1 User-Visible wallet Changes
3 wallet 1.5 (unreleased)
5 Fix the table drop order for wallet-admin destroy to avoid violating
6 foreign key constraints. Patch from macrotex.
8 In Wallet::Policy::Stanford, fix the default_owner logic for password
9 objects that are group-based rather than host-based. Thanks,
12 Update to rra-c-util 8.2:
14 * Implement explicit_bzero with memset if it is not available.
15 * Reformat all C source using clang-format 10.
16 * Work around Test::Strict not skipping .git directories.
17 * Fix warnings with perltidy 20190601 and Perl::Critic 1.134.
18 * Fix warnings with Clang 10, GCC 10, and the Clang static analyzer.
20 Update to C TAP Harness 4.7:
22 * Fix warnings with GCC 10.
23 * Reformat all C source using clang-format 10.
24 * Fix malloc error checking in bstrndup.
26 wallet 1.4 (2018-06-03)
28 Substantial improvements to Active Directory support: Add a
29 contrib/ad-keytab script that assists with initial setup and examining
30 the Active Directory objects, rename some configuration variables to
31 reflect that they are relative distinguished names, add a
32 configuration variable for the base DN, make sure userPrincipalName is
33 created for all keytabs and use it to search, allow creation of a
34 service principal, and truncate and make unique long names in AD if
35 necessary. This support should still be considered experimental.
37 When getting configuration values from krb5.conf, pass the default
38 local realm into the Kerberos appdefault functions. This will produce
39 more correct results with krb5.conf files that specify wallet
40 configuration for multiple realms.
42 Remove stray references to strlcpy and strlcat that broke builds on
43 platforms where those functions are part of libc. Thanks to Karl
44 Kornel for the report.
46 Detect the path to Perl during configure, allowing an override by
47 setting the PERL environment or configure variable, and use that path
48 for all Perl scripts. This allows wallet to use a version of Perl at
49 a non-standard path. Patches from Karl Kornel.
51 Rename the script to bootstrap from a Git checkout to bootstrap,
52 matching the emerging consensus in the Autoconf world.
54 Add SPDX-License-Identifier headers to all substantial source files.
56 Update to rra-c-util 7.2:
58 * Improve configure output for krb5-config testing.
59 * Define UINT32_MAX for systems that don't have it.
60 * Add SPDX-License-Identifier headers to all substantial source files.
61 * Fix new warnings from GCC 7 and Clang warnings.
62 * Require Test::Strict 0.25 or later to run those tests.
63 * Fix off-by-one error in return-value checks for snprintf.
64 * Use Autoconf to probe for supported warning flags.
65 * Fix running module-version-t -u with current versions of Perl.
66 * Use C_TAP_SOURCE and C_TAP_BUILD instead of SOURCE and BUILD.
68 Update to C TAP Harness 4.3:
70 * Add support for valgrind and libtool in test lists.
71 * Report test failures as left and right, not wanted and expected.
72 * Fix string comparisons with NULL pointers and the string "(null)".
73 * Add SPDX-License-Identifier headers to all substantial source files.
74 * Avoid zero-length realloc allocations in breallocarray.
75 * Fix new warnings from GCC 7 and Clang warnings.
76 * Use C_TAP_SOURCE and C_TAP_BUILD instead of SOURCE and BUILD.
78 wallet 1.3 (2016-01-17)
80 All Duo object implementations have been merged into a single Perl
81 module. Duo objects should continue to behave as before, but the
82 database must be updated to map the object names to the correct Perl
83 modules. Run perl/sql/wallet-1.3-update-duo.sql on your database to
84 fix the Duo object type registrations if you were using Duo. Many
85 more Duo object types are now supported and can be manually registered
86 with wallet-admin register object.
88 This release adds initial, experimental support for using Active
89 Directory as the KDC for keytab creation. The interface to Active
90 Directory uses a combination of direct LDAP queries and the msktutil
91 utility. This version does not support the wallet unchanging flag.
92 Unchanging requires that a keytab be retrieved without changing the
93 password/kvno, which is not supported by msktutil. Active Directory
94 can be selected by setting KEYTAB_KRBTYPE to AD in the wallet
95 configuration. Multiple other configuration options must also be set;
96 see Wallet::Config for more information and README for the additional
97 Perl modules required. Thanks to Bill MacAllister for the
100 A new ACL type, nested (Wallet::ACL::Nested), is now supported. The
101 identifier of this ACL names another ACL, and access is granted if
102 that ACL would grant access. This lets one combine multiple other
103 ACLs and apply the union to an object. To enable this ACL type for an
104 existing wallet database, use wallet-admin to register the new
107 A new ACL type, external (Wallet::ACL::External), is now supported.
108 This ACL runs an external command to check if access is allowed, and
109 passes the principal, type and name of the object, and the ACL
110 identifier to that command. To enable this ACL type for an existing
111 wallet database, use wallet-admin to register the new verifier.
113 A new variation on the ldap-attr ACL type, ldap-attr-root
114 (Wallet::ACL::LDAP::Attribute::Root), is now supported. This is
115 similar to netdb-root (compared to netdb): the authenticated principal
116 must end in /root, and the LDAP entry checked will be for the same
117 principal without the /root component. This is useful for limiting
118 access to certain privileged objects to Kerberos root instances. To
119 enable this ACL type for an existing wallet database, use wallet-admin
120 to register the new verifier.
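The following is an added example, written for this page and not code from the wallet distribution, of what an external verifier for the external ACL type could look like in C. It assumes the command receives, in this order, the principal, the object type, the object name and the ACL identifier as its four arguments (the order given in the description above) and reports its decision through the exit status, 0 for granted and 1 for denied; that exit-status convention is an assumption of the example. The sample policy also illustrates the root-instance rule behind netdb-root and ldap-attr-root: the caller must be a /root instance, and the principal with that instance stripped must equal the ACL identifier. The policy itself is invented for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Example external ACL verifier (added example, not wallet code).
 *
 * Policy (an assumption for this example): the calling principal must be a
 * Kerberos root instance, primary/root@REALM, and the principal with the
 * /root instance stripped must be identical to the ACL identifier.  The
 * object type and name are passed in so a policy can use them; this one
 * ignores them.
 */

/*
 * Copy principal into out with a trailing "/root" instance removed.  The
 * realm is preserved, so "host/foo.example.com/root@EXAMPLE.COM" becomes
 * "host/foo.example.com@EXAMPLE.COM".  Returns 0 on success and -1 if the
 * principal has no realm, no /root instance, an empty primary, or does
 * not fit in out.
 */
static int
strip_root_instance(const char *principal, char *out, size_t outlen)
{
    const char *at = strrchr(principal, '@');
    const char *inst;
    size_t keep, realm;

    if (at == NULL || at == principal)
        return -1;
    /* Walk back from the realm to the start of the last component. */
    inst = at;
    while (inst > principal && inst[-1] != '/')
        inst--;
    if (inst == principal)
        return -1;              /* no instance at all */
    if ((size_t) (at - inst) != 4 || strncmp(inst, "root", 4) != 0)
        return -1;              /* instance is not "root" */
    keep = (size_t) (inst - 1 - principal);    /* bytes before the '/' */
    if (keep == 0)
        return -1;              /* "/root@REALM" has no primary */
    realm = strlen(at);                        /* '@' plus realm */
    if (keep + realm + 1 > outlen)
        return -1;
    memcpy(out, principal, keep);
    memcpy(out + keep, at, realm + 1);         /* includes the NUL */
    return 0;
}

/*
 * Decide whether access is granted.  Returns 1 to grant and 0 to deny.
 */
int
external_acl_check(const char *principal, const char *type,
                   const char *name, const char *identifier)
{
    char stripped[512];

    (void) type;
    (void) name;
    if (strip_root_instance(principal, stripped, sizeof(stripped)) != 0)
        return 0;
    return strcmp(stripped, identifier) == 0;
}

/* wallet would run this with four arguments; exit 0 grants access. */
int
main(int argc, char *argv[])
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s principal type name identifier\n",
                argv[0]);
        return 2;
    }
    return external_acl_check(argv[1], argv[2], argv[3], argv[4]) ? 0 : 1;
}
```

Because the verifier is a separate process, wallet learns nothing about why access was denied beyond the exit status, so a real verifier should log its own decisions.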
122 A new object type, password (Wallet::Object::Password), is now
123 supported. This is a subclass of the file object that will randomly
124 generate content for the object if you do a get before storing any
125 content inside it. To enable this object type for an existing
126 database, use wallet-admin to register the new object.
128 Add a new command to wallet-backend, update. This will update the
129 contents of an object before running a get on it, and is only valid
130 for objects that can automatically get new content, such as keytab and
131 password objects. A keytab will get a new kvno regardless of the
132 unchanging flag if called with update. In a future release get will
133 be changed to never update a keytab, and the unchanging flag will be
134 ignored. Please start moving to use get or update as the situation
137 Add an acl replace command, to change all objects owned by one ACL to
138 be owned by another. This currently only handles owner, not any of
139 the more specific ACLs.
141 All ACL operations now refer to the ACL by name rather than ID.
143 Add a report for unstored objects to wallet-report, and clean up the
144 help for the existing unused report that implied it showed unstored as
147 Add reports that list all object types (types) and all ACL schemes
148 (schemes) currently registered in the wallet database.
150 Add a report of all ACLs that nest a given ACL. This requires some
151 additional local configuration (and probably some code). See
152 Wallet::Config for more information.
154 Incorporate contributions from Commerzbank AG to improve wallet
155 history: add a command to wallet-report that dumps all object history
156 for searching, and add a new script for more detailed object history
157 operations to the contrib directory.
159 Displays of ACLs and ACL entries are now sorted correctly.
161 The versions of all of the wallet Perl modules now match the overall
162 package version except for Wallet::Schema, which is used to version
165 Update to rra-c-util 5.10:
167 * Add missing va_end to xasprintf implementation.
168 * Fix Perl test suite framework for new Automake relative paths.
169 * Improve portability to Kerberos included in Solaris 10.
170 * Use appropriate warning flags with Clang (currently not warning clean).
172 Update to C TAP Harness 3.4:
174 * Fix segfault in runtests with an empty test list.
175 * Display verbose test results with -v or C_TAP_VERBOSE.
176 * Test infrastructure builds cleanly with Clang warnings.
177 * Support comments and blank lines in test lists.
179 wallet 1.2 (2014-12-08)
181 The duo object type has been split into several sub-types, each for a
182 specific type of Duo integration. The old type's functionality has
183 been moved to duo-pam (Wallet::Object::Duo::PAM), and new types are
184 supported for Duo's auth proxy configurations for LDAP and Radius, and
185 their RDP configuration. These types are duo-radius, duo-ldap, and
186 duo-rdp (Wallet::Object::Duo::RadiusProxy,
187 Wallet::Object::Duo::LDAPProxy, and Wallet::Object::Duo::RDP). The
188 old duo type still exists for compatibility. To enable these object
189 types for an existing wallet database, use wallet-admin to register the
192 New rename command for file type objects. This will change the name
193 of the object itself and move any stored data for the file to the
194 correct location for the new name. Currently, rename is only
195 supported for file objects, but may be supported by other backends in
198 wallet 1.1 (2014-07-16)
200 A new object type, duo (Wallet::Object::Duo), is now supported. This
201 creates an integration with the Duo Security cloud multifactor
202 authentication service and allows retrieval of the integration key,
203 secret key, and admin hostname. Currently, only UNIX integration
204 types are supported. The Net::Duo Perl module is required to use this
205 object type. New configuration settings are required as well; see
206 Wallet::Config for more information. To enable this object type for
207 an existing wallet database, use wallet-admin to register the new
210 The owner and getacl commands now return the current name of the ACL
211 instead of its numeric ID, matching the documentation of owner.
213 The date passed to expires can now be any date format understood by
214 Date::Parse, and Date::Parse (part of the TimeDate CPAN distribution)
215 is now a required prerequisite for the wallet server.
217 Fix wallet-rekey on keytabs containing multiple principals. Previous
218 versions assumed one could concatenate keytab files together to make a
219 valid keytab file, which doesn't work with some Kerberos libraries.
220 This caused new keys downloaded for principals after the first to be
221 discarded. As a side effect of this fix, wallet-rekey always appends
222 new keys directly to the existing keytab file, and never creates a
223 backup copy of that file.
225 Fix the code to set enctype restrictions for keytab objects in the
226 wallet server and populate the reference table for valid enctypes on
227 initial database creation.
229 Fix the Wallet::Config documentation for the ldap-attr verifier to
230 reference an ldap_map_principal hook, not ldap_map_attribute, matching
233 When creating new principals in a Heimdal KDC, generate a long, random
234 password as the temporary password of the disabled principal before
235 randomizing keys. This is necessary if password quality is being
236 enforced on create calls. Since the principal is always inactive
237 until the keys have been randomized, the password should not need to
238 be secure (and indeed is not cryptographically random).
240 Previous versions had erroneous foreign key constraints between the
241 object history table and the objects table. Remove those constraints,
242 and an incorrect linkage in the schema for the ACL history, and add
243 indices for the object type, name, and ACL instead.
245 Pass in DateTime objects for the date fields in the database instead
246 of formatted time strings. This provides better compatibility with
247 different database engines. Document in README the need to install
248 the DateTime::Format::* module corresponding to the DBD::* module used
249 for the server database.
251 ACL renames are now recorded in the ACL history.
253 Fix wallet-backend parsing of the expires command to expect only one
254 argument as the expiration. This was correctly documented in the
255 wallet client man page, but not in wallet-backend, and it accepted two
256 arguments (a date and time). However, Wallet::Server did not and
257 would just ignore the time. Now wallet-backend correctly requires the
258 date and time be passed as a single argument.
260 Fix the ordering of table drops during a wallet-admin destroy action
261 to remove tables with foreign key references before the tables they
262 are referencing. Should fix destroy in MySQL and other database
263 engines that enforce referential integrity.
265 The wallet server now requires Perl 5.8 or later (instead of 5.006 in
266 previous versions) and is now built with Module::Build instead of
267 ExtUtils::MakeMaker. This should be transparent to anyone not working
268 with the source code, since Perl 5.8 was released in 2002, but
269 Module::Build is now required to build the wallet server. It is
270 included in some versions of Perl, or can be installed separately from
271 CPAN, distribution packages, or other sources.
273 Add a new contrib script, wallet-rekey-periodic, which is used at
274 Stanford to periodically rekey hosts from cron.
276 Update to rra-c-util 5.5:
278 * Use Lancaster Consensus environment variables to control tests.
279 * Use calloc or reallocarray for protection against integer overflows.
280 * Suppress warnings from Kerberos headers in non-system paths.
281 * Assume calloc initializes pointers to NULL.
282 * Assume free(NULL) is properly ignored.
283 * Improve error handling in xasprintf and xvasprintf.
284 * Check the return status of snprintf and vsnprintf properly.
285 * Preserve errno if snprintf fails in vasprintf replacement.
287 Update to C TAP Harness 3.1:
289 * Reopen standard input to /dev/null when running a test list.
290 * Don't leak extraneous file descriptors to tests.
291 * Suppress lazy plans and test summaries if the test failed with bail.
292 * runtests now treats the command line as a list of tests by default.
293 * The full test executable path can now be passed to runtests -o.
294 * Improved harness output for tests with lazy plans.
295 * Improved harness output to a terminal for some abort cases.
296 * Flush harness output after each test even when not on a terminal.
298 wallet 1.0 (2013-03-27)
300 Owners of wallet objects are now allowed to destroy them. In previous
301 versions, a special destroy ACL had to be set and the owner ACL wasn't
302 used for destroy actions, but operational experience at Stanford has
303 shown that letting owners destroy their own objects is a better model.
305 wallet-admin has a new sub-command, upgrade, which upgrades the wallet
306 database to the latest schema version. This command should be run
307 when deploying any new version of the wallet server.
309 A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now
310 supported. This ACL type grants access if the LDAP entry
311 corresponding to the principal contains the attribute name and value
312 specified in the ACL. The Net::LDAP and Authen::SASL Perl modules are
313 required to use this ACL type. New configuration settings are
314 required as well; see Wallet::Config for more information. To enable
315 this ACL type for an existing wallet database, use wallet-admin to
316 register the new verifier.
318 A new object type, wa-keyring (Wallet::Object::WAKeyring), is now
319 supported. This stores a WebAuth keyring and handles both key
320 rotation and garbage collection of old keys on retrieval of the
321 keyring. The WebAuth Perl module is required to use this object
322 type. To enable this object type for an existing wallet database, use
323 wallet-admin to register the new object.
325 Add a new acl check command which, given an ACL ID, prints yes if that
326 ACL already exists and no otherwise. This is parallel to the check
329 Add a comment field to objects and corresponding commands to
330 wallet-backend and wallet to set and retrieve it. The comment field
331 can only be set by the owner or wallet administrators but can be seen
332 by anyone on the show ACL.
334 The wallet server backend now uses DBIx::Class for the database layer,
335 which means that DBIx::Class and SQL::Translator and all of their
336 dependencies now have to be installed for the server to work. If the
337 database in use is SQLite 3, DateTime::Format::SQLite should also be
340 Add docs/objects-and-schemes, which provides a brief summary of the
341 current supported object types and ACL schemes.
343 The Stanford wallet object and ACL naming policy is now available in
344 code form as the Wallet::Policy::Stanford module, which is installed
345 as part of the server. As-is, it is only useful for sites that want
346 to adopt an identical naming policy (and will still require overriding
347 some of the internal data, like group names), but it may provide a
348 useful code example for others wanting to do something similar.
350 Update to rra-c-util 4.8:
352 * Look for krb5-config in /usr/kerberos/bin after the user's PATH.
353 * Kerberos library probing fixes without transitive shared libraries.
354 * Fix Autoconf warnings when probing for AIX's bundled Kerberos.
355 * Avoid using krb5-config if --with-{krb5,gssapi}-{include,lib} given.
356 * Correctly remove -I/usr/include from Kerberos and GSS-API flags.
357 * Build on systems where krb5/krb5.h exists but krb5.h does not.
358 * Pass --deps to krb5-config unless --enable-reduced-depends was used.
359 * Do not use krb5-config results unless gssapi is supported.
360 * Fix probing for Heimdal's libroken to work with older versions.
361 * Update warning flags for GCC 4.6.1.
362 * Update utility library and test suite for newer GCC warnings.
363 * Fix broken GCC attribute markers causing compilation problems.
364 * Suppress warnings on compilers that support gcc's __attribute__.
365 * Add notices to all files copied over from rra-c-util.
366 * Fix warnings when reporting memory allocation failure in messages.c.
367 * Fix message utility library compiler warnings on 64-bit systems.
368 * Include strings.h for additional POSIX functions where found.
369 * Use an atexit handler to clean up after Kerberos tests.
370 * Kerberos test configuration now goes in tests/config.
371 * The principal of the test keytab is determined automatically.
372 * Simplify the test suite calls for Kerberos and remctl tests.
373 * Check for a missing ssize_t.
374 * Improve the xstrndup utility function.
375 * Checked asprintf variants are now void functions and cannot fail.
376 * Fix use of long long in portable/mkstemp.c.
377 * Fix test suite portability to Solaris.
378 * Substantial improvements to the POD syntax and spelling checks.
380 Update to C TAP Harness 1.12:
382 * Fix compilation of runtests with more aggressive warnings.
383 * Add a more complete usage message and a -h command-line flag.
384 * Flush stderr before printing output from tests.
385 * Better handle running shell tests without BUILD and SOURCE set.
386 * Fix runtests to honor -s even if BUILD and -b aren't given.
387 * runtests now frees all allocated resources on exit.
388 * Only use feature-test macros when requested or built with gcc -ansi.
389 * Drop is_double from the C TAP library to avoid requiring -lm.
390 * Avoid using local in the shell libtap.sh library.
391 * Suppress warnings on compilers that support gcc's __attribute__.
393 wallet 0.12 (2010-08-25)
395 New client program wallet-rekey that, given a list of keytabs on the
396 command line, requests new keytab objects for each principal in the
397 local realm and then merges the new objects into that keytab. The
398 current implementation only acquires new keys and doesn't purge any
401 A new ACL type, krb5-regex, is now supported. This ACL type is the
402 same as krb5 except that the identifier is interpreted as a Perl
403 regular expression and matched against the authenticated identity
404 attempting to run a wallet command. Patch from Ian Durkacz.
406 Add an objects unused report to wallet-report and Wallet::Report,
407 returning all objects that have never been downloaded (in other words,
408 have never been the target of a get command).
410 Add an acls duplicate report to wallet-report and Wallet::Report,
411 returning sets of ACLs that have exactly the same entries.
413 Add a help command to wallet-report, which returns a summary of all
416 Update to C TAP Harness 1.5:
418 * Better reporting of fatal errors in the test suite.
419 * Summarize results at the end of test execution.
420 * Add tests/HOWTO from docs/writing-tests in C TAP Harness.
422 Update to rra-c-util 2.6:
424 * Fix portability to bundled Heimdal on OpenBSD.
425 * Improve checking for krb5_kt_free_entry with older MIT Kerberos.
426 * Fix portability for missing krb5_get_init_creds_opt_free.
427 * Fix header guard for util/xwrite.h.
428 * Restore default compiler configuration after GSS-API library probe.
430 wallet 0.11 (2010-03-08)
432 When deleting an ACL on the server, verify that the ACL is not
433 referenced by any object first. Database referential integrity should
434 also catch this, but not all database backends may enforce referential
435 integrity. This also allows us to return a better error message
436 naming an object that's still using that ACL.
438 Wallet::Config now supports an additional local function,
439 verify_acl_name, which can be used to enforce ACL naming policies. If
440 set, it is called for any ACL creation or rename and can reject the
443 Add an audit command to wallet-report and two audits: acls name, which
444 returns all ACLs that do not pass the local naming policy, and objects
445 name, which does the same for objects. The corresponding
446 Wallet::Report method is audit().
448 Add the acls unused report to wallet-report and Wallet::Report,
449 returning all ACLs not referenced by any database objects.
451 Wallet::Config::verify_name may now be called with an undefined third
452 argument (normally the user attempting to create an object). This
453 calling convention is used when auditing, and the local policy
454 function should select the correct policy to apply for useful audit
457 Fix portability to older Kerberos libraries without
458 krb5_free_error_message.
460 wallet 0.10 (2010-02-21)
462 Add support for Heimdal KDCs as well as MIT Kerberos KDCs. There is
463 now a mandatory new setting in Wallet::Config: $KEYTAB_KRBTYPE. It
464 should be set to either "MIT" or "Heimdal" depending on the Kerberos
465 KDC implementation used. The Heimdal support requires the
466 Heimdal::Kadm5 Perl module.
468 Remove kaserver synchronization support. It is no longer tested, and
469 retaining the code was increasing the complexity of wallet, and some
470 specific requirements (such as different realm names between kaserver
471 and Kerberos v5 and the kvno handling) were Stanford-specific. Rather
472 than using this support, AFS sites running kaserver will probably find
473 that deploying Heimdal with its internal kaserver compatibility is an
474 easier transition approach.
476 Remove the kasetkey client for setting keys in an AFS kaserver.
478 The wallet client no longer enables kaserver synchronization when a
479 srvtab is requested with -S. Instead, it just extracts the DES key
480 from the keytab and writes it to a srvtab. It no longer forces the
481 kvno of the srvtab to 0 (a Stanford-specific action) and instead
482 preserves the kvno from the key in the keytab. This should now do the
483 right thing for sites that use a KDC that serves both Kerberos v4 and
484 Kerberos v5 from the same database.
486 The wallet client can now store data containing nul characters and
487 wallet-backend will accept it if passed on standard input instead of
488 as a command-line argument. See config/wallet for the new required
489 remctld configuration. Storing data containing nul characters
490 requires remctl 2.14 or later.
492 Correctly handle storing of data that begins with a dash and don't
493 parse it as an argument to wallet-backend.
495 Fix logging in wallet-backend and the remctl configuration to not log
496 the data passed to store.
498 Move all reporting from Wallet::Admin to Wallet::Report and simplify
499 the method names since they're now part of a dedicated reporting
500 class. Similarly, create a new wallet-report script to wrap
501 Wallet::Report, moving all reporting commands to it from wallet-admin,
502 and simplify the commands since they're for a dedicated reporting
505 Add additional reports for wallet-report: objects owned by a specific
506 ACL, objects owned by no one, objects of a specific type, objects with
507 a specific flag, objects for which a specific ACL has privileges, ACLs
508 with an entry with a given type and identifier, and ACLs with no
511 Add a new owners command to wallet-report and corresponding owners()
512 method to Wallet::Report, which returns all ACL lines on owner ACLs
513 for matching objects.
515 Report ACL names as well as numbers in object history.
517 The wallet client now uses a temporary disk ticket cache when
518 obtaining tickets with the -u option rather than an in-memory cache,
519 allowing for a libremctl built against a different Kerberos
520 implementation than the wallet client. This primarily helps with
523 Update to rra-c-util 2.3:
525 * Use Kerberos portability layer to support Heimdal.
526 * Avoid Kerberos API calls deprecated on Heimdal.
527 * Sanity-check the results of krb5-config before proceeding.
528 * Fall back on manual probing if krb5-config results don't work.
529 * Add --with-krb5-include and --with-krb5-lib configure options.
530 * Add --with-remctl-include and --with-remctl-lib configure options.
531 * Add --with-gssapi-include and --with-gssapi-lib configure options.
532 * Don't break if the user clobbers CPPFLAGS at build time.
533 * Suppress error output from krb5-config probes.
534 * Prefer KRB5_CONFIG over a path constructed from --with-*.
535 * Update GSS-API probes for Solaris 10's native implementation.
536 * Change AC_TRY_* to AC_*_IFELSE as recommended by Autoconf.
537 * Use AC_TYPE_LONG_LONG_INT instead of AC_CHECK_TYPES([long long]).
538 * Provide a proper bool type with Sun Studio 12 on Solaris 10.
539 * Break util/util.h into separate header files per module.
540 * Update portable and util tests for C TAP Harness 1.1.
542 Update to C TAP Harness 1.1:
544 * Remove the need for Autoconf substitution in test programs.
545 * Support running a single test program with runtests -o.
546 * Properly handle test cases that are skipped in their entirety.
547 * Much improved C TAP library more closely matching Test::More.
549 wallet 0.9 (2008-04-24)
551 The wallet command-line client now reads the data for store from a
552 file (using -f) or from standard input (if -f wasn't given) when the
553 data isn't specified on the command line. The data still must not
554 contain nul characters.
556 Add support for enabling and disabling principals (clearing or setting
557 the NOTGS flag) and examining principals to kasetkey. This
558 functionality isn't used by wallet (and probably won't be) but is
559 convenient for other users of kasetkey such as kadmin-remctl.
561 Report the correct error message when addprinc fails while creating a
564 The configure option requesting AFS kaserver support (and thus
565 building kasetkey) is now --with-kaserver instead of --with-afs.
567 If KRB5_CONFIG was explicitly set in the environment, don't use a
568 different krb5-config based on --with-krb4 or --with-krb5. If
569 krb5-config isn't executable, don't use it. This allows one to
570 force library probing by setting KRB5_CONFIG to point to a
573 Sanity-check the results of krb5-config before proceeding and error
574 out in configure if they don't work.
576 Fix Autoconf syntax error when probing for libkrb5support. Thanks,
579 wallet can now be built in a different directory than the source
582 Stop setting Stanford-specific compile-time defaults for the wallet
585 Perl 5.8 is required to run the test suite, but IO::String is not.
587 Include Stanford's wallet.conf as an example (examples/stanford.conf).
589 wallet 0.8 (2008-02-13)
591 Fix the wallet client to use check instead of exists.
593 Add file object support to the wallet server.
595 Correctly handle get of an empty object in the wallet client. The
596 empty string is valid object content.
598 Wallet::Config and hence the wallet server now checks for the
599 environment variable WALLET_CONFIG and loads configuration from the
600 file specified there instead of /etc/wallet/wallet.conf if it is set.
602 wallet-backend now supports a -q flag, which disables syslog logging.
604 wallet-admin now supports registering new object or ACL verifier
605 implementations in the database.
607 Remove the restriction that all object implementations must have class
608 names of Wallet::Object::* and all ACL verifier implementations must
609 have class names of Wallet::ACL::*.
611 Add a full end-to-end test suite to catch protocol mismatches between
612 the client and server, such as the one fixed in this release.
614 Update the design documentation to reflect the current protocol and
617 wallet 0.7 (2008-02-08)
619 Add new exists and autocreate wallet server interfaces. The first
620 states whether a given object exists and the second attempts to create
621 the object using the default owner rules. Remove default owner
622 handling from the create interface, which is now for administrators
623 only. Remove server-side auto-creation of objects on get or store and
624 instead have the client check for object existence and call autocreate
625 if necessary. This removes confusion between default ACLs and
626 administrative object creation for users who are also on the ADMIN
629 When creating a srvtab based on a just-downloaded keytab, extract the
630 srvtab key before merging the keytab into an existing file.
631 Otherwise, if the new keys had a lower kvno than the old keys
632 (possible after deleting and recreating the object), the wrong key
633 would be extracted for the srvtab.
635 keytab-backend now passes kadmin.local ktadd its options in a specific
636 order to satisfy the picky option parser.
638 Check naming policy on wallet object creation before checking the
639 default ACLs to avoid creating and stranding an ACL when the naming
642 The current version of Net::Remctl can't handle explicit undef or the
643 empty string as a principal argument. Be careful not to provide a
644 principal argument if no principal was set. This workaround can be
645 removed once we depend on a later version of Net::Remctl.
647 Correctly enable syslog logging in wallet-backend.
649 Fix the example remctl configuration for keytab-backend to use the
652 wallet 0.6 (2008-01-28)
654 SECURITY: If -f is used and the output file name with ".new" appended
655 already exists, unlink it first and then create it safely rather than
656 truncating it. This is much safer when creating files in a
657 world-writable directory.
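As an added example, not the wallet client's own code, this C function shows the pattern the fix above describes. A stale <name>.new is unlinked rather than truncated, because opening it with O_TRUNC would follow a symlink planted in a world-writable directory and clobber whatever it points to; the new file is then created with O_EXCL, so anything that appears between the unlink and the open makes the create fail instead of being reused; finally the file is renamed into place. Function names, the helper used for checking the result, and the error handling are this example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/*
 * Write length bytes of data to path safely (added example, not wallet's
 * code).  Data goes to path.new first and is renamed over path once fully
 * written, so path is never left partially written.  Returns 0 on success
 * and -1 on failure with errno set.
 */
int
write_file_safely(const char *path, const void *data, size_t length)
{
    char *temp;
    size_t templen = strlen(path) + sizeof(".new");   /* includes NUL */
    const char *p = data;
    size_t written = 0;
    int fd, status = -1;

    temp = malloc(templen);
    if (temp == NULL)
        return -1;
    snprintf(temp, templen, "%s.new", path);

    /* Remove anything already at path.new; ENOENT is the normal case. */
    if (unlink(temp) < 0 && errno != ENOENT)
        goto out;

    /*
     * O_EXCL makes open fail if path.new exists, including as a dangling
     * symlink, so a race between the unlink and here is detected rather
     * than exploited.  0600 keeps secret material private from the start.
     */
    fd = open(temp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;

    while (written < length) {
        ssize_t n = write(fd, p + written, length - written);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            unlink(temp);
            goto out;
        }
        written += (size_t) n;
    }
    if (close(fd) < 0 || rename(temp, path) < 0) {
        unlink(temp);
        goto out;
    }
    status = 0;
out:
    free(temp);
    return status;
}

/* Helper for checking results: 1 if path holds exactly the given bytes. */
int
file_has_content(const char *path, const void *expected, size_t length)
{
    unsigned char buf[4096];
    FILE *f;
    size_t n;

    if (length > sizeof(buf))
        return 0;
    f = fopen(path, "rb");
    if (f == NULL)
        return 0;
    n = fread(buf, 1, sizeof(buf), f);
    fclose(f);
    return n == length && memcmp(buf, expected, length) == 0;
}

int
main(int argc, char *argv[])
{
    const char data[] = "example keytab bytes";   /* constructed sample */
    const char *path = argc > 1 ? argv[1] : "wallet-example.keytab";

    if (write_file_safely(path, data, sizeof(data) - 1) < 0) {
        perror(path);
        return 1;
    }
    return 0;
}
```

The unlink-then-O_EXCL sequence is what distinguishes this from a plain fopen(path, "w"): the latter happily follows a pre-planted symlink and truncates the target.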
The wallet client can now get the server, port, principal, and remctl
type from krb5.conf as well as from compile-time defaults and
command-line options.

When getting a keytab with the client with no -f option, correctly
write the keytab to standard output rather than dying with a cryptic

When downloading a keytab to a file that already exists, merge the new
keytab keys into that file rather than moving aside the old keytab and
creating a new keytab with only the new keys.

The wallet client now supports a -u option, saying to obtain Kerberos
credentials for the given user and use those for authentication rather
than using an existing ticket cache.

Add a wallet-admin program which can initialize and destroy the
database and list all objects and ACLs in the database.

Support enforcing a naming policy for wallet objects via a Perl
function in the wallet server configuration file.

The build system now probes for GSS-API, Kerberos v5 and v4, and AFS
libraries as necessary rather than hard-coding libraries. Building
on systems without strong shared library dependencies and building
against static libraries should now work.

Building kasetkey (for AFS kaserver synchronization) is now optional
and not enabled by default. Pass --with-afs to configure to enable
it. This allows wallet to be easily built in an environment without

Add a sample script (contrib/wallet-report) showing one way of
reporting on the contents of the wallet database. This will
eventually become more general.
wallet 0.5 (2007-12-06)

Allow the empty string in wallet-backend arguments.

Allow @ in wallet-backend arguments so that principal names can be

Load the Perl modules for ACL verifiers and object types dynamically
now that we're reading the class from the database.

Correctly implement the documented intention that setting an attribute
to the empty string clears the attribute values.

Fix the keytab principal validation regex to allow instances
containing periods. Otherwise, it's hard to manage host keytabs. Add
a missing test suite for that method.

When writing to a file in the wallet client program, remove an old
backup file before creating a new backup and don't fail if the backup

Check a default creation ACL first before the ADMIN ACL when deciding
whether we can auto-create a non-existent ACL, since creating one with
the ADMIN ACL doesn't create a useful object.
wallet 0.4 (2007-12-05)

Maintain a global cache of ACL verifiers in Wallet::ACL and reuse them
over the life of the process if we see another ACL line from the same
scheme, rather than only reusing ACL verifiers within a single ACL.

Add a subclass of the NetDB ACL verifier that requires the principal
have an instance of "root" and strips that instance before checking

Determine the class for object and ACL schema implementations from the
database rather than a hard-coded list and provide Wallet::Schema
methods for adding new class mappings.

Add a missing class mapping for the netdb ACL schema verifier.

Various coding style fixes and cleanup based on a much-appreciated
code audit by Simon Cozens. I didn't take all of his advice, and he
shouldn't be blamed for any remaining issues.
wallet 0.3 (2007-12-03)

MySQL is now a supported database backend and the full test suite

Add support for running a user-defined function whenever an object is
created by a non-ADMIN user and using the default owner ACL returned
by that function provided that the calling user is authorized by that
ACL. This permits dynamic creation of new objects based on a default
owner ACL programmatically determined from the name of the object.

Attempt to create the object with a default owner on get and store
when the object doesn't exist.

Add support for displaying the history of objects and ACLs.

Add an ACL verifier that checks access against NetDB roles using the
NetDB remctl interface.

The wallet backend script now logs all commands and errors to syslog.

The keytab backend now supports limiting generated keytabs to
particular enctypes by setting an attribute on the object.

Expiration dates are now expressed in YYYY-MM-DD HH:MM:SS instead of
seconds since epoch and returned the same way. Timestamps are now
stored in the database as correct date and time types rather than
seconds since epoch to work properly with MySQL.

The wallet backend test suite now supports using a database other than

wallet 0.2 (2007-10-08)

First public alpha release. Only tested with SQLite 3, no history
support, no object list support, and only keytab object and krb5 ACL

wallet 0.1 (2007-03-08)

Internal release containing only kasetkey, a stub client, and design