NEWS 31.3 KB
Newer Older
1
2
                       User-Visible wallet Changes

3
wallet 1.3 (unreleased)
4

5
6
7
8
9
10
11
    A new ACL type, nested (Wallet::ACL::Nested), is now supported.  The
    identifier of this ACL names another ACL, and access is granted if
    that ACL would grant access.  This lets one combine multiple other
    ACLs and apply the union to an object.  To enable this ACL type for an
    existing wallet database, use wallet-admin to register the new
    verifier.

12
13
14
15
16
17
    A new ACL type, external (Wallet::ACL::External), is now supported.
    This ACL runs an external command to check if access is allowed, and
    passes the principal and the ACL identifier to that command.  To
    enable this ACL type for an existing wallet database, use wallet-admin
    to register the new verifier.

18
19
20
21
22
23
24
25
26
    A new variation on the ldap-attr ACL type, ldap-attr-root
    (Wallet::ACL::LDAP::Attribute::Root), is now supported.  This is
    similar to netdb-root (compared to netdb): the authenticated principal
    must end in /root, and the LDAP entry checked will be for the same
    principal without the /root component.  This is useful for limiting
    access to certain privileged objects to Kerberos root instances.  To
    enable this ACL type for an existing wallet database, use wallet-admin
    to register the new verifier.

27
28
    A new object type, password (Wallet::Object::Password), is now
    supported.  This is a subclass of the file object that will randomly
29
    generate content for the object if you do a get before storing any
30
31
    content inside it.  To enable this object type for an existing
    database, use wallet-admin to register the new object.
32

33
    Add a new command to wallet-backend, update.  This will update the
34
    contents of an object before running a get on it, and is only valid
35
36
37
38
39
40
    for objects that can automatically get new content, such as keytab and
    password objects.  A keytab will get a new kvno regardless of the
    unchanging flag if called with update.  In a future release get will
    be changed to never update a keytab, and the unchanging flag will be
    ignored.  Please start moving to use get or update as the situation
    warrants.
41

42
    Add an acl replace command, to change all objects owned by one ACL to
43
44
    be owned by another.  This currently only handles owner, not any of
    the more specific ACLs.
45

46
47
    All ACL operations now refer to the ACL by name rather than ID.

48
49
50
    Add a report for unstored objects to wallet-report, and cleaned up the
    help for the existing unused report that implied it showed unstored as
    well as unused.
51

52
53
54
55
56
57
58
    Add reports that list all object types (types) and all ACL schemes
    (schemes) currently registered in the wallet database.

    Add a report of all ACLs that nest a given ACL.  This requires some
    additional local configuration (and probably some code).  See
    Wallet::Config for more information.

59
60
61
62
    Took contributions from Commerzbank AG to improve wallet history.  Add
    a command to dump all object history for searching on to
    wallet-report, and add a new script for more detailed object history
    operations to the contrib directory.
63

64
65
    Displays of ACLs and ACL entries are now sorted correctly.

66
67
68
69
70
    Initial support for using Active Directory as the KDC for keytab
    creation.  The interface to Active Directory uses a combination of
    direct LDAP queries and the msktutil utility.  This version does
    not support the wallet unchanging flag.  Unchanging requires that
    a keytab be retrieved without changing the password/kvno which is
71
72
    not supported by msktutil.

Russ Allbery's avatar
Russ Allbery committed
73
wallet 1.2 (2014-12-08)
74
75
76
77

    The duo object type has been split into several sub-types, each for a
    specific type of Duo integration.  The old type's functionality has
    been moved to duo-pam (Wallet::Object::Duo::PAM), and new types are
Russ Allbery's avatar
Russ Allbery committed
78
79
80
    supported for Duo's auth proxy configurations for LDAP and Radius, and
    their RDP configuration.  These types are duo-radius, duo-ldap, and
    duo-rdp (Wallet::Object::Duo::RadiusProxy,
81
    Wallet::Object::Duo::LDAPProxy, and Wallet::Object::Duo::RDP).  The
Russ Allbery's avatar
Russ Allbery committed
82
83
84
    old duo type still exists for compatability.  To enable these object
    types for an existing wallet database, use wallet-admin to register the
    new object.
85

Russ Allbery's avatar
Russ Allbery committed
86
87
88
89
90
    New rename command for file type objects.  This will change the name
    of the object itself and move any stored data for the file to the
    correct location for the new name.  Currently, rename is only
    supported for file objects, but may be supported by other backends in
    the future.
91

Russ Allbery's avatar
Russ Allbery committed
92
wallet 1.1 (2014-07-16)
93

94
95
96
97
98
99
100
101
102
103
    A new object type, duo (Wallet::Object::Duo), is now supported.  This
    creates an integration with the Duo Security cloud multifactor
    authentication service and allows retrieval of the integration key,
    secret key, and admin hostname.  Currently, only UNIX integration
    types are supported.  The Net::Duo Perl module is required to use this
    object type.  New configuration settings are required as well; see
    Wallet::Config for more information.  To enable this object type for
    an existing wallet database, use wallet-admin to register the new
    object.

104
105
106
    The owner and getacl commands now return the current name of the ACL
    instead of its numeric ID, matching the documentation of owner.

107
108
109
110
    The date passed to expires can now be any date format understood by
    Date::Parse, and Date::Parse (part of the TimeDate CPAN distribution)
    is now a required prerequisite for the wallet server.

111
112
113
114
115
116
117
118
    Fix wallet-rekey on keytabs containing multiple principals.  Previous
    versions assumed one could concatenate keytab files together to make a
    valid keytab file, which doesn't work with some Kerberos libraries.
    This caused new keys downloaded for principals after the first to be
    discarded.  As a side effect of this fix, wallet-rekey always appends
    new keys directly to the existing keytab file, and never creates a
    backup copy of that file.

119
    Fix the code to set enctype restrictions for keytab objects in the
120
121
    wallet server and populate the reference table for valid enctypes on
    initial database creation.
122

123
124
125
126
    Fix the Wallet::Config documentation for the ldap-attr verifier to
    reference an ldap_map_principal hook, not ldap_map_attribute, matching
    the implementation.

127
128
129
130
131
132
133
    When creating new principals in a Heimdal KDC, generate a long, random
    password as the temporary password of the disabled principal before
    randomizing keys.  This is necessary if password quality is being
    enforced on create calls.  Since the principal is always inactive
    until the keys have been randomized, the password should not need to
    be secure (and indeed is not cryptographically random).

134
135
136
137
138
    Previous versions had erroneous foreign key constraints between the
    object history table and the objects table.  Remove those constraints,
    and an incorrect linkage in the schema for the ACL history, and add
    indices for the object type, name, and ACL instead.

139
140
141
142
143
144
    Pass in DateTime objects for the date fields in the database instead
    of formatted time strings.  This provides better compatibility with
    different database engines.  Document in README the need to install
    the DateTime::Format::* module corresponding to the DBD::* module used
    for the server database.

145
146
    ACL renames are now recorded in the ACL history.

147
148
149
150
151
152
153
    Fix wallet-backend parsing of the expires command to expect only one
    argument as the expiration.  This was correctly documented in the
    wallet client man page, but not in wallet-backend, and it accepted two
    arguments (a date and time).  However, Wallet::Server did not and
    would just ignore the time.  Now wallet-backend correctly requires the
    date and time be passed as a single argument.

154
155
156
157
158
    Fix the ordering of table drops during a wallet-admin destroy action
    to remove tables with foreign key references before the tables they
    are referencing.  Should fix destroy in MySQL and other database
    engines that enforce referential integrity.

159
160
161
162
163
164
165
166
    The wallet server now requires Perl 5.8 or later (instead of 5.006 in
    previous versions) and is now built with Module::Build instead of
    ExtUtils::MakeMaker.  This should be transparent to anyone not working
    with the source code, since Perl 5.8 was released in 2002, but
    Module::Build is now required to build the wallet server.  It is
    included in some versions of Perl, or can be installed separately from
    CPAN, distribution packages, or other sources.

167
168
169
    Add a new contrib script, wallet-rekey-periodic, which is used at
    Stanford to periodically rekey hosts from cron.

170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
    Update to rra-c-util 5.5:

    * Use Lancaster Consensus environment variables to control tests.
    * Use calloc or reallocarray for protection against integer overflows.
    * Suppress warnings from Kerberos headers in non-system paths.
    * Assume calloc initializes pointers to NULL.
    * Assume free(NULL) is properly ignored.
    * Improve error handling in xasprintf and xvasprintf.
    * Check the return status of snprintf and vsnprintf properly.
    * Preserve errno if snprintf fails in vasprintf replacement.

    Update to C TAP Harness 3.1:

    * Reopen standard input to /dev/null when running a test list.
    * Don't leak extraneous file descriptors to tests.
    * Suppress lazy plans and test summaries if the test failed with bail.
    * runtests now treats the command line as a list of tests by default.
    * The full test executable path can now be passed to runtests -o.
    * Improved harness output for tests with lazy plans.
    * Improved harness output to a terminal for some abort cases.
    * Flush harness output after each test even when not on a terminal.

Russ Allbery's avatar
Russ Allbery committed
192
wallet 1.0 (2013-03-27)
193

194
195
196
197
198
    Owners of wallet objects are now allowed to destroy them.  In previous
    versions, a special destroy ACL had to be set and the owner ACL wasn't
    used for destroy actions, but operational experience at Stanford has
    shown that letting owners destroy their own objects is a better model.

199
200
201
202
    wallet-admin has a new sub-command, upgrade, which upgrades the wallet
    database to the latest schema version.  This command should be run
    when deploying any new version of the wallet server.

203
204
205
206
207
208
209
210
211
    A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
    supported.  This ACL type grants access if the LDAP entry
    corresponding to the principal contains the attribute name and value
    specified in the ACL.  The Net::LDAP and Authen::SASL Perl modules are
    required to use this ACL type.  New configuration settings are
    required as well; see Wallet::Config for more information.  To enable
    this ACL type for an existing wallet database, use wallet-admin to
    register the new verifier.

212
213
214
215
216
217
218
    A new object type, wa-keyring (Wallet::Object::WAKeyring), is now
    supported.  This stores a WebAuth keyring and handles both key
    rotation and garbage collection of old keys on retrieval of the
    keyring.  The WebAuth Perl module is required to use this object
    type.  To enable this object type for an existing wallet database, use
    wallet-admin to register the new object.

Russ Allbery's avatar
Russ Allbery committed
219
220
221
222
    Add a new acl check command which, given an ACL ID, prints yes if that
    ACL already exists and no otherwise.  This is parallel to the check
    command for objects.

Russ Allbery's avatar
Russ Allbery committed
223
224
225
226
227
    Add a comment field to objects and corresponding commands to
    wallet-backend and wallet to set and retrieve it.  The comment field
    can only be set by the owner or wallet administrators but can be seen
    by anyone on the show ACL.

228
229
230
231
232
233
    The wallet server backend now uses DBIx::Class for the database layer,
    which means that DBIx::Class and SQL::Translator and all of their
    dependencies now have to be installed for the server to work.  If the
    database in use is SQLite 3, DateTime::Format::SQLite should also be
    installed.

234
235
236
    Add docs/objects-and-schemes, which provides a brief summary of the
    current supported object types and ACL schemes.

237
238
239
240
241
242
243
    The Stanford wallet object and ACL naming policy is now available in
    code form as the Wallet::Policy::Stanford module, which is installed
    as part of the server.  As-is, it is only useful for sites that want
    to adopt an identical naming policy (and will still require overriding
    some of the internal data, like group names), but it may provide a
    useful code example for others wanting to do something similar.

244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
    Update to rra-c-util 4.8:

    * Look for krb5-config in /usr/kerberos/bin after the user's PATH.
    * Kerberos library probing fixes without transitive shared libraries.
    * Fix Autoconf warnings when probing for AIX's bundled Kerberos.
    * Avoid using krb5-config if --with-{krb5,gssapi}-{include,lib} given.
    * Correctly remove -I/usr/include from Kerberos and GSS-API flags.
    * Build on systems where krb5/krb5.h exists but krb5.h does not.
    * Pass --deps to krb5-config unless --enable-reduced-depends was used.
    * Do not use krb5-config results unless gssapi is supported.
    * Fix probing for Heimdal's libroken to work with older versions.
    * Update warning flags for GCC 4.6.1.
    * Update utility library and test suite for newer GCC warnings.
    * Fix broken GCC attribute markers causing compilation problems.
    * Suppress warnings on compilers that support gcc's __attribute__.
    * Add notices to all files copied over from rra-c-util.
    * Fix warnings when reporting memory allocation failure in messages.c.
    * Fix message utility library compiler warnings on 64-bit systems.
    * Include strings.h for additional POSIX functions where found.
    * Use an atexit handler to clean up after Kerberos tests.
    * Kerberos test configuration now goes in tests/config.
    * The principal of the test keytab is determined automatically.
    * Simplify the test suite calls for Kerberos and remctl tests.
    * Check for a missing ssize_t.
    * Improve the xstrndup utility function.
    * Checked asprintf variants are now void functions and cannot fail.
    * Fix use of long long in portable/mkstemp.c.
    * Fix test suite portability to Solaris.
    * Substantial improvements to the POD syntax and spelling checks.

    Update to C TAP Harness 1.12:

    * Fix compliation of runtests with more aggressive warnings.
    * Add a more complete usage message and a -h command-line flag.
    * Flush stderr before printing output from tests.
    * Better handle running shell tests without BUILD and SOURCE set.
    * Fix runtests to honor -s even if BUILD and -b aren't given.
    * runtests now frees all allocated resources on exit.
    * Only use feature-test macros when requested or built with gcc -ansi.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell libtap.sh library.
    * Suppress warnings on compilers that support gcc's __attribute__.

Russ Allbery's avatar
Russ Allbery committed
287
wallet 0.12 (2010-08-25)
288

289
290
291
292
293
294
    New client program wallet-rekey that, given a list of keytabs on the
    command line, requests new keytab objects for each principal in the
    local realm and then merges the new objects into that keytab.  The
    current implementation only acquires new keys and doesn't purge any
    old keys.

Russ Allbery's avatar
Russ Allbery committed
295
296
297
298
299
    A new ACL type, krb5-regex, is now supported.  This ACL type is the
    same as krb5 except that the identifier is interpreted as a Perl
    regular expression and matched against the authenticated identity
    attempting to run a wallet command.  Patch from Ian Durkacz.

300
301
302
303
    Add a objects unused report to wallet-report and Wallet::Report,
    returning all objects that have never been downloaded (in other words,
    have never been the target of a get command).

Russ Allbery's avatar
Russ Allbery committed
304
305
306
    Add an acls duplicate report to wallet-report and Wallet::Report,
    returning sets of ACLs that have exactly the same entries.

307
308
309
    Add a help command to wallet-report, which returns a summary of all
    available commands.

310
311
312
313
314
315
316
317
318
319
320
321
322
323
    Update to C TAP Harness 1.5:

    * Better reporting of fatal errors in the test suite.
    * Summarize results at the end of test execution.
    * Add tests/HOWTO from docs/writing-tests in C TAP Harness.

    Update to rra-c-util 2.6:

    * Fix portability to bundled Heimdal on OpenBSD.
    * Improve checking for krb5_kt_free_entry with older MIT Kerberos.
    * Fix portability for missing krb5_get_init_creds_opt_free.
    * Fix header guard for util/xwrite.h.
    * Restore default compiler configuration after GSS-API library probe.

Russ Allbery's avatar
Russ Allbery committed
324
wallet 0.11 (2010-03-08)
325

326
327
328
329
330
331
    When deleting an ACL on the server, verify that the ACL is not
    referenced by any object first.  Database referential integrity should
    also catch this, but not all database backends may enforce referential
    integrity.  This also allows us to return a better error message
    naming an object that's still using that ACL.

332
333
334
335
336
    Wallet::Config now supports an additional local function,
    verify_acl_name, which can be used to enforce ACL naming policies.  If
    set, it is called for any ACL creation or rename and can reject the
    new ACL name.

337
338
339
340
    Add an audit command to wallet-report and two audits: acls name, which
    returns all ACLs that do not pass the local naming policy, and objects
    name, which does the same for objects.  The corresponding
    Wallet::Report method is audit().
341

Russ Allbery's avatar
Russ Allbery committed
342
343
344
    Add the acls unused report to wallet-report and Wallet::Report,
    returning all ACLs not referenced by any database objects.

345
346
347
348
349
350
    Wallet::Config::verify_name may now be called with an undefined third
    argument (normally the user attempting to create an object).  This
    calling convention is used when auditing, and the local policy
    function should select the correct policy to apply for useful audit
    results.

351
352
353
    Fix portability to older Kerberos libraries without
    krb5_free_error_message.

Russ Allbery's avatar
Russ Allbery committed
354
wallet 0.10 (2010-02-21)
355

356
357
358
359
360
361
    Add support for Heimdal KDCs as well as MIT Kerberos KDCs.  There is
    now a mandatory new setting in Wallet::Config: $KEYTAB_KRBTYPE.  It
    should be set to either "MIT" or "Heimdal" depending on the Kerberos
    KDC implementation used.  The Heimdal support requires the
    Heimdal::Kadm5 Perl module.

362
363
364
365
366
367
368
369
    Remove kaserver synchronization support.  It is no longer tested, and
    retaining the code was increasing the complexity of wallet, and some
    specific requirements (such as different realm names between kaserver
    and Kerberos v5 and the kvno handling) were Stanford-specific.  Rather
    than using this support, AFS sites running kaserver will probably find
    deploying Heimdal with its internal kaserver compatibility is probably
    an easier transition approach.

370
371
    Remove the kasetkey client for setting keys in an AFS kaserver.

372
373
374
375
376
377
378
379
    The wallet client no longer enables kaserver synchronization when a
    srvtab is requested with -S.  Instead, it just extracts the DES key
    from the keytab and writes it to a srvtab.  It no longer forces the
    kvno of the srvtab to 0 (a Stanford-specific action) and instead
    preserves the kvno from the key in the keytab.  This should now do the
    right thing for sites that use a KDC that serves both Kerberos v4 and
    Kerberos v5 from the same database.

380
381
382
383
384
385
    The wallet client can now store data containing nul characters and
    wallet-backend will accept it if passed on standard input instead of
    as a command-line argument.  See config/wallet for the new required
    remctld configuration.  Storing data containing nul characters
    requires remctl 2.14 or later.

386
387
388
    Correctly handle storing of data that begins with a dash and don't
    parse it as an argument to wallet-backend.

389
390
391
    Fix logging in wallet-backend and the remctl configuration to not log
    the data passed to store.

392
393
394
395
396
397
    Move all reporting from Wallet::Admin to Wallet::Report and simplify
    the method names since they're now part of a dedicated reporting
    class.  Similarly, create a new wallet-report script to wrap
    Wallet::Report, moving all reporting commands to it from wallet-admin,
    and simplify the commands since they're for a dedicated reporting
    script.
398

399
400
401
402
403
404
405
406
407
    Add additional reports for wallet-report: objects owned by a specific
    ACL, objects owned by no one, objects of a specific type, objects with
    a specific flag, objects for which a specific ACL has privileges, ACLs
    with an entry with a given type and identifier, and ACLs with no
    members.

    Add a new owners command to wallet-report and corresponding owners()
    method to Wallet::Report, which returns all ACL lines on owner ACLs
    for matching objects.
Russ Allbery's avatar
Russ Allbery committed
408

409
410
    Report ACL names as well as numbers in object history.

411
412
413
414
415
416
    The wallet client now uses a temporary disk ticket cache when
    obtaining tickets with the -u option rather than an in-memory cache,
    allowing for a libremctl built against a different Kerberos
    implementation than the wallet client.  This primarily helps with
    testing.

417
    Update to rra-c-util 2.3:
418

419
420
    * Use Kerberos portability layer to support Heimdal.
    * Avoid Kerberos API calls deprecated on Heimdal.
421
422
423
424
425
426
427
428
429
430
    * Sanity-check the results of krb5-config before proceeding.
    * Fall back on manual probing if krb5-config results don't work.
    * Add --with-krb5-include and --with-krb5-lib configure options.
    * Add --with-remctl-include and --with-remctl-lib configure options.
    * Add --with-gssapi-include and --with-gssapi-lib configure options.
    * Don't break if the user clobbers CPPFLAGS at build time.
    * Suppress error output from krb5-config probes.
    * Prefer KRB5_CONFIG over a path constructed from --with-*.
    * Update GSS-API probes for Solaris 10's native implementation.
    * Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
431
432
    * Use AC_TYPE_LONG_LONG_INT instead of AC_CHECK_TYPES([long long]).
    * Provide a proper bool type with Sun Studio 12 on Solaris 10.
433
    * Break util/util.h into separate header files per module.
434
435
436
437
438
439
440
441
    * Update portable and util tests for C TAP Harness 1.1.

    Update to C TAP Harness 1.1:

    * Remove the need for Autoconf substitution in test programs.
    * Support running a single test program with runtests -o.
    * Properly handle test cases that are skipped in their entirety.
    * Much improved C TAP library more closely matching Test::More.
442

Russ Allbery's avatar
Russ Allbery committed
443
wallet 0.9 (2008-04-24)
444

445
446
447
448
449
    The wallet command-line client now reads the data for store from a
    file (using -f) or from standard input (if -f wasn't given) when the
    data isn't specified on the command line.  The data still must not
    contain nul characters.

450
451
452
453
454
    Add support for enabling and disabling principals (clearing or setting
    the NOTGS flag) and examining principals to kasetkey.  This
    functionality isn't used by wallet (and probably won't be) but is
    convenient for other users of kasetkey such as kadmin-remctl.

455
456
457
    Report the correct error message when addprinc fails while creating a
    keytab object.

458
459
460
461
462
463
464
465
466
467
468
469
    The configure option requesting AFS kaserver support (and thus
    building kasetkey) is now --with-kaserver instead of --with-afs.

    If KRB5_CONFIG was explicitly set in the environment, don't use a
    different krb5-config based on --with-krb4 or --with-krb5.  If
    krb5-config isn't executable, don't use it.  This allows one to
    force library probing by setting KRB5_CONFIG to point to a
    nonexistent file.

    Sanity-check the results of krb5-config before proceeding and error
    out in configure if they don't work.

470
471
472
    Fix Autoconf syntax error when probing for libkrb5support.  Thanks,
    Mike Garrison.

473
474
475
    wallet can now be built in a different directory than the source
    directory.

476
477
478
    Stop setting Stanford-specific compile-time defaults for the wallet
    server and port.

479
480
    Perl 5.8 is required to run the test suite, but IO::String is not.

481
482
    Include Stanford's wallet.conf as an example (examples/stanford.conf).

Russ Allbery's avatar
Russ Allbery committed
483
wallet 0.8 (2008-02-13)
484
485
486

    Fix the wallet client to use check instead of exists.

487
488
    Add file object support to the wallet server.

489
490
491
    Correctly handle get of an empty object in the wallet client.  The
    empty string is valid object content.

492
493
494
495
    Wallet::Config and hence the wallet server now checks for the
    environment variable WALLET_CONFIG and loads configuration from the
    file specified there instead of /etc/wallet/wallet.conf if it is set.

496
497
    wallet-backend now supports a -q flag, which disables syslog logging.

498
499
500
    wallet-admin now supports registering new object or ACL verifier
    implementations in the database.

501
502
503
504
    Remove the restriction that all object implementations must have class
    names of Wallet::Object::* and all ACL verifier implementations must
    have class names of Wallet::ACL::*.

505
506
507
    Add a full end-to-end test suite to catch protocol mismatches between
    the client and server, such as the one fixed in this release.

508
509
510
    Update the design documentation to reflect the current protocol and
    implementation.

Russ Allbery's avatar
Russ Allbery committed
511
wallet 0.7 (2008-02-08)
512

513
514
515
516
517
518
519
520
521
522
    Add new exists and autocreate wallet server interfaces.  The first
    states whether a given object exists and the second attempts to create
    the object using the default owner rules.  Remove default owner
    handling from the create interface, which is now for administrators
    only.  Remove server-side auto-creation of objects on get or store and
    instead have the client check for object existence and call autocreate
    if necessary.  This removes confusion between default ACLs and
    administrative object creation for users who are also on the ADMIN
    ACL.

523
524
525
526
527
528
    When creating a srvtab based on a just-downloaded keytab, extract the
    srvtab key before merging the keytab into an existing file.
    Otherwise, if the new keys had a lower kvno than the old keys
    (possible after deleting and recreating the object), the wrong key
    would be extracted for the srvtab.

529
530
531
    keytab-backend now passes kadmin.local ktadd its options in a specific
    order to satisfy the picky option parser.

532
533
534
535
    Check naming policy on wallet object creation before checking the
    default ACLs to avoid creating and stranding an ACL when the naming
    policy check fails.

536
537
538
539
540
    The current version of Net::Remctl can't handle explicit undef or the
    empty string as a principal argument.  Be careful not to provide a
    principal argument if no principal was set.  This workaround can be
    removed once we depend on a later version of Net::Remctl.

541
542
    Correctly enable syslog logging in wallet-backend.

543
544
545
    Fix the example remctl configuration for keytab-backend to use the
    correct script name.

Russ Allbery's avatar
Russ Allbery committed
546
wallet 0.6 (2008-01-28)
547

548
549
550
551
552
    SECURITY: If -f is used and the output file name with ".new" appended
    already exists, unlink it first and then create it safely rather than
    truncating it.  This is much safer when creating files in a
    world-writable directory.

553
554
555
556
    The wallet client can now get the server, port, principal, and remctl
    type from krb5.conf as well as from compile-time defaults and
    command-line options.

557
558
559
560
    When getting a keytab with the client with no -f option, correctly
    write the keytab to standard output rather than dying with a cryptic
    error.

561
562
563
564
    When downloading a keytab to a file that already exists, merge the new
    keytab keys into that file rather than moving aside the old keytab and
    creating a new keytab with only the new keys.

565
566
567
568
    The wallet client now supports a -u option, saying to obtain Kerberos
    credentials for the given user and use those for authentication rather
    than using an existing ticket cache.

569
570
571
    Add a wallet-admin program which can initialize and destroy the
    database and list all objects and ACLs in the database.

572
573
574
    Support enforcing a naming policy for wallet objects via a Perl
    function in the wallet server configuration file.

575
576
577
578
579
580
    The build system now probes for GSS-API, Kerberos v5 and v4, and AFS
    libraries as necessary rather than hard-coding libraries.  Building
    on systems without strong shared library dependencies and building
    against static libraries should now work.

    Building kasetkey (for AFS kaserver synchronization) is now optional
581
582
583
584
585
586
587
    and not enabled by default.  Pass --with-afs to configure to enable
    it.  This allows wallet to be easily built in an environment without
    AFS.

    Add a sample script (contrib/wallet-report) showing one way of
    reporting on the contents of the wallet database.  This will
    eventually become more general.
588

Russ Allbery's avatar
Russ Allbery committed
589
wallet 0.5 (2007-12-06)
590

591
592
    Allow the empty string in wallet-backend arguments.

593
594
595
    Allow @ in wallet-backend arguments so that principal names can be
    passed in.

596
597
598
    Load the Perl modules for ACL verifiers and object types dynamically
    now that we're reading the class from the database.

599
600
601
    Correctly implement the documented intention that setting an attribute
    to the empty string clears the attribute values.

602
603
604
605
    Fix the keytab principal validation regex to allow instances
    containing periods.  Otherwise, it's hard to manage host keytabs.  Add
    a missing test suite for that method.

606
607
608
609
    When writing to a file in the wallet client program, remove an old
    backup file before creating a new backup and don't fail if the backup
    already exists.

610
611
612
613
    Check a default creation ACL first before the ADMIN ACL when deciding
    whether we can auto-create a non-existent ACL, since creating one with
    the ADMIN ACL doesn't create a useful object.

Russ Allbery's avatar
Russ Allbery committed
614
wallet 0.4 (2007-12-05)
615

616
617
618
619
    Maintain a global cache of ACL verifiers in Wallet::ACL and reuse them
    over the life of the process if we see another ACL line from the same
    scheme, rather than only reusing ACL verifiers within a single ACL.

620
621
622
623
    Add a subclass of the NetDB ACL verifier that requires the principal
    have an instance of "root" and strips that instance before checking
    NetDB roles.

624
625
626
627
628
629
    Determine the class for object and ACL schema implementations from the
    database rather than a hard-coded list and provide Wallet::Schema
    methods for adding new class mappings.

    Add a missing class mapping for the netdb ACL schema verifier.

630
631
632
633
    Various coding style fixes and cleanup based on a much-appreciated
    code audit by Simon Cozens.  I didn't take all of his advise, and he
    shouldn't be blamed for any remaining issues.

634
wallet 0.3 (2007-12-03)
635

636
637
638
    MySQL is now a supported database backend and the full test suite
    passes with MySQL.

639
640
641
642
643
644
    Add support for running a user-defined function whenever an object is
    created by a non-ADMIN user and using the default owner ACL returned
    by that function provided that the calling user is authorized by that
    ACL.  This permits dynamic creation of new objects based on a default
    owner ACL programmatically determined from the name of the object.

645
646
647
    Attempt to create the object with a default owner on get and store
    when the object doesn't exist.

648
649
    Add support for displaying the history of objects and ACLs.

650
651
652
    Add an ACL verifier that checks access against NetDB roles using the
    NetDB remctl interface.

653
654
    The wallet backend script now logs all commands and errors to syslog.

655
656
657
    The keytab backend now supports limiting generated keytabs to
    particular enctypes by setting an attribute on the object.

658
659
660
661
662
    Expiration dates are now expressed in YYYY-MM-DD HH:MM:SS instead of
    seconds since epoch and returned the same way.  Timestamps are now
    stored in the database as correct date and time types rather than
    seconds since epoch to work properly with MySQL.

663
664
665
    The wallet backend test suite now supports using a database other than
    SQLite for testing.

Russ Allbery's avatar
Russ Allbery committed
666
wallet 0.2 (2007-10-08)
667
668
669
670
671
672
673
674
675

    First public alpha release.  Only tested with SQLite 3, no history
    support, no object list support, and only keytab object and krb5 ACL
    support.

wallet 0.1 (2007-03-08)

    Internal release containing only kasetkey, a stub client, and design
    documentation.