-rw-r--r-- | debian/changelog | 134
-rw-r--r-- | debian/compat | 1
-rw-r--r-- | debian/control | 58
-rw-r--r-- | debian/copyright | 209
-rw-r--r-- | debian/keytab-backend.dirs | 2
-rw-r--r-- | debian/keytab-backend.docs | 2
-rw-r--r-- | debian/keytab-backend.install | 6
-rwxr-xr-x | debian/rules | 18
-rw-r--r-- | debian/wallet-client.docs | 2
-rw-r--r-- | debian/wallet-client.install | 2
-rw-r--r-- | debian/wallet-server.dirs | 1
-rw-r--r-- | debian/wallet-server.docs | 8
-rw-r--r-- | debian/wallet-server.install | 12
-rw-r--r-- | debian/watch | 2
14 files changed, 457 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..1ffd746 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,134 @@ +wallet (0.10-1) unstable; urgency=low + + * New upstream release. + - Add support for Heimdal KDCs as well as MIT Kerberos KDCs. New + mandatory configuration setting KEYTAB_KRBTYPE which must be set to + either MIT or Heimdal. + - Remove kaserver synchronization support and kasetkey. + - wallet -S now generates a srvtab based on the DES key of the keytab + and does not enable synchronization. No synchronization targets are + supported now. + - The wallet client and wallet-backend server can now handle store of + files containing nuls provided that the server uses remctl 2.14 and + the remctl configuration is updated to use stdin=last. + - Correctly store data that begins with a dash. + - Do not log the data passed to store. + - New wallet-report script and multiple additional database reports. + - Report ACL names as well as numbers in object history. + * Update debhelper compatibility level to V7. + - Use debhelper rule minimization with overrides. + - Add ${misc:Depends} to dependencies. + * Clarify in long description that keytab-backend is only needed for MIT + Kerberos. + * Move wallet-server's dependency on krb5-user to Recommends, since it's + only needed for keytab support, and allow libheimdal-kadm5-perl as an + alternative. + * Recommend remctl-server 2.14 or later for improved store support. + * Add Homepage, Vcs-Git, and Vcs-Browser control fields. + * Add a watch file. + * Update standards version to 3.8.4 (no changes required). + + -- Russ Allbery <rra@debian.org> Sun, 21 Feb 2010 21:13:40 -0800 + +wallet (0.9-1) unstable; urgency=low + + * New upstream release. + - The wallet client now supports -f and stdin for store. + - kasetkey supports enable, disable, and examine. + - Stop setting Stanford-specific server defaults. + * The test suite no longer needs libio-string-perl. + * Use a separate stamp file for configure and install and use touch $@ + to create stamp files. 
+ * Update debhelper compatibility level to V5 (no changes required). + + -- Russ Allbery <rra@debian.org> Thu, 24 Apr 2008 16:09:19 -0700 + +wallet (0.8-1) unstable; urgency=low + + * New upstream version. + - Fix protocol mismatch between client and server. + - Add file object support to the wallet server. + - Correctly handle empty objects in the wallet client. + - Add -q flag to wallet-backend to suppress syslog logging. + - Add class registration to the wallet-admin utility. + - Updated design documentation. + + -- Russ Allbery <rra@debian.org> Wed, 13 Feb 2008 13:59:06 -0800 + +wallet (0.7-1) unstable; urgency=low + + * New upstream version. + - Add exists and autocreate wallet server interfaces. + - Implement autocreation on the client instead of the server. + - Make create once again an ADMIN-only function. + - Always generate the srvtab from the newly downloaded keys. + - Pass kadmin.local ktadd its options in the correct order. + - Check naming policy before checking default ACLs. + - Work around a bug in Net::Remctl with explicit undef arguments. + - Correctly enable syslog logging in wallet-backend. + - Fix the remctl configuration for keytab-backend. + * Create /var/lib/keytabs in the keytab-backend package. + + -- Russ Allbery <rra@debian.org> Fri, 08 Feb 2008 11:22:54 -0800 + +wallet (0.6-1) unstable; urgency=low + + * New upstream version. + - Safer handling of file creation with -f in the client. + - The client can get configuration from krb5.conf. + - Support get in the client without -f. + - Client support for merging keys into an existing keytab. + - New client -u option to obtain new Kerberos credentials. + - New wallet-admin command-line utility for the server. + - The server supports enforcing a local object naming policy. + - New wallet-report script (currently Stanford-specific). + * Change hard-coded wallet server to wallet.stanford.edu. + * Add --enable-reduced-depends to configure to eliminate unnecessary + shared library dependencies. 
+ + -- Russ Allbery <rra@debian.org> Mon, 28 Jan 2008 15:17:25 -0800 + +wallet (0.5-2) unstable; urgency=low + + * Hard-code lsdb-new.stanford.edu as the wallet server name for the time + being. + + -- Russ Allbery <rra@debian.org> Mon, 17 Dec 2007 21:17:08 -0800 + +wallet (0.5-1) unstable; urgency=low + + * New upstream release. + - Allow more valid arguments to wallet-backend. + - Load Perl modules for object types and ACL verifiers properly. + - Correctly implement clearing attribute values. + - Fix keytab principal validation to allow periods. + - When writing files from the client, remove old backup files. + - Check default creation ACLs before the ADMIN ACL. + + -- Russ Allbery <rra@debian.org> Thu, 06 Dec 2007 22:26:55 -0800 + +wallet (0.4-1) unstable; urgency=low + + * New upstream release. + - Globally cache ACL verifiers. + - Add the netdb-root ACL verifier, which requires root instances. + - Determine object and ACL scheme classes from the database. + - Coding style fixes and cleanup. + * Update debian/copyright using the information from LICENSE. + * Update standards version to 3.7.3 (no changes required). + + -- Russ Allbery <rra@debian.org> Wed, 05 Dec 2007 17:01:20 -0800 + +wallet (0.3-1) unstable; urgency=low + + * New upstream release. + * Initial packaging of all components of wallet. + + -- Russ Allbery <rra@debian.org> Fri, 30 Nov 2007 20:30:30 -0800 + +wallet (0.1-1) unstable; urgency=low + + * Initial release building only kasetkey. + + -- Russ Allbery <rra@debian.org> Thu, 8 Mar 2007 16:07:05 -0800 + diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..7f8f011 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +7 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..e015cbe --- /dev/null +++ b/debian/control 
@@ -0,0 +1,58 @@ +Source: wallet +Section: net +Priority: extra +Maintainer: Russ Allbery <rra@debian.org> +Build-Depends: debhelper (>= 7.0.50~), libdbi-perl, libdbd-sqlite3-perl, + libkrb5-dev, libremctl-dev, libtest-pod-perl, perl +Standards-Version: 3.8.4 +Homepage: http://www.eyrie.org/~eagle/software/wallet/ +Vcs-Git: git://git.eyrie.org/kerberos/wallet.git +Vcs-Browser: http://git.eyrie.org/?p=kerberos/wallet.git + +Package: keytab-backend +Architecture: all +Depends: ${misc:Depends}, ${perl:Depends}, krb5-admin-server, perl, + remctl-server +Description: Provide existing MIT Kerberos keytabs via remctl + keytab-backend is a service that runs under remctld and allows + authenticated clients to download Kerberos keytabs from an MIT Kerberos + KDC without changing the key stored in the Kerberos KDC. It must run on + the same host as the Kerberos KDC and uses kadmin.local to extract the + existing key. It applies additional ACLs to limit which keys may be + extracted in this way. This interface is not needed for Heimdal. + +Package: wallet-client +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Kerberos-authenticated secure data management client + The wallet is a system for managing secure data, authorization rules to + retrieve or change that data, and audit rules for documenting actions + taken on that data. Objects of various types may be stored in the + wallet or generated on request and retrieved by authorized users. The + wallet tracks ACLs, metadata, and trace information. It uses Kerberos + authentication. One of the object types it supports is Kerberos keytabs, + making it suitable as a user-accessible front-end to Kerberos kadmind + with richer ACL and metadata operations. + . + This package contains the wallet client, which talks to a remote wallet + server to store, download, and manage objects. 
+ +Package: wallet-server +Architecture: all +Depends: ${misc:Depends}, ${perl:Depends}, libdbi-perl, + libdbd-sqlite3-perl | libdbd-mysql-perl, remctl-server +Recommends: krb5-user | libheimdal-kadm5-perl, remctl-server (>= 2.14) +Suggests: libnet-remctl-perl +Description: Kerberos-authenticated secure data management server + The wallet is a system for managing secure data, authorization rules to + retrieve or change that data, and audit rules for documenting actions + taken on that data. Objects of various types may be stored in the + wallet or generated on request and retrieved by authorized users. The + wallet tracks ACLs, metadata, and trace information. It uses Kerberos + authentication. One of the object types it supports is Kerberos keytabs, + making it suitable as a user-accessible front-end to Kerberos kadmind + with richer ACL and metadata operations. + . + This package contains the wallet server, which runs under remctl, + maintains the database of object metadata and secure objects, and + responds to requests from the wallet client. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..853b70a --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,209 @@ +Packaged for Debian by Russ Allbery <rra@debian.org> 2007-03-08 + +It was downloaded from: + + <http://www.eyrie.org/~eagle/software/wallet/> + +Upstream author: + + Russ Allbery <rra@stanford.edu> + +Debian packaging copyright: + + Copyright 2006, 2007, 2008, 2010 Board of Trustees, Leland Stanford Jr. + University. + + All files and modifications related to Debian packaging are covered + under the same license terms as the rest of the package. + +The wallet package as a whole is: + + Copyright 2006, 2007, 2008 Board of Trustees, Leland Stanford Jr. + University. All rights reserved. + +and released under the following license: + + Permission to use, copy, modify, and distribute this software and its + documentation for any purpose and without fee is hereby granted, + provided that the above copyright notice appear in all copies and that + both that copyright notice and this permission notice appear in + supporting documentation, and that the name of Stanford University not + be used in advertising or publicity pertaining to distribution of the + software without specific, written prior permission. Stanford + University makes no representations about the suitability of this + software for any purpose. It is provided "as is" without express or + implied warranty. + + THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +All individual files with no other license statement are released under +this license. Some files have additional copyright dates from earlier +releases or may be owned by other copyright holders as noted in those +files. + +Collected copyright notices for the entire package: + + Copyright 1994, 1998, 1999, 2000, 2002, 2003, 2004, 2005, 2006, 2007, + 2008 Board of Trustees, Leland Stanford Jr. 
University + Copyright 2000, 2001, 2004, 2006, 2007, 2008 + Russ Allbery <rra@stanford.edu> + Copyright 2004, 2005, 2006, 2007 + by Internet Systems Consortium, Inc. ("ISC") + Copyright 1991, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, + 2002, 2003 by The Internet Software Consortium and Rich Salz + Copyright 1995 Patrick Powell + Copyright 1996, 1997 Brandon Long <blong@fiction.net> + Copyright 1998 Thomas Roessler <roessler@guug.de> + Copyright 1998 Michael Elkins <me@cs.hmc.edu> + Copyright 1998 Andrew Tridgell <tridge@samba.org> + Copyright 2000, 2005 Hrvoje Niksic <hniksic@xemacs.org> + Copyright 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, + 2002, 2003, 2004, 2005, 2006, 2007, 2008 + Free Software Foundation, Inc. + Copyright 1994 X Consortium + +The files tests/libtest.c, tests/libtest.h, tests/portable/snprintf-t.c, +tests/portable/strlcat-t.c, tests/portable/strlcpy-t.c, +tests/util/concat-t.c, tests/util/messages-t.c, tests/util/xmalloc-t, and +tests/util/xmalloc.c are released under the following copyright and +license: + + Copyright 2008 Board of Trustees, Leland Stanford Jr. University + Copyright (c) 2004, 2005, 2006, 2007 + by Internet Systems Consortium, Inc. ("ISC") + Copyright (c) 1991, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, + 2002, 2003 by The Internet Software Consortium and Rich Salz + + This code is derived from software contributed to the Internet Software + Consortium by Rich Salz. + + Permission to use, copy, modify, and distribute this software for any + purpose with or without fee is hereby granted, provided that the above + copyright notice and this permission notice appear in all copies. + + THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL ISC BE LIABLE FOR ANY + SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +The files portable/asprintf.c, portable/dummy.c, portable/macros.h, +portable/stdbool.h, portable/strlcat.c, portable/strlcpy.c, +portable/uio.h, and util/concat.c have been placed in the public domain by +their author. + +The file portable/snprintf.c is released under the following license: + + This code is based on code written by Patrick Powell (papowell@astart.com) + It may be used for any purpose as long as this notice remains intact + on all source code distributions + +The file tests/runtests.c is released under the following copyright and +license: + + Copyright 2000, 2001, 2004, 2006, 2007, 2008 + Russ Allbery <rra@stanford.edu> + + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +The files Makefile.in and aclocal.m4 are generated by GNU Automake and +released under the following copyright and license: + + Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, + 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. + This file is free software; the Free Software Foundation + gives unlimited permission to copy and/or distribute it, + with or without modifications, as long as this notice is preserved. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY, to the extent permitted by law; without + even the implied warranty of MERCHANTABILITY or FITNESS FOR A + PARTICULAR PURPOSE. + +The file configure is generated by GNU Autoconf and is released under the +following copyright and license: + + Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, + 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. + This configure script is free software; the Free Software Foundation + gives unlimited permission to copy, distribute and modify it. + +The files build-aux/compile, build-aux/depcomp, and build-aux/missing are +taken from GNU Automake and are released under the following copyright and +license: + + Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006 + Free Software Foundation, Inc. + + This program is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by the + Free Software Foundation; either version 2, or (at your option) any + later version. 
+ + This program is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + As a special exception to the GNU General Public License, if you + distribute this file as part of a program that contains a configuration + script generated by Autoconf, you may include it under the same + distribution terms that you use for the rest of that program. + +For the wallet distribution, the option described in the last paragraph +has been accepted and these files are distributed under the same terms as +the wallet package as a whole, as described at the top of this file. You +can find the GPL version 2 in /usr/share/common-licenses/GPL-2 on Debian +systems. + +The file build-aux/install-sh is released under the following copyright +and license: + + Copyright (C) 1994 X Consortium + + Permission is hereby granted, free of charge, to any person obtaining a + copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + + The above copyright notice and this permission notice shall be included + in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR + OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, + ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR + OTHER DEALINGS IN THE SOFTWARE. 
+ + Except as contained in this notice, the name of the X Consortium shall + not be used in advertising or otherwise to promote the sale, use or + other dealings in this Software without prior written authorization + from the X Consortium. + + FSF changes to this file are in the public domain. diff --git a/debian/keytab-backend.dirs b/debian/keytab-backend.dirs new file mode 100644 index 0000000..c601e1a --- /dev/null +++ b/debian/keytab-backend.dirs @@ -0,0 +1,2 @@ +/etc/remctl/acl +/var/lib/keytabs diff --git a/debian/keytab-backend.docs b/debian/keytab-backend.docs new file mode 100644 index 0000000..724e084 --- /dev/null +++ b/debian/keytab-backend.docs @@ -0,0 +1,2 @@ +README +TODO diff --git a/debian/keytab-backend.install b/debian/keytab-backend.install new file mode 100644 index 0000000..666b71c --- /dev/null +++ b/debian/keytab-backend.install @@ -0,0 +1,6 @@ +debian/tmp/etc/remctl/acl/keytab +debian/tmp/usr/sbin/keytab-backend +debian/tmp/usr/share/man/man8/keytab-backend.8 + +config/allow-extract etc/krb5kdc +config/keytab etc/remctl/conf.d diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..e920649 --- /dev/null +++ b/debian/rules @@ -0,0 +1,18 @@ +#!/usr/bin/make -f + +%: + dh $@ + +override_dh_auto_configure: + dh_auto_configure -- --enable-reduced-depends + +# We rebuild the perl directory Makefile to encode the correct installation +# paths, since otherwise it defaults to using the local site module path. +override_dh_auto_install: + cd perl && perl Makefile.PL INSTALLDIRS=vendor + dh_auto_install + install -d debian/tmp/etc/remctl/acl + install -m 0644 config/keytab.acl debian/tmp/etc/remctl/acl/keytab + +override_dh_installchangelogs: + dh_installchangelogs NEWS diff --git a/debian/wallet-client.docs b/debian/wallet-client.docs new file mode 100644 index 0000000..724e084 --- /dev/null +++ b/debian/wallet-client.docs @@ -0,0 +1,2 @@ +README +TODO 
diff --git a/debian/wallet-client.install b/debian/wallet-client.install new file mode 100644 index 0000000..ec2d8c7 --- /dev/null +++ b/debian/wallet-client.install @@ -0,0 +1,2 @@ +debian/tmp/usr/bin/wallet +debian/tmp/usr/share/man/man1/wallet.1 diff --git a/debian/wallet-server.dirs b/debian/wallet-server.dirs new file mode 100644 index 0000000..0e856f2 --- /dev/null +++ b/debian/wallet-server.dirs @@ -0,0 +1 @@ +/etc/wallet diff --git a/debian/wallet-server.docs b/debian/wallet-server.docs new file mode 100644 index 0000000..ceecb82 --- /dev/null +++ b/debian/wallet-server.docs @@ -0,0 +1,8 @@ +README +TODO +docs/design +docs/design-acl +docs/design-api +docs/netdb-role-api +docs/notes +docs/setup diff --git a/debian/wallet-server.install b/debian/wallet-server.install new file mode 100644 index 0000000..ca3e49d --- /dev/null +++ b/debian/wallet-server.install @@ -0,0 +1,12 @@ +debian/tmp/usr/sbin/wallet-admin +debian/tmp/usr/sbin/wallet-backend +debian/tmp/usr/sbin/wallet-report +debian/tmp/usr/share/man/man3/*.3pm +debian/tmp/usr/share/man/man8/wallet-admin.8 +debian/tmp/usr/share/man/man8/wallet-backend.8 +debian/tmp/usr/share/man/man8/wallet-report.8 +debian/tmp/usr/share/perl5 + +config/wallet etc/remctl/conf.d +contrib/wallet-summary usr/sbin +contrib/wallet-summary.8 usr/share/man/man8 diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..95945db --- /dev/null +++ b/debian/watch @@ -0,0 +1,2 @@ +version=3 +http://archives.eyrie.org/software/kerberos/wallet-(.*)\.tar\.gz |
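Review bot: in debian/changelog, the 0.10-1 entry lists "Do not log the data passed to store." as an ordinary upstream bullet at urgency=low, which implies that releases up to 0.9 logged the data handed to store. That is the item an administrator upgrading most needs to act on, so call it out separately, for example in a NEWS.Debian entry (none is among the 14 files added here), with advice to review and rotate existing wallet-backend logs. The same entry introduces the mandatory KEYTAB_KRBTYPE setting, which deserves the same kind of upgrade note because an existing configuration will be missing a required value.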
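Review bot: in debian/control, wallet-server has an unversioned remctl-server in Depends and a versioned "remctl-server (>= 2.14)" only in Recommends, so nothing forces the newer remctl even though the changelog says storing files containing nuls needs remctl 2.14 together with stdin=last in the remctl configuration. If the config/wallet fragment installed into etc/remctl/conf.d uses stdin=last, make the Depends versioned; if it does not, say in the long description or README.Debian that the administrator has to update the remctl configuration by hand to get that behaviour.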
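Review bot: debian/keytab-backend.dirs creates /var/lib/keytabs through dh_installdirs and nothing in debian/rules tightens its mode, so the directory ships with the default directory permissions. The control description says keytab-backend uses kadmin.local to extract existing keys; if this directory is where those keytabs are written, it should be restricted to root (mode 0700), for example with a chmod in an override_dh_fixperms target that runs after dh_fixperms. A short comment next to the "install -m 0644 config/keytab.acl" line stating that the ACL file is meant to be world-readable would also help the next reader.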
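Review bot: debian/watch fetches wallet-(.*)\.tar\.gz over plain http with no signature check, so uscan will accept whatever tarball that URL returns. For a package that handles keytabs and other secrets, verify the upstream release: if upstream publishes detached signatures, add an opts=pgpsigurlmangle rule and ship the upstream signing key with the packaging, and switch to an https URL if the archive host offers one. The same applies to the http Homepage and the unauthenticated git:// Vcs-Git field in debian/control.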