dgc / software / auth931
We have a few uses where I work for a way to execute programs on one computer, triggered by a user on another computer, without interactive authentication. Rshd and sshd are sometimes options (and we use them in some cases) but fall short in others: for example, when we don't allow login shells on the server, to prevent execution of arbitrary code there, but do want particular commands to be runnable. This can be overcome with fancy sshd configurations (forced commands, for instance), but usually on a per-user or per-key basis, not sitewide. Besides, the overhead of an sshd can be a bit much for what we want.
For us, the outstanding example of this is IMAP preauthentication: allowing a user who has already authenticated to harper, the login server, to remotely execute imapd on nsit-imap, the IMAP server, without presenting new credentials. There are others, though, so the idea arose to create a generic tool for authenticating command execution using the RFC 931 ident protocol. If you run an identd on your computer, any server you connect to can query back (to TCP port 113 on your host, quoting the port pair of the connection) to find out which local username owns that connection. The reply is not itself authenticated: it is plain text that the client host chooses to send, so it is only as trustworthy as that host and the network path between the two. When the two machines (and the network between them) are mutually trusted, this can be considered a secure authentication; when they are not, anyone who controls the client host, or can spoof its traffic, can claim any username they like.
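The exchange described above, seen from the side that received the connection, as an added example (not auth931's own code). It assumes the server knows the remote host, the remote port of the incoming connection and its own local port, and that identd on the remote host listens on TCP port 113; the fake identd, the "dgc" user and the port numbers in the demo are constructed for illustration.

```python
"""RFC 931/1413 ident exchange from the querying (server) side. Added example."""
import re
import socket
import threading

IDENT_PORT = 113  # RFC 931 authentication server port


class IdentError(Exception):
    """Raised when identd answers with an error or the reply is unusable."""


# Reply grammar (RFC 931, kept by RFC 1413), only the parts needed here:
#   <port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>
#   <port-on-server> , <port-on-client> : ERROR : <error-type>
# "server" is the host running identd, i.e. the one that opened the
# connection being authenticated, so its port comes first.
_REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")

# identd may return arbitrary text; the answer is about to be used as an
# identity, so accept only something shaped like a local account name.
_USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")


def build_query(remote_port: int, local_port: int) -> bytes:
    """Query sent to the remote host's identd: its port first, ours second."""
    for p in (remote_port, local_port):
        if not 0 < p < 65536:
            raise ValueError(f"port out of range: {p}")
    return f"{remote_port} , {local_port}\r\n".encode("ascii")


def parse_reply(line: bytes, remote_port: int, local_port: int) -> str:
    """Return the username from an identd reply, or raise IdentError."""
    try:
        text = line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError as e:
        raise IdentError("non-ASCII reply") from e
    m = _REPLY_RE.match(text)
    if not m:
        raise IdentError(f"malformed reply: {text!r}")
    rport, lport, kind, rest = m.groups()
    # The reply must echo the exact port pair that was asked about.
    if int(rport) != remote_port or int(lport) != local_port:
        raise IdentError("reply is for a different connection")
    if kind == "ERROR":
        raise IdentError(f"identd error: {rest}")
    _opsys, sep, user = rest.partition(":")  # opsys may be "UNIX" or "UNIX,charset"
    user = user.strip()
    if not sep or not _USER_RE.fullmatch(user):
        raise IdentError(f"unacceptable user-id: {user!r}")
    return user


def query_ident(remote_host: str, remote_port: int, local_port: int,
                ident_port: int = IDENT_PORT, timeout: float = 5.0) -> str:
    """Run the whole exchange against the remote host's identd."""
    with socket.create_connection((remote_host, ident_port), timeout=timeout) as s:
        s.sendall(build_query(remote_port, local_port))
        reply = s.makefile("rb").readline(1024)  # one bounded line
    if not reply:
        raise IdentError("identd closed the connection without answering")
    return parse_reply(reply, remote_port, local_port)


def _fake_identd(listener: socket.socket, table: dict) -> None:
    """Constructed stand-in for the client host's identd (demo only)."""
    conn, _ = listener.accept()
    with conn:
        q = conn.makefile("rb").readline(1024).decode("ascii")
        sp, cp = (x.strip() for x in q.split(","))
        user = table.get((int(sp), int(cp)))
        if user:
            conn.sendall(f"{sp} , {cp} : USERID : UNIX : {user}\r\n".encode("ascii"))
        else:
            conn.sendall(f"{sp} , {cp} : ERROR : NO-USER\r\n".encode("ascii"))


def demo() -> tuple:
    """Both sides of the exchange on 127.0.0.1; returns (accepted, refused)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # a random port stands in for 113
    listener.listen(2)
    port = listener.getsockname()[1]
    table = {(40000, 7000): "dgc"}  # constructed: client port 40000 -> our 7000 is "dgc"
    results = []
    for remote_port in (40000, 40001):
        t = threading.Thread(target=_fake_identd, args=(listener, table), daemon=True)
        t.start()
        try:
            results.append(query_ident("127.0.0.1", remote_port, 7000, ident_port=port))
        except IdentError as e:
            results.append(str(e))
        t.join()
    listener.close()
    return tuple(results)


if __name__ == "__main__":
    print(demo())  # ('dgc', 'identd error: NO-USER')
```

The checks in parse_reply are the ones that matter in practice: the reply has to quote the same port pair that was asked about, an ERROR is a refusal rather than an empty username, and whatever identd returns is filtered down to an account-name shape before it is used to look anything up. None of that makes the answer trustworthy on an untrusted network; it only stops a well-behaved but sloppy reply from being misread.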
Auth931 is such a generic program. It listens on a port for a connection, authenticates that connection via ident, then executes a specified program. It does not invoke an interactive shell; it runs only what the server administrator tells it to run. It logs a lot of information, and it's pretty flexible. It can additionally be built with libwrap (tcp_wrappers style hosts.allow) support. If you can't guarantee a trusted network path, this at least gives you finer control over which client hosts you are willing to trust, bearing in mind that address-based rules are themselves only as strong as the network they run over.