wallet (1.3-1) UNRELEASED; urgency=medium

  * New upstream release.
    - Initial experimental support for Active Directory as the KDC by
      setting KEYTAB_KRBTYPE to AD.
    - New nested ACL scheme to group other ACLs.
    - New external ACL scheme that runs an external command.
    - New variation on the ldap-attr ACL scheme, ldap-attr-root, that
      requires the principal end in /root and removes that part of the
      principal name when checking LDAP.
    - New password object type that generates a new, random password if
      no password was previously stored.
    - New update wallet command that always updates the contents of an
      object before returning it, even if it is marked unchanging. In
      the long term, the unchanging flag will be replaced by this
      distinction between get and update.
    - New acl replace wallet command that changes all objects owned by
      one ACL to be owned by a different ACL. This currently only
      handles owner, not the more specific ACLs.
    - All ACL operations now refer to the ACL by name instead of ID.
    - New report for unstored objects.
    - New report to list all object types and ACL schemes.
    - New report to list all ACLs that nest another ACL.
    - New report that dumps all object history.
    - Displays of ACLs and ACL entries are now sorted correctly.
  * Change the branch layout to follow DEP-14.
  * Run wrap-and-sort -ast on the package.

 -- Russ Allbery  Sun, 17 Jan 2016 19:40:54 -0800

wallet (1.2-1) unstable; urgency=medium

  * New upstream release.
    - New object types duo-radius, duo-ldap, and duo-rdp.
    - New rename command for file objects.
  * Add a gbp.conf file to reflect the branch layout and settings of the
    normal packaging repository.
  * Update standards version to 3.9.6 (no changes required).

 -- Russ Allbery  Mon, 08 Dec 2014 21:13:21 -0800

wallet (1.1-1) unstable; urgency=medium

  * New upstream release.
    - New object type, duo, which creates a UNIX integration with the
      Duo Security cloud multifactor authentication service.
    - The owner and getacl commands now return the name of the ACL.
    - The date passed to expires can be any date format understood by
      Date::Parse.
    - wallet-rekey now works properly with keytabs containing multiple
      principals and does not store new principals in a separate file
      first.
    - Fix setting enctype restrictions on keytab objects and populate
      the reference table for valid enctypes on database creation.
    - Fix Wallet::Config documentation of ldap_map_principal.
    - Generate a long, random password when creating new principals in
      the Heimdal KDC to avoid problems with password quality checks.
    - Remove erroneous foreign key constraints between the object
      history and objects table, an incorrect linkage in the ACL history
      table, and add indices for object type, name, and ACL.
    - Use DateTime objects uniformly in the database layer.
    - ACL renames are now recorded in the ACL history.
    - Fix wallet-backend parsing of the expires command to expect only
      one argument.
    - Fix ordering of table drops during wallet-admin destroy to honor
      foreign key reference constraints.
    - The initial ADMIN ACL creation is no longer documented in history.
  * Document in the wallet-server package description that a DBD::*
    module and corresponding DateTime::Format::* module are required.
    (There isn't a way to fully represent the required dependency.)
  * Rebuild Autoconf and Automake files during the build.
  * Define AUTOMATED_TESTING to enable some additional Perl tests.
  * Adjust debian/rules for the new Module::Build Perl build system.
  * Drop now-unneeded dh_builddeb override for xz compression.
  * Enable uscan verification of the GnuPG signatures on upstream
    releases in debian/watch.
  * Update standards version to 3.9.5 (no changes required).

 -- Russ Allbery  Wed, 16 Jul 2014 17:08:35 -0700

wallet (1.0-5) unstable; urgency=low

  * Cherry-pick upstream commit to randomize the password used for
    initial Kerberos principal creation when talking to a Heimdal KDC.

 -- Russ Allbery  Thu, 09 Jan 2014 14:05:19 -0800

wallet (1.0-4) unstable; urgency=low

  * Cherry-pick upstream commit to fix wallet-rekey when used with
    keytabs that contain multiple principals.
  * Cherry-pick upstream commit to fix the skipped test count for the
    ldap-attr verifier test.
  * Add libauthen-sasl-perl and libnet-ldap-perl to Build-Depends for
    the test suite.

 -- Russ Allbery  Mon, 06 Jan 2014 21:27:50 -0800

wallet (1.0-3) unstable; urgency=low

  * Cherry-pick upstream commits to fix ACL history entries with
    PostgreSQL, an incorrect foreign key constraint for the object
    history, and bugs in handling of enctype restrictions for keytabs.
  * Move the DateTime::Format::* Perl modules for various databases to
    Depends from Recommends and add the Pg and MySQL versions as
    alternatives.

 -- Russ Allbery  Tue, 05 Nov 2013 13:17:51 -0800

wallet (1.0-2) unstable; urgency=low

  * Cherry-pick upstream commits to fix the t/admin.t test with the
    squeeze version of DBIx::Class.

 -- Russ Allbery  Fri, 29 Mar 2013 13:58:42 -0700

wallet (1.0-1) unstable; urgency=low

  * New upstream release.
    - New wallet-admin upgrade command to upgrade the schema to the
      latest version. This should be run manually after upgrading the
      server.
    - Owners of wallet objects are now allowed to destroy them by
      default.
    - New ACL type ldap-attr to check whether the caller has an
      attribute in an LDAP directory (needs libauthen-sasl-perl and
      libnet-ldap-perl and only works with GSS-API binds).
    - New object type wa-keyring to store WebAuth keyrings (needs
      libwebauth-perl).
    - New acl check command that returns whether the named ACL exists.
    - New comments field for objects and wallet commands to set and
      retrieve it.
  * Switch to xz compression for the upstream and Debian tarballs and
    binary packages.
  * Update debhelper compatibility level to V9.
    - Enable all hardening build flags.
    - Enable parallel builds.
  * Check for any files left uninstalled by dh_install.
  * Tag all packages as Multi-Arch: foreign.
  * Move single-debian-patch to local-options and patch-header to
    local-patch-header so that they only apply to the packages I build
    and NMUs get regular version-numbered patches.
  * Convert debian/copyright to copyright-format 1.0.
  * Update standards version to 3.9.4.
    - Indicate the Debian packaging branch in the Vcs-Git header.

 -- Russ Allbery  Wed, 27 Mar 2013 20:06:21 -0700

wallet (0.12-1) unstable; urgency=low

  * New upstream release.
    - New wallet-rekey client program to rekey a keytab.
    - New ACL type krb5-regex for the server.
    - New objects unused wallet-report report.
    - New acls duplicate wallet-report report.
    - Add a help command to wallet-report.
  * Don't install wallet-summary in /usr/sbin in the wallet-server
    package and instead install it in
    /usr/share/doc/wallet-server/examples. This program is
    Stanford-specific and would require extensive changes for other
    sites.
  * Install the other contrib scripts except convert-srvtab-db to the
    examples directory for wallet-server.
  * Switch to 3.0 (quilt) source format. Force a single Debian patch and
    include a custom patch header explaining that it is a rollup of any
    fixes cherry-picked from upstream and breaking those patches out
    separately would be work for no gain.
  * Update standards version to 3.9.1 (no changes required).

 -- Russ Allbery  Wed, 25 Aug 2010 18:49:48 -0700

wallet (0.11-1) unstable; urgency=low

  * New upstream release.
    - Verify that deleted ACLs are not referenced.
    - Add Wallet::Config verify_acl_name function to check ACL names.
    - Add audit command to wallet-report to check for naming violations.
    - Add acl unused report to wallet-report.

 -- Russ Allbery  Mon, 08 Mar 2010 10:59:00 -0800

wallet (0.10-1) unstable; urgency=low

  * New upstream release.
    - Add support for Heimdal KDCs as well as MIT Kerberos KDCs. New
      mandatory configuration setting KEYTAB_KRBTYPE which must be set
      to either MIT or Heimdal.
    - Remove kaserver synchronization support and kasetkey.
    - wallet -S now generates a srvtab based on the DES key of the
      keytab and does not enable synchronization. No synchronization
      targets are supported now.
    - The wallet client and wallet-backend server can now handle store
      of files containing nuls provided that the server uses remctl 2.14
      and the remctl configuration is updated to use stdin=last.
    - Correctly store data that begins with a dash.
    - Do not log the data passed to store.
    - New wallet-report script and multiple additional database reports.
    - Report ACL names as well as numbers in object history.
  * Update debhelper compatibility level to V7.
    - Use debhelper rule minimization with overrides.
    - Add ${misc:Depends} to dependencies.
  * Clarify in long description that keytab-backend is only needed for
    MIT Kerberos.
  * Move wallet-server's dependency on krb5-user to Recommends, since
    it's only needed for keytab support, and allow
    libheimdal-kadm5-perl as an alternative.
  * Recommend remctl-server 2.14 or later for improved store support.
  * Add Homepage, Vcs-Git, and Vcs-Browser control fields.
  * Add a watch file.
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery  Sun, 21 Feb 2010 21:13:40 -0800

wallet (0.9-1) unstable; urgency=low

  * New upstream release.
    - The wallet client now supports -f and stdin for store.
    - kasetkey supports enable, disable, and examine.
    - Stop setting Stanford-specific server defaults.
  * The test suite no longer needs libio-string-perl.
  * Use a separate stamp file for configure and install and use touch $@
    to create stamp files.
  * Update debhelper compatibility level to V5 (no changes required).

 -- Russ Allbery  Thu, 24 Apr 2008 16:09:19 -0700

wallet (0.8-1) unstable; urgency=low

  * New upstream version.
    - Fix protocol mismatch between client and server.
    - Add file object support to the wallet server.
    - Correctly handle empty objects in the wallet client.
    - Add -q flag to wallet-backend to suppress syslog logging.
    - Add class registration to the wallet-admin utility.
    - Updated design documentation.

 -- Russ Allbery  Wed, 13 Feb 2008 13:59:06 -0800

wallet (0.7-1) unstable; urgency=low

  * New upstream version.
    - Add exists and autocreate wallet server interfaces.
    - Implement autocreation on the client instead of the server.
    - Make create once again an ADMIN-only function.
    - Always generate the srvtab from the newly downloaded keys.
    - Pass kadmin.local ktadd its options in the correct order.
    - Check naming policy before checking default ACLs.
    - Work around a bug in Net::Remctl with explicit undef arguments.
    - Correctly enable syslog logging in wallet-backend.
    - Fix the remctl configuration for keytab-backend.
  * Create /var/lib/keytabs in the keytab-backend package.

 -- Russ Allbery  Fri, 08 Feb 2008 11:22:54 -0800

wallet (0.6-1) unstable; urgency=low

  * New upstream version.
    - Safer handling of file creation with -f in the client.
    - The client can get configuration from krb5.conf.
    - Support get in the client without -f.
    - Client support for merging keys into an existing keytab.
    - New client -u option to obtain new Kerberos credentials.
    - New wallet-admin command-line utility for the server.
    - The server supports enforcing a local object naming policy.
    - New wallet-report script (currently Stanford-specific).
  * Change hard-coded wallet server to wallet.stanford.edu.
  * Add --enable-reduced-depends to configure to eliminate unnecessary
    shared library dependencies.

 -- Russ Allbery  Mon, 28 Jan 2008 15:17:25 -0800

wallet (0.5-2) unstable; urgency=low

  * Hard-code lsdb-new.stanford.edu as the wallet server name for the
    time being.

 -- Russ Allbery  Mon, 17 Dec 2007 21:17:08 -0800

wallet (0.5-1) unstable; urgency=low

  * New upstream release.
    - Allow more valid arguments to wallet-backend.
    - Load Perl modules for object types and ACL verifiers properly.
    - Correctly implement clearing attribute values.
    - Fix keytab principal validation to allow periods.
    - When writing files from the client, remove old backup files.
    - Check default creation ACLs before the ADMIN ACL.

 -- Russ Allbery  Thu, 06 Dec 2007 22:26:55 -0800

wallet (0.4-1) unstable; urgency=low

  * New upstream release.
    - Globally cache ACL verifiers.
    - Add the netdb-root ACL verifier, which requires root instances.
    - Determine object and ACL scheme classes from the database.
    - Coding style fixes and cleanup.
  * Update debian/copyright using the information from LICENSE.
  * Update standards version to 3.7.3 (no changes required).

 -- Russ Allbery  Wed, 05 Dec 2007 17:01:20 -0800

wallet (0.3-1) unstable; urgency=low

  * New upstream release.
  * Initial packaging of all components of wallet.

 -- Russ Allbery  Fri, 30 Nov 2007 20:30:30 -0800

wallet (0.1-1) unstable; urgency=low

  * Initial release building only kasetkey.

 -- Russ Allbery  Thu, 8 Mar 2007 16:07:05 -0800