alf Wachsmann.

    Pass DESTDIR to the Perl module installation as well.  Thanks, Darren
    Patterson.

remctl 2.8 (2007-06-27)

    Add a Net::Remctl Perl module, optionally compiled (and enabled with
    the --enable-perl configure flag), that provides native Perl bindings
    to the libremctl client library.

    Fix various null pointer dereferences in the simplified remctl client
    library call when the server returns an error.

    When running in stand-alone mode, remctld now forks a new child for
    each incoming connection and can therefore handle multiple
    simultaneous connections.  This makes stand-alone mode useful for more
    than just testing.  Also, remctld now backgrounds itself by default in
    stand-alone mode; disable this with the -F flag.  Based on a patch by
    Andrew Mortensen.

    Add a new -k flag to remctld to tell it to use a non-default keytab.
    Thanks, Andrew Mortensen.

    Default to port 4444 in the library if a port of 0 is passed in, and
    (following the documentation) default to host/<hostname> if a NULL
    principal is passed in.

    remctld now exits properly when it can't parse its configuration file
    rather than proceeding with a null configuration.

    Fix problems with the parameter types for GSS-API memory freeing
    functions in some error cases.

    In the test suite, fix the kinit flags for MIT Kerberos 1.6.

remctl 2.7 (2007-03-25)

    In remctld, consider the command complete once the child process
    exits.  Do not wait for its standard output and error to be closed,
    since the child process may have spawned a long-running daemon that
    doesn't clean up its file descriptors properly.

    When the command-line remctl client canonicalizes the name of the
    server host to get the right principal, it then needs to connect to
    the canonical hostname.  Otherwise, DNS schemes that return a
    different answer each time one asks for a given host may cause remctl
    to connect to a different host than the canonical name used for the
    principal, resulting in authentication failure.

    Fixed a subtle bookkeeping error when sending commands larger than the
    maximum token size that would have resulted in malformed tokens for
    boundary cases of argument lengths.

    Fixed memory and file descriptor leaks in remctld that only become
    apparent when the server runs many commands before exiting.

    Various minor fixes so that make warnings and make check work on a
    Solaris 8 system without IPv6 configured.

    Use a portability wrapper around the GSS-API header to avoid repeating
    the same portability code in every file.

remctl 2.6 (2007-02-03)

    SECURITY: If an ACL listed for a command didn't exist, the
    authorization check was treated as a success instead of a failure.
    This had, embarrassingly, apparently been broken since at least 2.0.
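
    A constructed instance of this bug class beside a fail-closed check,
    added here as an example; it is not remctld's code.  The in-memory ACL
    store, paths, principals, and function names are hypothetical, and
    denying the whole request on a missing ACL is this example's choice.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum acl_result { ACL_MISSING = -1, ACL_NOMATCH = 0, ACL_MATCH = 1 };

/* Constructed stand-in for ACL files on disk (hypothetical paths). */
struct acl_file {
    const char *path;
    const char *principals[3];
};
static const struct acl_file acl_store[] = {
    { "/etc/remctl/acl/admins", { "alice@EXAMPLE.ORG", NULL } },
    { "/etc/remctl/acl/ops", { "bob@EXAMPLE.ORG", "carol@EXAMPLE.ORG", NULL } },
};

/* ACL lists as they might appear on a configuration line. */
static const char *const acl_admins[] = { "/etc/remctl/acl/admins" };
static const char *const acl_typo[] = { "/etc/remctl/acl/admin" };
static const char *const acl_mixed[] = {
    "/etc/remctl/acl/admin", "/etc/remctl/acl/admins"
};

/* Check one ACL file; a file that does not exist is reported distinctly. */
static enum acl_result
acl_check_file(const char *path, const char *user)
{
    size_t i, j;

    for (i = 0; i < sizeof(acl_store) / sizeof(acl_store[0]); i++) {
        if (strcmp(acl_store[i].path, path) != 0)
            continue;
        for (j = 0; acl_store[i].principals[j] != NULL; j++)
            if (strcmp(acl_store[i].principals[j], user) == 0)
                return ACL_MATCH;
        return ACL_NOMATCH;
    }
    return ACL_MISSING;
}

/* Bug class: the tri-state result is used as a boolean, so ACL_MISSING
   (-1) is truthy and a nonexistent ACL authorizes everyone. */
int
authorize_fail_open(const char *user, const char *const *acls, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (acl_check_file(acls[i], user))
            return 1;
    return 0;
}

/* Fail closed: only an explicit match grants access, and any missing ACL
   denies the request so that a configuration error is never a grant. */
int
authorize_fail_closed(const char *user, const char *const *acls, size_t n)
{
    size_t i;
    int granted = 0;

    for (i = 0; i < n; i++) {
        enum acl_result result = acl_check_file(acls[i], user);

        if (result == ACL_MISSING)
            return 0;
        if (result == ACL_MATCH)
            granted = 1;
    }
    return granted;
}

int
main(void)
{
    const char *user = "mallory@EXAMPLE.ORG";

    printf("missing ACL: fail-open=%d fail-closed=%d\n",
           authorize_fail_open(user, acl_typo, 1),
           authorize_fail_closed(user, acl_typo, 1));
    return 0;
}
```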

remctl 2.5 (2007-02-03)

    Automatically use a continued MESSAGE_COMMAND if the total command
    length is larger than 64KB (minus token overhead).  The remctl client
    library can now send arbitrarily large commands, at some cost in
    memory consumption on the client and server.  The server is still
    limited by the OS-imposed maximum length of a command line.

    When the server runs a command, open /dev/null for standard input
    rather than leaving standard input closed.  Some programs don't cope
    with a closed standard input.

    Audited memory handling of buffers sent to and read from the network
    and closed several memory leaks.

    Use the same limit (1MB) on token size everywhere.  Enforce the
    protocol limit on unencrypted data size (64KB) in both the server and
    when sending messages in the client.

    Correctly handle a zero-length argument at the end of a command in the
    server.  Previously, that argument was ignored.

    Check that the expected argument count matches the count of arguments
    seen in the server and that all of the client data was consumed when
    parsing arguments.
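
    The argument checks described in this release (a trailing zero-length
    argument is kept, the claimed count must match, all client data must be
    consumed, 64KB data limit), as an added example that is not remctld's
    code.  The body layout (a 4-octet big-endian count, then a 4-octet
    length and data per argument) is a simplified assumption, the sample
    messages are constructed, and the 4096-argument cap is the one from the
    2.3 notes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Limits from the release notes: 4096 arguments, 64KB of command data. */
#define MAX_ARGS 4096
#define MAX_DATA (64UL * 1024)

enum parse_status {
    PARSE_OK = 0,
    PARSE_TOO_MUCH_DATA,
    PARSE_TOO_MANY_ARGS,
    PARSE_TRUNCATED,
    PARSE_TRAILING_DATA,
    PARSE_NOMEM
};

struct arg {
    const unsigned char *data; /* points into the caller's buffer */
    size_t length;
};

static uint32_t
read_be32(const unsigned char *p)
{
    return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16)
           | ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Assumed layout (simplified for this example): count, then for each
   argument a length and that many octets.  On PARSE_OK, free *out. */
enum parse_status
parse_args(const unsigned char *buf, size_t len, struct arg **out,
           size_t *count)
{
    size_t pos = 4, i;
    uint32_t claimed, arglen;
    struct arg *args;

    *out = NULL;
    *count = 0;
    if (len > MAX_DATA)
        return PARSE_TOO_MUCH_DATA;
    if (len < 4)
        return PARSE_TRUNCATED;
    claimed = read_be32(buf);
    if (claimed > MAX_ARGS)
        return PARSE_TOO_MANY_ARGS; /* reject before allocating */
    args = calloc(claimed > 0 ? claimed : 1, sizeof(*args));
    if (args == NULL)
        return PARSE_NOMEM;
    for (i = 0; i < claimed; i++) {
        /* Compare against the octets remaining so nothing can overflow. */
        if (len - pos < 4)
            goto truncated;
        arglen = read_be32(buf + pos);
        pos += 4;
        if (arglen > len - pos)
            goto truncated;
        args[i].data = buf + pos; /* a zero-length argument is still kept */
        args[i].length = arglen;
        pos += arglen;
    }
    if (pos != len) { /* more data than the claimed count accounts for */
        free(args);
        return PARSE_TRAILING_DATA;
    }
    *out = args;
    *count = claimed;
    return PARSE_OK;
truncated:
    free(args);
    return PARSE_TRUNCATED;
}

/* Return the argument count, or the negated status if rejected. */
int
parsed_count(const unsigned char *buf, size_t len)
{
    struct arg *args;
    size_t count;
    enum parse_status status = parse_args(buf, len, &args, &count);

    free(args);
    return status == PARSE_OK ? (int) count : -(int) status;
}

/* Constructed sample messages. */
static const unsigned char sample_ok[] = { /* "test", "" */
    0, 0, 0, 2, 0, 0, 0, 4, 't', 'e', 's', 't', 0, 0, 0, 0 };
static const unsigned char sample_extra[] = { /* claims 1, sends 2 */
    0, 0, 0, 1, 0, 0, 0, 1, 'a', 0, 0, 0, 1, 'b' };
static const unsigned char sample_short[] = { /* claims 2, sends 1 */
    0, 0, 0, 2, 0, 0, 0, 1, 'a' };
static const unsigned char sample_many[] = { 0, 0, 0x10, 0x01 }; /* 4097 */
static const unsigned char sample_long[] = { /* length past the end */
    0, 0, 0, 1, 0xff, 0xff, 0xff, 0xff, 'a' };

int
main(void)
{
    printf("ok=%d extra=%d short=%d many=%d long=%d\n",
           parsed_count(sample_ok, sizeof(sample_ok)),
           parsed_count(sample_extra, sizeof(sample_extra)),
           parsed_count(sample_short, sizeof(sample_short)),
           parsed_count(sample_many, sizeof(sample_many)),
           parsed_count(sample_long, sizeof(sample_long)));
    return 0;
}
```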

    Add a newline to the end of error messages when converting to protocol
    version one replies.  The old remctl client didn't add a newline.

    Document the limits on token size and unencrypted data size in the
    protocol specification.  Improve the protocol documentation for the
    continue status for MESSAGE_COMMAND.  Use octet instead of byte
    uniformly.

remctl 2.4 (2007-01-17)

    IPv6 support is now automatically enabled on systems that support it.
    The remctl code uniformly uses the new IPv6-aware host and address
    functions, using replacements on systems that don't provide them in
    libc.  Thanks to Jonathan Kollasch for the initial patch.

    When sending tokens, correctly check for network errors rather than
    ignoring them due to a miswritten test.

    In the remctl command-line client, print a newline after protocol
    error messages from the server.

    Add error messages to the protocol specification for sending too many
    arguments in a command and sending too much data with a command.
    Return the more specific error message if the number of command
    arguments exceeds the current hard-coded limit rather than just
    reporting a bad command token.

    Don't use $< in non-pattern rules (again), fixing a build error on
    some systems with non-GNU make (although since the generated man
    pages are part of the distribution, only those modifying the POD
    source would have seen this error).

remctl 2.3 (2006-12-06)

    Increase the maximum number of arguments the server will accept for a
    command to 4096 from 64.  This is an arbitrary limit to protect
    against memory-consumption denial-of-service attacks.

    Document the exit status of the remctl client.

    Add the -S flag to remctld, which tells it to log to standard output
    and standard error rather than syslog.  Use this flag in the test
    suite so that make check doesn't spew into a system's syslog.

    Require Automake 1.10 and Autoconf 2.60 and use AC_CONFIG_LIBOBJ_DIR
    to locate replacements for missing system functions.  This means that
    an Automake patch is no longer required for bootstrapping and remctl
    will now work with stock Autoconf and Automake.

remctl 2.2 (2006-09-08)

    Add appropriate casts when passing size_t variables to printf on
    64-bit systems.

    Include <sys/socket.h> in appropriate places for socklen_t on Solaris.

    Make the xmalloc test suite indifferent to filename differences from
    builddir != srcdir builds.

    Work around strange GCC 4.1 behavior on AMD64 that creates a const
    temporary variable in the macro expansion of the W* wait macros on
    glibc systems, causing the build of runtests to fail.  For some reason
    this apparently only affects AMD64.

    Redirect /dev/null into kinit in the test suite so that the Heimdal
    syntax doesn't cause an MIT kinit to hang.

    Try all kinit variants in the remctl client test as well as the C API
    tests.

remctl 2.1 (2006-08-22)

    Set REMOTE_USER in the environment for commands run by remctld, using
    the same value as REMUSER.  This makes it easier to use programs that
    also run as CGI scripts.  Also set REMOTE_ADDR to the IP address of
    the remote host and set REMOTE_HOST to the hostname if available.

    Stop setting SCPRINCIPAL in the environment.  This was for backward
    compatibility with sysctl and it's highly unlikely that anyone still
    cares (not to mention that the value was qualified with the realm and
    therefore didn't match sysctld's setting anyway).

    Properly nul-terminate error replies when using the simplified remctl
    client API.

    Support make check with builddir != srcdir builds.  Thanks to Ralf
    Wildenhues for the help in identifying the issues.

remctl 2.0 (2006-08-09)

    Implement a new version 2 protocol, with automatic down-negotiation
    to the old protocol for backward compatibility.  The new protocol is
    more binary-safe for command arguments, supports streaming output
    from the server, allows distinguishing between stdout output and
    stderr output, has no arbitrary limits on output size, and supports
    persistent connections.

    Document the details of the remctl protocol, both the old version 1
    protocol and the new version 2 protocol, in hopefully sufficient
    detail for anyone else to implement it.

    Don't consider inclusion of empty directories in a configuration file
    an error.

    Add the -P flag to remctld to write its PID to a file when invoked in
    stand-alone mode.

    Add an automated test suite.

    Completely rewrite the build system to use Automake, a supporting
    utility library, separate subdirectories for different parts of the
    source tree, and a wrapper include file for system headers.

    Don't use $< in non-pattern rules, fixing a build error on some
    systems with non-GNU make.

remctl 1.12 (2006-01-01)

    Initialize memory properly when parsing the server configuration file.

    Library probes with --enable-static cannot use krb5-config, since we
    can't distinguish between the Kerberos libraries that should be static
    and the system library dependencies that must not be made static.

remctl 1.11 (2005-12-22)

    Support include directives in remctld ACL files with the same syntax
    and semantics as include directives in configuration files.

    Stop option parsing at the first non-option on Linux (this is the
    standard behavior of getopt on other platforms).  Otherwise, calling
    remote programs that take options is annoying.

    Use krb5-config where available to get Kerberos libraries and compiler
    flags unless --enable-reduced-depends is used.

    Fix builds and installs where builddir != srcdir.

    Initial port to Heimdal.  remctl now compiles but isn't able to talk
    to a server built with MIT Kerberos, so further porting is still
    needed.

    Remove some debugging code for displaying the GSS-API OID as a string
    that isn't supported by the Heimdal API and is of questionable
    usefulness regardless.

remctl 1.10 (2005-12-01)

    Move the -v option to remctl and remctld to -d (debug), since the
    verbose output or logging is only really useful when debugging.

    Add -h (show usage) and -v (show version) options to both remctl
    and remctld and add real option parsing (so combining multiple options
    in one switch should now work).

    Overhaul error and status reporting in remctl and remctld.  Among
    other advantages, this should eliminate any lingering format string
    worries and get rid of the trailing newlines in syslog messages from
    remctld, as well as regularize the text of the error messages and the
    priority of syslog messages.

remctl 1.9 (2005-05-10)

    Fix serious bug with inclusion of configuration directories.  When
    reading any file after the first, remctl would use random bits of
    memory as the file name.

remctl 1.8 (2005-05-04)

    Support include <file> in the configuration file.  Also support
    including a directory, which includes every file in that directory
    that doesn't have a period in the name.

    Support continuation lines (using backslash) in the configuration
    file, and clean up the parser to be more flexible about whitespace on
    otherwise empty lines or comment lines.

    Change the default remctl.conf location to be relative to sysconfdir
    (<prefix>/etc by default) instead of the current directory.

    remctld now only logs the initial connection authentication and the
    argument count if -v was given, reducing to one the number of syslog
    messages per command.

    Improve the remctld man page, documenting all of the supported options
    including stand-alone mode.

remctl 1.7 (2005-02-22)

    Close extra file descriptors before spawning a child process in
    remctl.  The only file descriptors open should be standard output and
    standard error.  This will fix problems with using remctld to start
    long-running daemons; before, remctld would never realize that the
    child process had exited.
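
    The failure mode fixed here, reproduced as an added example (not
    remctl's own code).  It assumes the server learns that a command has
    finished by reading end-of-file on the command's output pipe; the
    function name, the 1024 bound, and the sleeping grandchild are
    constructed for illustration.

```c
#include <sys/select.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if the parent sees EOF on the command's output pipe within
 * 500 ms of the command exiting, 0 if something still holds the pipe open,
 * and -1 on setup failure. */
int eof_seen_after_child_exit(int close_extra_fds)
{
    int p[2];
    if (pipe(p) < 0)
        return -1;
    pid_t child = fork();
    if (child < 0)
        return -1;
    if (child == 0) {
        close(p[0]);
        dup2(p[1], STDOUT_FILENO);      /* stdout now feeds the pipe */
        if (close_extra_fds)            /* the fix: keep only 0, 1 and 2 */
            for (int fd = 3; fd < 1024; fd++)
                close(fd);
        if (fork() == 0) {              /* stand-in for a long-running daemon */
            close(STDIN_FILENO);        /* a daemon detaches from 0, 1, 2 ... */
            close(STDOUT_FILENO);
            close(STDERR_FILENO);
            sleep(2);                   /* ... but keeps any other inherited fd */
            _exit(0);
        }
        _exit(0);                       /* the command itself returns at once */
    }
    close(p[1]);
    waitpid(child, NULL, 0);            /* the direct child is already gone */

    fd_set rfds;
    struct timeval tv = { 0, 500000 };
    FD_ZERO(&rfds);
    FD_SET(p[0], &rfds);
    int ready = select(p[0] + 1, &rfds, NULL, NULL, &tv);
    char c;
    int eof = (ready == 1 && read(p[0], &c, 1) == 0);
    close(p[0]);
    return eof;
}
```

    Without the close loop, the leftover copy of the pipe's write end
    survives in the daemon, so the reader never sees end-of-file even
    though the command it spawned has exited.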

    Use select to wait for child output in remctld rather than
    busy-waiting so as not to burn CPU cycles when the child takes a while
    to produce output.

    Document the -p option for the client.

remctl 1.6 (2004-05-18)

    Fix format string vulnerabilities when logging the remote command.

remctl 1.5 (2004-03-04)

    Fix a bug in remctld where it would segfault when trying to check the
    ACLs for a command not present in the configuration file.

    Portability fix to return the exit status of the command in network
    byte order.

remctl 1.4 (2003-11-12)

    Add support for a logmask=n option in the configuration file that
    masks those arguments in the logging output (used when some of the
    options for that command contain private information).
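
    An added example, not remctld's code, of logging a remote command in
    the way this entry and the 1.6 format string fix above call for:
    client arguments are passed only as data to a constant format, and one
    argument is masked.  The function names, the log line layout, the
    0-based mask index, and the **MASKED** placeholder are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Build "COMMAND from <user>: <args...>" into out, replacing the argument
 * at index mask (none if mask < 0) with a placeholder.  Client-supplied
 * strings are only ever data for a constant format string.  Returns 0 on
 * success and -1 if the line would not fit. */
int build_command_log(char *out, size_t size, const char *user,
                      int argc, const char *const argv[], int mask)
{
    int n = snprintf(out, size, "COMMAND from %s:", user);
    if (n < 0 || (size_t) n >= size)
        return -1;
    size_t used = (size_t) n;
    for (int i = 0; i < argc; i++) {
        const char *arg = (i == mask) ? "**MASKED**" : argv[i];
        n = snprintf(out + used, size - used, " %s", arg);
        if (n < 0 || (size_t) n >= size - used)
            return -1;                  /* refuse to log a truncated line */
        used += (size_t) n;
    }
    return 0;
}

void log_command(const char *user, int argc, const char *const argv[],
                 int mask)
{
    char line[1024];
    if (build_command_log(line, sizeof(line), user, argc, argv, mask) != 0)
        strcpy(line, "COMMAND too long to log");
    /* Vulnerable form: syslog(LOG_INFO, line) would interpret any '%'
     * sequence the client put in its arguments as a conversion. */
    syslog(LOG_INFO, "%s", line);
}
```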

    Add optimizations in the GSS code to do fewer network writes.

    Significant improvements to the Java client.

    Some minor cleanups to logging, installation, and the configure
    script.

remctl 1.3 (2003-07-21)

    Exit with non-zero status if the remote command failed rather than
    always exiting with zero status if the network exchange worked
    successfully.

    Adjust logging priorities and include some additional information in
    the log of the command.

    Improved the README and added a make dist target to the makefile.

remctl 1.2 (2003-04-04)

    Read from both standard output and standard error of the spawned
    command in turn to better prevent deadlock.

    Set the REMUSER environment variable to the remote authenticated user
    (and continue setting SCPRINCIPAL as well for backward compatibility).

remctl 1.1 (2003-02-28)

    Add an snprintf implementation for systems that don't have it and use
    it for log messages.

    Additional fleshing out of the Java client.

    Lots of code cleanup and style fixes.

remctl 1.0 (2002-11-22)

    Initial release.