Imported Upstream version 1.0

13 files changed, 146 insertions, 67 deletions

diff --git a/client/file.c b/client/file.c
index 861da6a..511c995 100644
--- a/client/file.c
+++ b/client/file.c
@@ -2,7 +2,8 @@
  * File handling for the wallet client.
  *
  * Written by Russ Allbery <rra@stanford.edu>
- * Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2007, 2008, 2010
+ *     The Board of Trustees of the Leland Stanford Junior University
  *
  * See LICENSE for licensing terms.
  */
@@ -15,7 +16,6 @@
 #include <sys/stat.h>
 
 #include <client/internal.h>
-#include <util/concat.h>
 #include <util/messages.h>
 #include <util/xmalloc.h>
 
@@ -82,8 +82,8 @@ write_file(const char *name, const void *data, size_t length)
 {
     char *temp, *backup;
 
-    temp = concat(name, ".new", (char *) 0);
-    backup = concat(name, ".bak", (char *) 0);
+    xasprintf(&temp, "%s.new", name);
+    xasprintf(&backup, "%s.bak", name);
     overwrite_file(temp, data, length);
     if (access(name, F_OK) == 0) {
         if (access(backup, F_OK) == 0)
diff --git a/client/internal.h b/client/internal.h
index c8e5802..24dd875 100644
--- a/client/internal.h
+++ b/client/internal.h
@@ -2,7 +2,8 @@
  * Internal support functions for the wallet client.
  *
  * Written by Russ Allbery <rra@stanford.edu>
- * Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2007, 2008, 2010
+ *     The Board of Trustees of the Leland Stanford Junior University
  *
  * See LICENSE for licensing terms.
  */
diff --git a/client/keytab.c b/client/keytab.c
index 9a7734e..d7106e1 100644
--- a/client/keytab.c
+++ b/client/keytab.c
@@ -2,7 +2,8 @@
  * Implementation of keytab handling for the wallet client.
  *
  * Written by Russ Allbery <rra@stanford.edu>
- * Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2007, 2008, 2010, 2013
+ *     The Board of Trustees of the Leland Stanford Junior University
  *
  * See LICENSE for licensing terms.
  */
@@ -14,7 +15,6 @@
 #include <remctl.h>
 
 #include <client/internal.h>
-#include <util/concat.h>
 #include <util/messages-krb5.h>
 #include <util/messages.h>
 #include <util/xmalloc.h>
@@ -106,7 +106,7 @@ merge_keytab(krb5_context ctx, const char *newfile, const char *file)
     krb5_error_code status;
 
     memset(&entry, 0, sizeof(entry));
-    oldfile = concat("WRFILE:", file, (char *) 0);
+    xasprintf(&oldfile, "WRFILE:%s", file);
     status = krb5_kt_resolve(ctx, oldfile, &old);
     if (status != 0)
         die_krb5(ctx, status, "cannot open keytab %s", file);
@@ -188,7 +188,7 @@ get_keytab(struct remctl *r, krb5_context ctx, const char *type,
         return 255;
     }
     if (access(file, F_OK) == 0) {
-        tempfile = concat(file, ".new", (char *) 0);
+        xasprintf(&tempfile, "%s.new", file);
         overwrite_file(tempfile, data, length);
         if (srvtab != NULL)
             write_srvtab(ctx, srvtab, name, tempfile);
@@ -224,7 +224,7 @@ rekey_keytab(struct remctl *r, krb5_context ctx, const char *type,
     bool error = false, rekeyed = false;
     struct principal_name *names, *current;
 
-    tempfile = concat(file, ".new", (char *) 0);
+    xasprintf(&tempfile, "%s.new", file);
     krb5_get_default_realm(ctx, &realm);
     names = keytab_principals(ctx, file, realm);
     for (current = names; current != NULL; current = current->next) {
@@ -252,12 +252,14 @@ rekey_keytab(struct remctl *r, krb5_context ctx, const char *type,
      * keys.  If there is an error, first make a backup of the current keytab
      * file as keytab.old.
      */
-    if (access(file, F_OK) != 0)
-        link(tempfile, file);
-    else {
+    if (access(file, F_OK) != 0) {
+        if (link(tempfile, file) < 0)
+            sysdie("rename of temporary keytab %s to %s failed", tempfile,
+                   file);
+    } else {
         if (error) {
             data = read_file(file, &length);
-            backupfile = concat(file, ".old", (char *) 0);
+            xasprintf(&backupfile, "%s.old", file);
             overwrite_file(backupfile, data, length);
             warn("partial failure to rekey keytab %s, old keytab left in %s",
                  file, backupfile);
diff --git a/client/krb5.c b/client/krb5.c
index aad39f6..dde37ed 100644
--- a/client/krb5.c
+++ b/client/krb5.c
@@ -6,7 +6,10 @@
  * client.
  *
  * Written by Russ Allbery <rra@stanford.edu>
- * Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2007, 2008, 2010
+ *     The Board of Trustees of the Leland Stanford Junior University
+ *
+ * See LICENSE for licensing terms.
  */
 
 #include <config.h>
diff --git a/client/options.c b/client/options.c
index 2f1de70..67ecb7f 100644
--- a/client/options.c
+++ b/client/options.c
@@ -6,7 +6,7 @@
  *
  * Written by Russ Allbery <rra@stanford.edu>
  * Copyright 2006, 2007, 2008, 2010
- *     Board of Trustees, Leland Stanford Jr. University
+ *     The Board of Trustees of the Leland Stanford Junior University
  *
  * See LICENSE for licensing terms.
  */
diff --git a/client/remctl.c b/client/remctl.c
index 5a541d5..071e410 100644
--- a/client/remctl.c
+++ b/client/remctl.c
@@ -2,7 +2,8 @@
  * remctl interface for the wallet client.
  *
  * Written by Russ Allbery <rra@stanford.edu>
- * Copyright 2007, 2010 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2007, 2010
+ *     The Board of Trustees of the Leland Stanford Junior University
  *
  * See LICENSE for licensing terms.
  */
diff --git a/client/srvtab.c b/client/srvtab.c
index b26e6fc..73277e9 100644
--- a/client/srvtab.c
+++ b/client/srvtab.c
@@ -2,7 +2,8 @@
  * Implementation of srvtab handling for the wallet client.
  *
  * Written by Russ Allbery <rra@stanford.edu>
- * Copyright 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2007, 2008, 2010
+ *     The Board of Trustees of the Leland Stanford Junior University
  *
  * See LICENSE for licensing terms.
  */
diff --git a/client/wallet-rekey.1 b/client/wallet-rekey.1
index 965a123..10bc7fa 100644
--- a/client/wallet-rekey.1
+++ b/client/wallet-rekey.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.14)
+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.26)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "WALLET-REKEY 1"
-.TH WALLET-REKEY 1 "2010-08-25" "0.12" "wallet"
+.TH WALLET-REKEY 1 "2013-03-27" "1.0" "wallet"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -257,6 +257,18 @@ implementation detail and the default (\f(CW\*(C`wallet\*(C'\fR) should be fine.
 sometimes be useful to use a different prefix for testing a different
 version of the wallet code on the server.  The \fB\-c\fR command-line option
 overrides this setting.
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Russ Allbery <rra@stanford.edu>
+.SH "COPYRIGHT AND LICENSE"
+.IX Header "COPYRIGHT AND LICENSE"
+Copyright 2010, 2013 The Board of Trustees of the Leland Stanford Junior
+University
+.PP
+Copying and distribution of this file, with or without modification, are
+permitted in any medium without royalty provided the copyright notice and
+this notice are preserved.  This file is offered as-is, without any
+warranty.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIkadmin\fR\|(8), \fIkinit\fR\|(1), \fIkrb5.conf\fR\|(5), \fIremctl\fR\|(1), \fIremctld\fR\|(8), \fIwallet\fR\|(1)
@@ -266,6 +278,3 @@ from <http://www.eyrie.org/~eagle/software/wallet/>.
 .PP
 \&\fBwallet-rekey\fR uses the remctl protocol.  For more information about
 remctl, see <http://www.eyrie.org/~eagle/software/remctl/>.
-.SH "AUTHOR"
-.IX Header "AUTHOR"
-Russ Allbery <rra@stanford.edu>
diff --git a/client/wallet-rekey.c b/client/wallet-rekey.c
index 3a9687c..5007f41 100644
--- a/client/wallet-rekey.c
+++ b/client/wallet-rekey.c
@@ -3,7 +3,8 @@
  *
  * Written by Russ Allbery <rra@stanford.edu>
  *        and Jon Robertson <jonrober@stanford.edu>
- * Copyright 2010 Board of Trustees, Leland Stanford Jr. University
+ * Copyright 2010
+ *     The Board of Trustees of the Leland Stanford Junior University
  *
  * See LICENSE for licensing terms.
  */
diff --git a/client/wallet-rekey.pod b/client/wallet-rekey.pod
index efe9a0b..47413ad 100644
--- a/client/wallet-rekey.pod
+++ b/client/wallet-rekey.pod
@@ -148,6 +148,20 @@ overrides this setting.
 
 =back
 
+=head1 AUTHOR
+
+Russ Allbery <rra@stanford.edu>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2010, 2013 The Board of Trustees of the Leland Stanford Junior
+University
+
+Copying and distribution of this file, with or without modification, are
+permitted in any medium without royalty provided the copyright notice and
+this notice are preserved.  This file is offered as-is, without any
+warranty.
+
 =head1 SEE ALSO
 
 kadmin(8), kinit(1), krb5.conf(5), remctl(1), remctld(8), wallet(1)
@@ -158,8 +172,4 @@ from L<http://www.eyrie.org/~eagle/software/wallet/>.
 B<wallet-rekey> uses the remctl protocol.  For more information about
 remctl, see L<http://www.eyrie.org/~eagle/software/remctl/>.
 
-=head1 AUTHOR
-
-Russ Allbery <rra@stanford.edu>
-
 =cut
diff --git a/client/wallet.1 b/client/wallet.1
index 0e02fe9..959105d 100644
--- a/client/wallet.1
+++ b/client/wallet.1
@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.14)
+.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.26)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -124,7 +124,7 @@
 .\" ========================================================================
 .\"
 .IX Title "WALLET 1"
-.TH WALLET 1 "2010-08-25" "0.12" "wallet"
+.TH WALLET 1 "2013-03-27" "1.0" "wallet"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -260,30 +260,37 @@ options and commands are ignored.
 .SH "COMMANDS"
 .IX Header "COMMANDS"
 As mentioned above, most commands are only available to wallet
-administrators.  The exceptions are \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`destroy\*(C'\fR,
-\&\f(CW\*(C`flag clear\*(C'\fR, \f(CW\*(C`flag set\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR, \f(CW\*(C`setattr\*(C'\fR, and \f(CW\*(C`history\*(C'\fR.  All
-of those commands have their own ACLs except \f(CW\*(C`getattr\*(C'\fR and \f(CW\*(C`history\*(C'\fR,
-which use the \f(CW\*(C`show\*(C'\fR \s-1ACL\s0, and \f(CW\*(C`setattr\*(C'\fR, which uses the \f(CW\*(C`store\*(C'\fR \s-1ACL\s0.
-If the appropriate \s-1ACL\s0 is set, it alone is checked to see if the user has
-access.  Otherwise, \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR, \f(CW\*(C`setattr\*(C'\fR, and
-\&\f(CW\*(C`history\*(C'\fR access is permitted if the user is authorized by the owner \s-1ACL\s0
-of the object.
+administrators.  The exceptions are \f(CW\*(C`acl check\*(C'\fR, \f(CW\*(C`check\*(C'\fR, \f(CW\*(C`get\*(C'\fR,
+\&\f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`destroy\*(C'\fR, \f(CW\*(C`flag clear\*(C'\fR, \f(CW\*(C`flag set\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR,
+\&\f(CW\*(C`setattr\*(C'\fR, and \f(CW\*(C`history\*(C'\fR.  \f(CW\*(C`acl check\*(C'\fR and \f(CW\*(C`check\*(C'\fR can be run by
+anyone.  All of the rest of those commands have their own ACLs except
+\&\f(CW\*(C`getattr\*(C'\fR and \f(CW\*(C`history\*(C'\fR, which use the \f(CW\*(C`show\*(C'\fR \s-1ACL\s0, \f(CW\*(C`setattr\*(C'\fR, which
+uses the \f(CW\*(C`store\*(C'\fR \s-1ACL\s0, and \f(CW\*(C`comment\*(C'\fR, which uses the owner or \f(CW\*(C`show\*(C'\fR \s-1ACL\s0
+depending on whether one is setting or retrieving the comment.  If the
+appropriate \s-1ACL\s0 is set, it alone is checked to see if the user has access.
+Otherwise, \f(CW\*(C`destroy\*(C'\fR, \f(CW\*(C`get\*(C'\fR, \f(CW\*(C`store\*(C'\fR, \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`getattr\*(C'\fR, \f(CW\*(C`setattr\*(C'\fR,
+\&\f(CW\*(C`history\*(C'\fR, and \f(CW\*(C`comment\*(C'\fR access is permitted if the user is authorized
+by the owner \s-1ACL\s0 of the object.
 .PP
 Administrators can run any command on any object or \s-1ACL\s0 except for \f(CW\*(C`get\*(C'\fR
-and \f(CW\*(C`store\*(C'\fR.  For \f(CW\*(C`get\*(C'\fR and \f(CW\*(C`show\*(C'\fR, they must still be authorized by
+and \f(CW\*(C`store\*(C'\fR.  For \f(CW\*(C`get\*(C'\fR and \f(CW\*(C`store\*(C'\fR, they must still be authorized by
 either the appropriate specific \s-1ACL\s0 or the owner \s-1ACL\s0.
 .PP
 If the locked flag is set on an object, no commands can be run on that
 object that change data except the \f(CW\*(C`flags\*(C'\fR commands, nor can the \f(CW\*(C`get\*(C'\fR
 command be used on that object.  \f(CW\*(C`show\*(C'\fR, \f(CW\*(C`history\*(C'\fR, \f(CW\*(C`getacl\*(C'\fR,
-\&\f(CW\*(C`getattr\*(C'\fR, and \f(CW\*(C`owner\*(C'\fR or \f(CW\*(C`expires\*(C'\fR without an argument can still be
-used on that object.
+\&\f(CW\*(C`getattr\*(C'\fR, and \f(CW\*(C`owner\*(C'\fR, \f(CW\*(C`expires\*(C'\fR, or \f(CW\*(C`comment\*(C'\fR without an argument
+can still be used on that object.
 .PP
 For more information on attributes, see \s-1ATTRIBUTES\s0.
 .IP "acl add <id> <scheme> <identifier>" 4
 .IX Item "acl add <id> <scheme> <identifier>"
-Adds an entry with <scheme> and <identifier> to the \s-1ACL\s0 <id>.  <id> may be
+Add an entry with <scheme> and <identifier> to the \s-1ACL\s0 <id>.  <id> may be
 either the name of an \s-1ACL\s0 or its numeric identifier.
+.IP "acl check <id>" 4
+.IX Item "acl check <id>"
+Check whether an \s-1ACL\s0 with the \s-1ID\s0 <id> already exists.  If it does, prints
+\&\f(CW\*(C`yes\*(C'\fR; if not, prints \f(CW\*(C`no\*(C'\fR.
 .IP "acl create <name>" 4
 .IX Item "acl create <name>"
 Create a new, empty \s-1ACL\s0 with name <name>.  When setting an \s-1ACL\s0 on an
@@ -335,6 +342,14 @@ already exist.
 .IX Item "check <type> <name>"
 Check whether an object of type <type> and name <name> already exists.  If
 it does, prints \f(CW\*(C`yes\*(C'\fR; if not, prints \f(CW\*(C`no\*(C'\fR.
+.IP "comment <type> <name> [<comment>]" 4
+.IX Item "comment <type> <name> [<comment>]"
+If <comment> is not given, displays the current comment for the object
+identified by <type> and <name>, or \f(CW\*(C`No comment set\*(C'\fR if none is set.
+.Sp
+If <comment> is given, sets the comment on the object identified by
+<type> and <name> to <comment>.  If <comment> is the empty string, clears
+the comment.
 .IP "create <type> <name>" 4
 .IX Item "create <type> <name>"
 Create a new object of type <type> with name <name>.  With some backends,
@@ -507,6 +522,18 @@ implementation detail and the default (\f(CW\*(C`wallet\*(C'\fR) should be fine.
 sometimes be useful to use a different prefix for testing a different
 version of the wallet code on the server.  The \fB\-c\fR command-line option
 overrides this setting.
+.SH "AUTHOR"
+.IX Header "AUTHOR"
+Russ Allbery <rra@stanford.edu>
+.SH "COPYRIGHT AND LICENSE"
+.IX Header "COPYRIGHT AND LICENSE"
+Copyright 2007, 2008, 2010, 2011, 2012, 2013 The Board of Trustees of the
+Leland Stanford Junior University
+.PP
+Copying and distribution of this file, with or without modification, are
+permitted in any medium without royalty provided the copyright notice and
+this notice are preserved.  This file is offered as-is, without any
+warranty.
 .SH "SEE ALSO"
 .IX Header "SEE ALSO"
 \&\fIkadmin\fR\|(8), \fIkinit\fR\|(1), \fIkrb5.conf\fR\|(5), \fIremctl\fR\|(1), \fIremctld\fR\|(8)
@@ -516,6 +543,3 @@ from <http://www.eyrie.org/~eagle/software/wallet/>.
 .PP
 \&\fBwallet\fR uses the remctl protocol.  For more information about remctl,
 see <http://www.eyrie.org/~eagle/software/remctl/>.
-.SH "AUTHOR"
-.IX Header "AUTHOR"
-Russ Allbery <rra@stanford.edu>
diff --git a/client/wallet.c b/client/wallet.c
index dc04dcd..c5a7877 100644
--- a/client/wallet.c
+++ b/client/wallet.c
@@ -3,7 +3,7 @@
  *
  * Written by Russ Allbery <rra@stanford.edu>
  * Copyright 2006, 2007, 2008, 2010
- *     Board of Trustees, Leland Stanford Jr. University
+ *     The Board of Trustees of the Leland Stanford Junior University
  *
  * See LICENSE for licensing terms.
  */
diff --git a/client/wallet.pod b/client/wallet.pod
index 45969b2..214a157 100644
--- a/client/wallet.pod
+++ b/client/wallet.pod
@@ -1,11 +1,11 @@
-=head1 NAME
-
-wallet - Client for retrieving secure data from a central server
-
 =for stopwords
 -hv srvtab arg keytabs metadata keytab ACL PTS kinit klist remctl PKINIT
 acl timestamp autocreate backend-specific setacl enctypes enctype ktadd
-KDC appdefaults remctld Allbery uuencode getacl backend ACL's
+KDC appdefaults remctld Allbery uuencode getacl backend ACL's DES
+
+=head1 NAME
+
+wallet - Client for retrieving secure data from a central server
 
 =head1 SYNOPSIS
 
@@ -151,24 +151,27 @@ options and commands are ignored.
 =head1 COMMANDS
 
 As mentioned above, most commands are only available to wallet
-administrators.  The exceptions are C<get>, C<store>, C<show>, C<destroy>,
-C<flag clear>, C<flag set>, C<getattr>, C<setattr>, and C<history>.  All
-of those commands have their own ACLs except C<getattr> and C<history>,
-which use the C<show> ACL, and C<setattr>, which uses the C<store> ACL.
-If the appropriate ACL is set, it alone is checked to see if the user has
-access.  Otherwise, C<get>, C<store>, C<show>, C<getattr>, C<setattr>, and
-C<history> access is permitted if the user is authorized by the owner ACL
-of the object.
+administrators.  The exceptions are C<acl check>, C<check>, C<get>,
+C<store>, C<show>, C<destroy>, C<flag clear>, C<flag set>, C<getattr>,
+C<setattr>, and C<history>.  C<acl check> and C<check> can be run by
+anyone.  All of the rest of those commands have their own ACLs except
+C<getattr> and C<history>, which use the C<show> ACL, C<setattr>, which
+uses the C<store> ACL, and C<comment>, which uses the owner or C<show> ACL
+depending on whether one is setting or retrieving the comment.  If the
+appropriate ACL is set, it alone is checked to see if the user has access.
+Otherwise, C<destroy>, C<get>, C<store>, C<show>, C<getattr>, C<setattr>,
+C<history>, and C<comment> access is permitted if the user is authorized
+by the owner ACL of the object.
 
 Administrators can run any command on any object or ACL except for C<get>
-and C<store>.  For C<get> and C<show>, they must still be authorized by
+and C<store>.  For C<get> and C<store>, they must still be authorized by
 either the appropriate specific ACL or the owner ACL.
 
 If the locked flag is set on an object, no commands can be run on that
 object that change data except the C<flags> commands, nor can the C<get>
 command be used on that object.  C<show>, C<history>, C<getacl>,
-C<getattr>, and C<owner> or C<expires> without an argument can still be
-used on that object.
+C<getattr>, and C<owner>, C<expires>, or C<comment> without an argument
+can still be used on that object.
 
 For more information on attributes, see L<ATTRIBUTES>.
 
@@ -176,9 +179,14 @@ For more information on attributes, see L<ATTRIBUTES>.
 
 =item acl add <id> <scheme> <identifier>
 
-Adds an entry with <scheme> and <identifier> to the ACL <id>.  <id> may be
+Add an entry with <scheme> and <identifier> to the ACL <id>.  <id> may be
 either the name of an ACL or its numeric identifier.
 
+=item acl check <id>
+
+Check whether an ACL with the ID <id> already exists.  If it does, prints
+C<yes>; if not, prints C<no>.
+
 =item acl create <name>
 
 Create a new, empty ACL with name <name>.  When setting an ACL on an
@@ -238,6 +246,15 @@ already exist.
 Check whether an object of type <type> and name <name> already exists.  If
 it does, prints C<yes>; if not, prints C<no>.
 
+=item comment <type> <name> [<comment>]
+
+If <comment> is not given, displays the current comment for the object
+identified by <type> and <name>, or C<No comment set> if none is set.
+
+If <comment> is given, sets the comment on the object identified by
+<type> and <name> to <comment>.  If <comment> is the empty string, clears
+the comment.
+
 =item create <type> <name>
 
 Create a new object of type <type> with name <name>.  With some backends,
@@ -440,6 +457,20 @@ overrides this setting.
 
 =back
 
+=head1 AUTHOR
+
+Russ Allbery <rra@stanford.edu>
+
+=head1 COPYRIGHT AND LICENSE
+
+Copyright 2007, 2008, 2010, 2011, 2012, 2013 The Board of Trustees of the
+Leland Stanford Junior University
+
+Copying and distribution of this file, with or without modification, are
+permitted in any medium without royalty provided the copyright notice and
+this notice are preserved.  This file is offered as-is, without any
+warranty.
+
 =head1 SEE ALSO
 
 kadmin(8), kinit(1), krb5.conf(5), remctl(1), remctld(8)
@@ -450,8 +481,4 @@ from L<http://www.eyrie.org/~eagle/software/wallet/>.
 B<wallet> uses the remctl protocol.  For more information about remctl,
 see L<http://www.eyrie.org/~eagle/software/remctl/>.
 
-=head1 AUTHOR
-
-Russ Allbery <rra@stanford.edu>
-
 =cut