wallet 1.1 released

Russ Allbery eagle at eyrie.org
Wed Jul 16 20:35:43 EDT 2014


I'm pleased to announce release 1.1 of wallet.

The wallet is a system for managing secure data, authorization rules to
retrieve or change that data, and audit rules for documenting actions
taken on that data.  Objects of various types may be stored in the wallet
or generated on request and retrieved by authorized users.  The wallet
tracks ACLs, metadata, and trace information.  It is built on top of the
remctl protocol and uses Kerberos GSS-API authentication.  One of the
object types it supports is Kerberos keytabs, making it suitable as a
user-accessible front-end to Kerberos kadmind with richer ACL and metadata
operations.

Changes from previous release:

    A new object type, duo (Wallet::Object::Duo), is now supported.  This
    creates an integration with the Duo Security cloud multifactor
    authentication service and allows retrieval of the integration key,
    secret key, and admin hostname.  Currently, only UNIX integration
    types are supported.  The Net::Duo Perl module is required to use this
    object type.  New configuration settings are required as well; see
    Wallet::Config for more information.  To enable this object type for
    an existing wallet database, use wallet-admin to register the new
    object.

    The owner and getacl commands now return the current name of the ACL
    instead of its numeric ID, matching the documentation of owner.

    The date passed to expires can now be any date format understood by
    Date::Parse, and Date::Parse (part of the TimeDate CPAN distribution)
    is now a required prerequisite for the wallet server.

    Fix wallet-rekey on keytabs containing multiple principals.  Previous
    versions assumed one could concatenate keytab files together to make a
    valid keytab file, which doesn't work with some Kerberos libraries.
    This caused new keys downloaded for principals after the first to be
    discarded.  As a side effect of this fix, wallet-rekey always appends
    new keys directly to the existing keytab file, and never creates a
    backup copy of that file.

    Fix the code to set enctype restrictions for keytab objects in the
    wallet server and populate the reference table for valid enctypes on
    initial database creation.

    Fix the Wallet::Config documentation for the ldap-attr verifier to
    reference an ldap_map_principal hook, not ldap_map_attribute, matching
    the implementation.

    When creating new principals in a Heimdal KDC, generate a long, random
    password as the temporary password of the disabled principal before
    randomizing keys.  This is necessary if password quality is being
    enforced on create calls.  Since the principal is always inactive
    until the keys have been randomized, the password should not need to
    be secure (and indeed is not cryptographically random).

    Previous versions had erroneous foreign key constraints between the
    object history table and the objects table.  Remove those constraints,
    and an incorrect linkage in the schema for the ACL history, and add
    indices for the object type, name, and ACL instead.

    Pass in DateTime objects for the date fields in the database instead
    of formatted time strings.  This provides better compatibility with
    different database engines.  Document in README the need to install
    the DateTime::Format::* module corresponding to the DBD::* module used
    for the server database.

    ACL renames are now recorded in the ACL history.

    Fix wallet-backend parsing of the expires command to expect only one
    argument as the expiration.  This was correctly documented in the
    wallet client man page, but not in wallet-backend, and it accepted two
    arguments (a date and time).  However, Wallet::Server did not and
    would just ignore the time.  Now wallet-backend correctly requires the
    date and time be passed as a single argument.

    Fix the ordering of table drops during a wallet-admin destroy action
    to remove tables with foreign key references before the tables they
    are referencing.  Should fix destroy in MySQL and other database
    engines that enforce referential integrity.

    The wallet server now requires Perl 5.8 or later (instead of 5.006 in
    previous versions) and is now built with Module::Build instead of
    ExtUtils::MakeMaker.  This should be transparent to anyone not working
    with the source code, since Perl 5.8 was released in 2002, but
    Module::Build is now required to build the wallet server.  It is
    included in some versions of Perl, or can be installed separately from
    CPAN, distribution packages, or other sources.

    Add a new contrib script, wallet-rekey-periodic, which is used at
    Stanford to periodically rekey hosts from cron.

    Update to rra-c-util 5.5:

    * Use Lancaster Consensus environment variables to control tests.
    * Use calloc or reallocarray for protection against integer overflows.
    * Suppress warnings from Kerberos headers in non-system paths.
    * Assume calloc initializes pointers to NULL.
    * Assume free(NULL) is properly ignored.
    * Improve error handling in xasprintf and xvasprintf.
    * Check the return status of snprintf and vsnprintf properly.
    * Preserve errno if snprintf fails in vasprintf replacement.

    Update to C TAP Harness 3.1:

    * Reopen standard input to /dev/null when running a test list.
    * Don't leak extraneous file descriptors to tests.
    * Suppress lazy plans and test summaries if the test failed with bail.
    * runtests now treats the command line as a list of tests by default.
    * The full test executable path can now be passed to runtests -o.
    * Improved harness output for tests with lazy plans.
    * Improved harness output to a terminal for some abort cases.
    * Flush harness output after each test even when not on a terminal.

You can download it from:

    <http://www.eyrie.org/~eagle/software/wallet/>

This package is maintained using Git; see the instructions on the above
page to access the Git repository.

Please let me know of any problems or feature requests not already listed
in the TODO file.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list