wallet 0.6 released

[Russ Allbery]

I'm pleased to announce release 0.6 of wallet.  This is beta-quality
software and should be treated with caution.  It is currently being tested
for production deployment at Stanford.

The wallet is a system for managing secure data, authorization rules to
retrieve or change that data, and audit rules for documenting actions
taken on that data.  Objects of various types may be stored in the wallet
or generated on request and retrieved by authorized users.  The wallet
tracks ACLs, metadata, and trace information.  It is built on top of the
remctl protocol and uses Kerberos GSS-API authentication.  One of the
object types it supports is Kerberos keytabs, making it suitable as a
user-accessible front-end to Kerberos kadmind with richer ACL and metadata
operations.

Changes from previous release:

    SECURITY: If -f is used and the output file name with ".new" appended
    already exists, unlink it first and then create it safely rather than
    truncating it.  This is much safer when creating files in a
    world-writable directory.

    The wallet client can now get the server, port, principal, and remctl
    type from krb5.conf as well as from compile-time defaults and
    command-line options.

    When getting a keytab with the client with no -f option, correctly
    write the keytab to standard output rather than dying with a cryptic
    error.

    When downloading a keytab to a file that already exists, merge the new
    keytab keys into that file rather than moving aside the old keytab and
    creating a new keytab with only the new keys.

    The wallet client now supports a -u option, saying to obtain Kerberos
    credentials for the given user and use those for authentication rather
    than using an existing ticket cache.

    Add a wallet-admin program which can initialize and destroy the
    database and list all objects and ACLs in the database.

    Support enforcing a naming policy for wallet objects via a Perl
    function in the wallet server configuration file.

    The build system now probes for GSS-API, Kerberos v5 and v4, and AFS
    libraries as necessary rather than hard-coding libraries.  Building
    on systems without strong shared library dependencies and building
    against static libraries should now work.

    Building kasetkey (for AFS kaserver synchronization) is now optional
    and not enabled by default.  Pass --with-afs to configure to enable
    it.  This allows wallet to be easily built in an environment without
    AFS.

    Add a sample script (contrib/wallet-report) showing one way of
    reporting on the contents of the wallet database.  This will
    eventually become more general.

You can download it from:

    <http://www.eyrie.org/~eagle/software/wallet/>

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>