author Russ Allbery <eagle@eyrie.org> 2014-07-11 17:19:59 -0700
committer Russ Allbery <rra@stanford.edu> 2014-07-11 19:02:12 -0700
commit 26927d5b7bda7d2892e460fdb2867b6bcd55c8ad
tree 230669b93790088234603f28ae9df9647b2e15c0 /README
parent a5850ddb86a0f596b2bdc0c0b432ea8f1ecb981c
Add new object type for Duo integrations
A new object type, duo (Wallet::Object::Duo), is now supported. This creates an integration with the Duo Security cloud multifactor authentication service and allows retrieval of the integration key, secret key, and admin hostname. Currently, only UNIX integration types are supported.

The Net::Duo Perl module is required to use this object type. New configuration settings are required as well; see Wallet::Config for more information. To enable this object type for an existing wallet database, use wallet-admin to register the new object.

Change-Id: I2c0dac75e81f526b34d6b509c4bdaecb43dd4a9d
Reviewed-on: https://gerrit.stanford.edu/1516
Reviewed-by: Russ Allbery <rra@stanford.edu>
Tested-by: Russ Allbery <rra@stanford.edu>
Diffstat (limited to 'README')
-rw-r--r-- README 32
1 files changed, 18 insertions, 14 deletions
diff --git a/README b/README
index 6781ff8..85a6299 100644
--- a/README
+++ b/README
@@ -3,10 +3,10 @@
Written by Russ Allbery <eagle@eyrie.org>
- Copyright 2006, 2007, 2008, 2009, 2010, 2012, 2013 The Board of Trustees
- of the Leland Stanford Junior University. This software is distributed
- under a BSD-style license. Please see the section LICENSE below for
- more information.
+ Copyright 2006, 2007, 2008, 2009, 2010, 2012, 2013, 2014 The Board of
+ Trustees of the Leland Stanford Junior University. This software is
+ distributed under a BSD-style license. Please see the section LICENSE
+ below for more information.
BLURB
@@ -43,15 +43,16 @@ DESCRIPTION
regexes matching Kerberos principal names, and LDAP attribute checks.
Currently, the object types supported are simple files, Kerberos
- keytabs, and WebAuth keyrings. By default, whenever a Kerberos keytab
- object is retrieved from the wallet, the key is changed in the Kerberos
- KDC and the wallet returns a keytab for the new key. However, a keytab
- object can also be configured to preserve the existing keys when
- retrieved. Included in the wallet distribution is a script that can be
- run via remctl on an MIT Kerberos KDC to extract the existing key for a
- principal, and the wallet system will use that interface to retrieve the
- current key if the unchanging flag is set on a Kerberos keytab object
- for MIT Kerberos. (Heimdal doesn't require any special support.)
+ keytabs, WebAuth keyrings, and Duo integrations. By default, whenever a
+ Kerberos keytab object is retrieved from the wallet, the key is changed
+ in the Kerberos KDC and the wallet returns a keytab for the new key.
+ However, a keytab object can also be configured to preserve the existing
+ keys when retrieved. Included in the wallet distribution is a script
+ that can be run via remctl on an MIT Kerberos KDC to extract the
+ existing key for a principal, and the wallet system will use that
+ interface to retrieve the current key if the unchanging flag is set on a
+ Kerberos keytab object for MIT Kerberos. (Heimdal doesn't require any
+ special support.)
REQUIREMENTS
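Review bot: In the DESCRIPTION paragraph, "Duo integrations" is added to the list of supported object types, but every sentence after it is still about keytab retrieval, so the README never says what getting a duo object returns. The commit message states that it yields the integration key, secret key, and admin hostname and that only UNIX integration types are supported; consider adding one sentence with that information here. Since the paragraph spells out for keytabs whether retrieval changes the key, it would also help to say whether the Duo secret key is the same on every retrieval.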
@@ -104,6 +105,9 @@ REQUIREMENTS
The WebAuth keyring object support in the wallet server requires the
WebAuth Perl module from WebAuth 4.4.0 or later.
+ The Duo integration object support in the wallet server requires the
+ Net::Duo Perl module.
+
To support the LDAP attribute ACL verifier, the Authen::SASL and
Net::LDAP Perl modules must be installed on the server. This verifier
only works with LDAP servers that support GSS-API binds.
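Review bot: The new REQUIREMENTS entry names Net::Duo with no minimum version, while the WebAuth entry directly above it specifies "WebAuth 4.4.0 or later"; if Wallet::Object::Duo depends on a particular Net::Duo release, state it here. The commit message also says new configuration settings are required (see Wallet::Config) and that an existing database needs the object registered with wallet-admin, and neither appears in the README lines shown; a short pointer next to this entry would keep an administrator from ending up with a partly configured object type that hands out Duo secret keys.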
@@ -323,7 +327,7 @@ LICENSE
The wallet distribution as a whole is covered by the following copyright
statement and license:
- Copyright 2006, 2007, 2008, 2009, 2010, 2012, 2013
+ Copyright 2006, 2007, 2008, 2009, 2010, 2012, 2013, 2014
The Board of Trustees of the Leland Stanford Junior University
Permission is hereby granted, free of charge, to any person obtaining