wallet (1.1-1) unstable; urgency=medium

  * New upstream release.
    - New object type, duo, which creates a UNIX integration with the Duo
      Security cloud multifactor authentication service.
    - The owner and getacl commands now return the name of the ACL.
    - The date passed to expires can be any date format understood by
      Date::Parse.
    - wallet-rekey now works properly with keytabs containing multiple
      principals and does not store new principals in a separate file
      first.
    - Fix setting enctype restrictions on keytab objects and populate the
      reference table for valid enctypes on database creation.
    - Fix Wallet::Config documentation of ldap_map_principal.
    - Generate a long, random password when creating new principals in
      the Heimdal KDC to avoid problems with password quality checks.
    - Remove erroneous foreign key constraints between the object history
      and objects table, an incorrect linkage in the ACL history table,
      and add indices for object type, name, and ACL.
    - Use DateTime objects uniformly in the database layer.
    - ACL renames are now recorded in the ACL history.
    - Fix wallet-backend parsing of the expires command to expect only
      one argument.
    - Fix ordering of table drops during wallet-admin destroy to honor
      foreign key reference constraints.
    - The initial ADMIN ACL creation is no longer documented in history.
  * Document in the wallet-server package description that a DBD::*
    module and corresponding DateTime::Format::* module are required.
    (There isn't a way to fully represent the required dependency.)
  * Rebuild Autoconf and Automake files during the build.
  * Define AUTOMATED_TESTING to enable some additional Perl tests.
  * Adjust debian/rules for the new Module::Build Perl build system.
  * Drop now-unneeded dh_builddeb override for xz compression.
  * Enable uscan verification of the GnuPG signatures on upstream
    releases in debian/watch.
  * Update standards version to 3.9.5 (no changes required).

 -- Russ Allbery  Wed, 16 Jul 2014 17:08:35 -0700

wallet (1.0-5) unstable; urgency=low

  * Cherry-pick upstream commit to randomize the password used for
    initial Kerberos principal creation when talking to a Heimdal KDC.

 -- Russ Allbery  Thu, 09 Jan 2014 14:05:19 -0800

wallet (1.0-4) unstable; urgency=low

  * Cherry-pick upstream commit to fix wallet-rekey when used with
    keytabs that contain multiple principals.
  * Cherry-pick upstream commit to fix the skipped test count for the
    ldap-attr verifier test.
  * Add libauthen-sasl-perl and libnet-ldap-perl to Build-Depends for the
    test suite.

 -- Russ Allbery  Mon, 06 Jan 2014 21:27:50 -0800

wallet (1.0-3) unstable; urgency=low

  * Cherry-pick upstream commits to fix ACL history entries with
    PostgreSQL, an incorrect foreign key constraint for the object
    history, and bugs in handling of enctype restrictions for keytabs.
  * Move the DateTime::Format::* Perl modules for various databases to
    Depends from Recommends and add the Pg and MySQL versions as
    alternatives.

 -- Russ Allbery  Tue, 05 Nov 2013 13:17:51 -0800

wallet (1.0-2) unstable; urgency=low

  * Cherry-pick upstream commits to fix the t/admin.t test with the
    squeeze version of DBIx::Class.

 -- Russ Allbery  Fri, 29 Mar 2013 13:58:42 -0700

wallet (1.0-1) unstable; urgency=low

  * New upstream release.
    - New wallet-admin upgrade command to upgrade the schema to the
      latest version. This should be run manually after upgrading the
      server.
    - Owners of wallet objects are now allowed to destroy them by
      default.
    - New ACL type ldap-attr to check whether the caller has an attribute
      in an LDAP directory (needs libauthen-sasl-perl and
      libnet-ldap-perl and only works with GSS-API binds).
    - New object type wa-keyring to store WebAuth keyrings (needs
      libwebauth-perl).
    - New acl check command that returns whether the named ACL exists.
    - New comments field for objects and wallet commands to set and
      retrieve it.
  * Switch to xz compression for the upstream and Debian tarballs and
    binary packages.
  * Update debhelper compatibility level to V9.
    - Enable all hardening build flags.
    - Enable parallel builds.
  * Check for any files left uninstalled by dh_install.
  * Tag all packages as Multi-Arch: foreign.
  * Move single-debian-patch to local-options and patch-header to
    local-patch-header so that they only apply to the packages I build
    and NMUs get regular version-numbered patches.
  * Convert debian/copyright to copyright-format 1.0.
  * Update standards version to 3.9.4.
    - Indicate the Debian packaging branch in the Vcs-Git header.

 -- Russ Allbery  Wed, 27 Mar 2013 20:06:21 -0700

wallet (0.12-1) unstable; urgency=low

  * New upstream release.
    - New wallet-rekey client program to rekey a keytab.
    - New ACL type krb5-regex for the server.
    - New objects unused wallet-report report.
    - New acls duplicate wallet-report report.
    - Add a help command to wallet-report.
  * Don't install wallet-summary in /usr/sbin in the wallet-server
    package and instead install it in
    /usr/share/doc/wallet-server/examples. This program is
    Stanford-specific and would require extensive changes for other
    sites.
  * Install the other contrib scripts except convert-srvtab-db to the
    examples directory for wallet-server.
  * Switch to 3.0 (quilt) source format. Force a single Debian patch and
    include a custom patch header explaining that it is a rollup of any
    fixes cherry-picked from upstream and breaking those patches out
    separately would be work for no gain.
  * Update standards version to 3.9.1 (no changes required).

 -- Russ Allbery  Wed, 25 Aug 2010 18:49:48 -0700

wallet (0.11-1) unstable; urgency=low

  * New upstream release.
    - Verify that deleted ACLs are not referenced.
    - Add Wallet::Config verify_acl_name function to check ACL names.
    - Add audit command to wallet-report to check for naming violations.
    - Add acl unused report to wallet-report.

 -- Russ Allbery  Mon, 08 Mar 2010 10:59:00 -0800

wallet (0.10-1) unstable; urgency=low

  * New upstream release.
    - Add support for Heimdal KDCs as well as MIT Kerberos KDCs. New
      mandatory configuration setting KEYTAB_KRBTYPE which must be set to
      either MIT or Heimdal.
    - Remove kaserver synchronization support and kasetkey.
    - wallet -S now generates a srvtab based on the DES key of the keytab
      and does not enable synchronization. No synchronization targets
      are supported now.
    - The wallet client and wallet-backend server can now handle store of
      files containing nuls provided that the server uses remctl 2.14 and
      the remctl configuration is updated to use stdin=last.
    - Correctly store data that begins with a dash.
    - Do not log the data passed to store.
    - New wallet-report script and multiple additional database reports.
    - Report ACL names as well as numbers in object history.
  * Update debhelper compatibility level to V7.
    - Use debhelper rule minimization with overrides.
    - Add ${misc:Depends} to dependencies.
  * Clarify in long description that keytab-backend is only needed for
    MIT Kerberos.
  * Move wallet-server's dependency on krb5-user to Recommends, since
    it's only needed for keytab support, and allow
    libheimdal-kadm5-perl as an alternative.
  * Recommend remctl-server 2.14 or later for improved store support.
  * Add Homepage, Vcs-Git, and Vcs-Browser control fields.
  * Add a watch file.
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery  Sun, 21 Feb 2010 21:13:40 -0800

wallet (0.9-1) unstable; urgency=low

  * New upstream release.
    - The wallet client now supports -f and stdin for store.
    - kasetkey supports enable, disable, and examine.
    - Stop setting Stanford-specific server defaults.
  * The test suite no longer needs libio-string-perl.
  * Use a separate stamp file for configure and install and use touch $@
    to create stamp files.
  * Update debhelper compatibility level to V5 (no changes required).

 -- Russ Allbery  Thu, 24 Apr 2008 16:09:19 -0700

wallet (0.8-1) unstable; urgency=low

  * New upstream version.
    - Fix protocol mismatch between client and server.
    - Add file object support to the wallet server.
    - Correctly handle empty objects in the wallet client.
    - Add -q flag to wallet-backend to suppress syslog logging.
    - Add class registration to the wallet-admin utility.
    - Updated design documentation.

 -- Russ Allbery  Wed, 13 Feb 2008 13:59:06 -0800

wallet (0.7-1) unstable; urgency=low

  * New upstream version.
    - Add exists and autocreate wallet server interfaces.
    - Implement autocreation on the client instead of the server.
    - Make create once again an ADMIN-only function.
    - Always generate the srvtab from the newly downloaded keys.
    - Pass kadmin.local ktadd its options in the correct order.
    - Check naming policy before checking default ACLs.
    - Work around a bug in Net::Remctl with explicit undef arguments.
    - Correctly enable syslog logging in wallet-backend.
    - Fix the remctl configuration for keytab-backend.
  * Create /var/lib/keytabs in the keytab-backend package.

 -- Russ Allbery  Fri, 08 Feb 2008 11:22:54 -0800

wallet (0.6-1) unstable; urgency=low

  * New upstream version.
    - Safer handling of file creation with -f in the client.
    - The client can get configuration from krb5.conf.
    - Support get in the client without -f.
    - Client support for merging keys into an existing keytab.
    - New client -u option to obtain new Kerberos credentials.
    - New wallet-admin command-line utility for the server.
    - The server supports enforcing a local object naming policy.
    - New wallet-report script (currently Stanford-specific).
  * Change hard-coded wallet server to wallet.stanford.edu.
  * Add --enable-reduced-depends to configure to eliminate unnecessary
    shared library dependencies.

 -- Russ Allbery  Mon, 28 Jan 2008 15:17:25 -0800

wallet (0.5-2) unstable; urgency=low

  * Hard-code lsdb-new.stanford.edu as the wallet server name for the
    time being.

 -- Russ Allbery  Mon, 17 Dec 2007 21:17:08 -0800

wallet (0.5-1) unstable; urgency=low

  * New upstream release.
    - Allow more valid arguments to wallet-backend.
    - Load Perl modules for object types and ACL verifiers properly.
    - Correctly implement clearing attribute values.
    - Fix keytab principal validation to allow periods.
    - When writing files from the client, remove old backup files.
    - Check default creation ACLs before the ADMIN ACL.

 -- Russ Allbery  Thu, 06 Dec 2007 22:26:55 -0800

wallet (0.4-1) unstable; urgency=low

  * New upstream release.
    - Globally cache ACL verifiers.
    - Add the netdb-root ACL verifier, which requires root instances.
    - Determine object and ACL scheme classes from the database.
    - Coding style fixes and cleanup.
  * Update debian/copyright using the information from LICENSE.
  * Update standards version to 3.7.3 (no changes required).

 -- Russ Allbery  Wed, 05 Dec 2007 17:01:20 -0800

wallet (0.3-1) unstable; urgency=low

  * New upstream release.
  * Initial packaging of all components of wallet.

 -- Russ Allbery  Fri, 30 Nov 2007 20:30:30 -0800

wallet (0.1-1) unstable; urgency=low

  * Initial release building only kasetkey.

 -- Russ Allbery  Thu, 8 Mar 2007 16:07:05 -0800