                            remctl To-Do List

Protocol:

 * REMCTL-3: Add support for running commands as filters, passing standard
   input asynchronously from the client.  This requires significant
   re-engineering of the client loop and should wait for better
   configuration since we don't want to do this with every command.  It
   also introduces out-of-order responses and possible deadlocks to the
   protocol.  docs/protocol-v4 has an initial draft.

 * REMCTL-4: Support authentication via anonymous PKINIT.  This may
   already work, but the asserted identity should be documented and it's
   not clear whether this should match an ANYUSER ACL.

 * REMCTL-30: Add a capabilities command to the protocol so that the
   client can retrieve the list of supported commands rather than assuming
   based on the protocol version.

 * REMCTL-40: Support locating remctl services via SRV records, probably
   _<service>._remctl._tcp.<domain>.

 * REMCTL-43: Modify the server to not allow MESSAGE_COMMAND split in the
   middle of a length element and require that commands be split in the
   middle or at the end of argument data.

Server:

 * REMCTL-5: Add a way of explicitly specifying the null command or
   subcommand in the remctl configuration annd then permit it rather than
   returning a syntax error.

 * REMCTL-6: Maximum argument count, maximum data size in MESSAGE_COMMAND,
   and inactivity timeouts for commands should be configurable parameters
   of the server rather than hard-coded values.

 * REMCTL-7: Support LDAP-based ACLs in addition to file system ACLs.
   Probably need to support both entitlement and group-based ACLs.

 * REMCTL-8: Add support for external ACL checking programs.  If the
   program exits with a zero status, access is granted.  If it exits 1,
   access is not granted but checking continues.  If it exits with any
   other exit status, access is not granted and checking aborts.

   Ideally, for writing generic ACL checking programs, the program should
   get the type and service of the remctl command as well as any
   arguments.  However, it would also be good to support passing other
   arguments into the program as specified in the ACL file.

 * REMCTL-9: Sort the files in a directory before processing them so that
   the order is deterministic.  Affects both configuration (earlier
   entries override later ones) and ACL rules in the presence of deny
   ACLs.

 * REMCTL-10: Add a timeout for commands after which the server kills the
   command.

 * REMCTL-11: The server should call gss_inquire_context to retrieve the
   mechanism OID and then pass that in to calls to gssapi_error_string
   rather than hard-coding the Kerberos v5 OID.

 * REMCTL-12: Add option to mask all arguments.

 * REMCTL-13: Track all the children spawned by remctld in stand-alone
   mode.  On receipt of SIGTERM or SIGINT, send SIGUSR1 to all children.
   In the children, on receipt of SIGUSR1, exit as soon as the current
   command in progress (if any) stops running.  (SIGTERM or SIGINT
   directly to a child should kill it outright.)

 * REMCTL-32: Support masking the argument following a particular string
   so that the argument to a particular flag can be masked regardless of
   its location on the command line.

 * REMCTL-37: Add server support for persistent child processes that the
   server communicates with over a UNIX domain socket.  The best protocol
   for communication is probably FastCGI, since that will allow the child
   processes to be written in a wide variety of languages and take
   advantage of existing libraries.  This will probably require a new
   implementation of the FastCGI server-side protocol.

 * REMCTL-41: In long-running remctld processes, check for configuration
   file changes and reload the configuration automatically.

 * REMCTL-42: Consider dropping the client remctl connection when the
   client's authentication credentials have expired.  Otherwise, remctld
   potentially violates the security properties of the Kerberos protocol
   by using authenticators beyond their stated lifetime.

Client:

 * REMCTL-14: Implement file upload in the remctl client.

 * REMCTL-15: Add readline support to the remctl client for multiple
   commands to the same server in the same authenticated session.

 * REMCTL-16: Add an option that prompts the user, with echo disabled, for
   a piece of secure data, prompting twice to ensure both times match, and
   then sends that as the last argument to the command.  This would be
   useful for remctl interfaces to change passwords.

 * REMCTL-17: Allow sending the empty command in the command-line client
   once the server supports it.

Client library:

 * REMCTL-18: The client should ideally not specify an OID for the
   authentication mechanism and instead permit GSS-API to negotiate an
   appropriate mechanism.  It should then call gss_inquire_context to
   retrieve the mechanism OID and then pass that in to calls to
   gssapi_error_string rather than hard-coding the Kerberos v5 OID.

 * REMCTL-31: Provide a mechanism in the remctl client library to import
   GSS credentials that will be used for subsequent server connections.

Perl library:

 * REMCTL-33: Add Net::Remctl::Backend support for obtaining a Kerberos
   ticket from a given keytab file before running a command.

 * REMCTL-34: Add Net::Remctl::Backend support for creating a PAG and
   obtaining AFS tokens before running a command.

 * REMCTL-38: Add support for per-command help (possibly extracted from
   the POD documentation with some additional markup) to implement the
   help server configuration.

Build system:

 * REMCTL-20: Incorporate a program that can generate a Kerberos ticket
   cache from a keytab and use that for running the Kerberos tests instead
   of requiring the user to generate a keytab.

Documentation:

 * REMCTL-28: Remove the description of the version 1 remctl protocol from
   the current protocol specification and put it in its own, separate
   specification document.  Most people will no longer care how this
   works.

 * REMCTL-29: Submit the remctl protocol as an IETF Internet-Draft.

 * REMCTL-39: Document conventions for the configuration in the remctld
   manual.

Portability layer:

 * REMCTL-21: Refactor getopt to be easier to understand and less deeply
   nested.

Test suite:

 * REMCTL-22: Add tests to ensure that no child processes of the remctld
   server are still running when the test command finishes for cases like
   server/timeout or server/invalid where we've previously stranded child
   processes for long periods.

Windows port:

 * REMCTL-23: With more modifications, it should be possible to build
   remctl against SSPI, the GSS-API-like interface built into Windows, and
   remove the dependency on MIT Kerberos for Windows.  However,
   limitations surrounding realm trusts in the Kerberos implementation in
   versions of Windows prior to Vista would make this a less general
   solution.  Alternately, a separate client protocol implementation in
   .NET (either C# or C++) may be easier than trying to build the current
   source base on Windows with SSPI.

 * REMCTL-24: Support the remctl server.

Java implementation:

 * REMCTL-1: Integrate the new Java client implementation.

 * REMCTL-25: Integrate the Java build into the rest of the build system
   so that it is enabled using an --enable-java flag similar to the
   bindings, finds maven and a JAVA_HOME in configure, and does the JAR
   build in the main Makefile using maven.

 * REMCTL-26: Java cannot obtain tickets from a ticket cache created using
   the k5.conf file included in the java directory using the current MIT
   Kerberos on Debian.  It has to prompt for a password and get tickets
   itself.  Figure out why and fix it.
