| < wallet README | Russ Allbery > Software > wallet | wallet Setup > |
Substantial improvements to Active Directory support: Add a contrib/ad-keytab script that assists with initial setup and examining the Active Directory objects, rename some configuration variables to reflect that they are relative distinguished names, add a configuration variable for the base DN, make sure userPrincipalName is created for all keytabs and use it to search, allow creation of a service principal, and truncate and make unique long names in AD if necessary. This support should still be considered experimental.
When getting configuration values from krb5.conf, pass the default local realm into the Kerberos appdefault functions. This will produce more correct results with krb5.conf files that specify wallet configuration for multiple realms.
Remove stray references to strlcpy and strlcat that broke builds on platforms where those functions are part of libc. Thanks to Karl Kornel for the report.
Detect the path to Perl during configure, allowing an override by setting the PERL environment or configure variable, and use that path for all Perl scripts. This allows wallet to use a version of Perl at a non-standard path. Patches from Karl Kornel.
Rename the script to bootstrap from a Git checkout to bootstrap, matching the emerging consensus in the Autoconf world.
Add SPDX-License-Identifier headers to all substantial source files.
Update to rra-c-util 7.2:
Update to C TAP Harness 4.3:
All Duo object implementations have been merged into a single Perl module. Duo objects should continue to behave as before, but the database must be updated to map the object names to the correct Perl modules. Run perl/sql/wallet-1.3-update-duo.sql on your database to fix the Duo object type registrations if you were using Duo. Many more Duo object types are now supported and can be manually registered with wallet-admin register object.
This release adds initial, experimental support for using Active Directory as the KDC for keytab creation. The interface to Active Directory uses a combination of direct LDAP queries and the msktutil utility. This version does not support the wallet unchanging flag. Unchanging requires that a keytab be retrieved without changing the password/kvno which is not supported by msktutil. Active Directory can be selected by setting KEYTAB_KRBTYPE to AD in the wallet configuration. Multiple other configuration options must also be set; see Wallet::Config for more information and README for the additional Perl modules required. Thanks to Bill MacAllister for the implementation.
A new ACL type, nested (Wallet::ACL::Nested), is now supported. The identifier of this ACL names another ACL, and access is granted if that ACL would grant access. This lets one combine multiple other ACLs and apply the union to an object. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier.
A new ACL type, external (Wallet::ACL::External), is now supported. This ACL runs an external command to check if access is allowed, and passes the principal, type and name of the object, and the ACL identifier to that command. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier.
A new variation on the ldap-attr ACL type, ldap-attr-root (Wallet::ACL::LDAP::Attribute::Root), is now supported. This is similar to netdb-root (compared to netdb): the authenticated principal must end in /root, and the LDAP entry checked will be for the same principal without the /root component. This is useful for limiting access to certain privileged objects to Kerberos root instances. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier.
A new object type, password (Wallet::Object::Password), is now supported. This is a subclass of the file object that will randomly generate content for the object if you do a get before storing any content inside it. To enable this object type for an existing database, use wallet-admin to register the new object.
Add a new command to wallet-backend, update. This will update the contents of an object before running a get on it, and is only valid for objects that can automatically get new content, such as keytab and password objects. A keytab will get a new kvno regardless of the unchanging flag if called with update. In a future release get will be changed to never update a keytab, and the unchanging flag will be ignored. Please start moving to use get or update as the situation warrants.
Add an acl replace command, to change all objects owned by one ACL to be owned by another. This currently only handles owner, not any of the more specific ACLs.
All ACL operations now refer to the ACL by name rather than ID.
Add a report for unstored objects to wallet-report, and cleaned up the help for the existing unused report that implied it showed unstored as well as unused.
Add reports that list all object types (types) and all ACL schemes (schemes) currently registered in the wallet database.
Add a report of all ACLs that nest a given ACL. This requires some additional local configuration (and probably some code). See Wallet::Config for more information.
Took contributions from Commerzbank AG to improve wallet history. Add a command to dump all object history for searching on to wallet-report, and add a new script for more detailed object history operations to the contrib directory.
Displays of ACLs and ACL entries are now sorted correctly.
The versions of all of the wallet Perl modules now match the overall package version except for Wallet::Schema, which is used to version the database schema.
Update to rra-c-util 5.10:
Update to C TAP Harness 3.4:
The duo object type has been split into several sub-types, each for a specific type of Duo integration. The old type's functionality has been moved to duo-pam (Wallet::Object::Duo::PAM), and new types are supported for Duo's auth proxy configurations for LDAP and Radius, and their RDP configuration. These types are duo-radius, duo-ldap, and duo-rdp (Wallet::Object::Duo::RadiusProxy, Wallet::Object::Duo::LDAPProxy, and Wallet::Object::Duo::RDP). The old duo type still exists for compatability. To enable these object types for an existing wallet database, use wallet-admin to register the new object.
New rename command for file type objects. This will change the name of the object itself and move any stored data for the file to the correct location for the new name. Currently, rename is only supported for file objects, but may be supported by other backends in the future.
A new object type, duo (Wallet::Object::Duo), is now supported. This creates an integration with the Duo Security cloud multifactor authentication service and allows retrieval of the integration key, secret key, and admin hostname. Currently, only UNIX integration types are supported. The Net::Duo Perl module is required to use this object type. New configuration settings are required as well; see Wallet::Config for more information. To enable this object type for an existing wallet database, use wallet-admin to register the new object.
The owner and getacl commands now return the current name of the ACL instead of its numeric ID, matching the documentation of owner.
The date passed to expires can now be any date format understood by Date::Parse, and Date::Parse (part of the TimeDate CPAN distribution) is now a required prerequisite for the wallet server.
Fix wallet-rekey on keytabs containing multiple principals. Previous versions assumed one could concatenate keytab files together to make a valid keytab file, which doesn't work with some Kerberos libraries. This caused new keys downloaded for principals after the first to be discarded. As a side effect of this fix, wallet-rekey always appends new keys directly to the existing keytab file, and never creates a backup copy of that file.
Fix the code to set enctype restrictions for keytab objects in the wallet server and populate the reference table for valid enctypes on initial database creation.
Fix the Wallet::Config documentation for the ldap-attr verifier to reference an ldap_map_principal hook, not ldap_map_attribute, matching the implementation.
When creating new principals in a Heimdal KDC, generate a long, random password as the temporary password of the disabled principal before randomizing keys. This is necessary if password quality is being enforced on create calls. Since the principal is always inactive until the keys have been randomized, the password should not need to be secure (and indeed is not cryptographically random).
Previous versions had erroneous foreign key constraints between the object history table and the objects table. Remove those constraints, and an incorrect linkage in the schema for the ACL history, and add indices for the object type, name, and ACL instead.
Pass in DateTime objects for the date fields in the database instead of formatted time strings. This provides better compatibility with different database engines. Document in README the need to install the DateTime::Format::* module corresponding to the DBD::* module used for the server database.
ACL renames are now recorded in the ACL history.
Fix wallet-backend parsing of the expires command to expect only one argument as the expiration. This was correctly documented in the wallet client man page, but not in wallet-backend, and it accepted two arguments (a date and time). However, Wallet::Server did not and would just ignore the time. Now wallet-backend correctly requires the date and time be passed as a single argument.
Fix the ordering of table drops during a wallet-admin destroy action to remove tables with foreign key references before the tables they are referencing. Should fix destroy in MySQL and other database engines that enforce referential integrity.
The wallet server now requires Perl 5.8 or later (instead of 5.006 in previous versions) and is now built with Module::Build instead of ExtUtils::MakeMaker. This should be transparent to anyone not working with the source code, since Perl 5.8 was released in 2002, but Module::Build is now required to build the wallet server. It is included in some versions of Perl, or can be installed separately from CPAN, distribution packages, or other sources.
Add a new contrib script, wallet-rekey-periodic, which is used at Stanford to periodically rekey hosts from cron.
Update to rra-c-util 5.5:
Update to C TAP Harness 3.1:
Owners of wallet objects are now allowed to destroy them. In previous versions, a special destroy ACL had to be set and the owner ACL wasn't used for destroy actions, but operational experience at Stanford has shown that letting owners destroy their own objects is a better model.
wallet-admin has a new sub-command, upgrade, which upgrades the wallet database to the latest schema version. This command should be run when deploying any new version of the wallet server.
A new ACL type, ldap-attr (Wallet::ACL::LDAP::Attribute), is now supported. This ACL type grants access if the LDAP entry corresponding to the principal contains the attribute name and value specified in the ACL. The Net::LDAP and Authen::SASL Perl modules are required to use this ACL type. New configuration settings are required as well; see Wallet::Config for more information. To enable this ACL type for an existing wallet database, use wallet-admin to register the new verifier.
A new object type, wa-keyring (Wallet::Object::WAKeyring), is now supported. This stores a WebAuth keyring and handles both key rotation and garbage collection of old keys on retrieval of the keyring. The WebAuth Perl module is required to use this object type. To enable this object type for an existing wallet database, use wallet-admin to register the new object.
Add a new acl check command which, given an ACL ID, prints yes if that ACL already exists and no otherwise. This is parallel to the check command for objects.
Add a comment field to objects and corresponding commands to wallet-backend and wallet to set and retrieve it. The comment field can only be set by the owner or wallet administrators but can be seen by anyone on the show ACL.
The wallet server backend now uses DBIx::Class for the database layer, which means that DBIx::Class and SQL::Translator and all of their dependencies now have to be installed for the server to work. If the database in use is SQLite 3, DateTime::Format::SQLite should also be installed.
Add docs/objects-and-schemes, which provides a brief summary of the current supported object types and ACL schemes.
The Stanford wallet object and ACL naming policy is now available in code form as the Wallet::Policy::Stanford module, which is installed as part of the server. As-is, it is only useful for sites that want to adopt an identical naming policy (and will still require overriding some of the internal data, like group names), but it may provide a useful code example for others wanting to do something similar.
Update to rra-c-util 4.8:
Update to C TAP Harness 1.12:
New client program wallet-rekey that, given a list of keytabs on the command line, requests new keytab objects for each principal in the local realm and then merges the new objects into that keytab. The current implementation only acquires new keys and doesn't purge any old keys.
A new ACL type, krb5-regex, is now supported. This ACL type is the same as krb5 except that the identifier is interpreted as a Perl regular expression and matched against the authenticated identity attempting to run a wallet command. Patch from Ian Durkacz.
Add a objects unused report to wallet-report and Wallet::Report, returning all objects that have never been downloaded (in other words, have never been the target of a get command).
Add an acls duplicate report to wallet-report and Wallet::Report, returning sets of ACLs that have exactly the same entries.
Add a help command to wallet-report, which returns a summary of all available commands.
Update to C TAP Harness 1.5:
Update to rra-c-util 2.6:
When deleting an ACL on the server, verify that the ACL is not referenced by any object first. Database referential integrity should also catch this, but not all database backends may enforce referential integrity. This also allows us to return a better error message naming an object that's still using that ACL.
Wallet::Config now supports an additional local function, verify_acl_name, which can be used to enforce ACL naming policies. If set, it is called for any ACL creation or rename and can reject the new ACL name.
Add an audit command to wallet-report and two audits: acls name, which returns all ACLs that do not pass the local naming policy, and objects name, which does the same for objects. The corresponding Wallet::Report method is audit().
Add the acls unused report to wallet-report and Wallet::Report, returning all ACLs not referenced by any database objects.
Wallet::Config::verify_name may now be called with an undefined third argument (normally the user attempting to create an object). This calling convention is used when auditing, and the local policy function should select the correct policy to apply for useful audit results.
Fix portability to older Kerberos libraries without
krb5_free_error_message.
Add support for Heimdal KDCs as well as MIT Kerberos KDCs. There is now a mandatory new setting in Wallet::Config: $KEYTAB_KRBTYPE. It should be set to either "MIT" or "Heimdal" depending on the Kerberos KDC implementation used. The Heimdal support requires the Heimdal::Kadm5 Perl module.
Remove kaserver synchronization support. It is no longer tested, and retaining the code was increasing the complexity of wallet, and some specific requirements (such as different realm names between kaserver and Kerberos v5 and the kvno handling) were Stanford-specific. Rather than using this support, AFS sites running kaserver will probably find deploying Heimdal with its internal kaserver compatibility is probably an easier transition approach.
Remove the kasetkey client for setting keys in an AFS kaserver.
The wallet client no longer enables kaserver synchronization when a srvtab is requested with -S. Instead, it just extracts the DES key from the keytab and writes it to a srvtab. It no longer forces the kvno of the srvtab to 0 (a Stanford-specific action) and instead preserves the kvno from the key in the keytab. This should now do the right thing for sites that use a KDC that serves both Kerberos v4 and Kerberos v5 from the same database.
The wallet client can now store data containing nul characters and wallet-backend will accept it if passed on standard input instead of as a command-line argument. See config/wallet for the new required remctld configuration. Storing data containing nul characters requires remctl 2.14 or later.
Correctly handle storing of data that begins with a dash and don't parse it as an argument to wallet-backend.
Fix logging in wallet-backend and the remctl configuration to not log the data passed to store.
Move all reporting from Wallet::Admin to Wallet::Report and simplify the method names since they're now part of a dedicated reporting class. Similarly, create a new wallet-report script to wrap Wallet::Report, moving all reporting commands to it from wallet-admin, and simplify the commands since they're for a dedicated reporting script.
Add additional reports for wallet-report: objects owned by a specific ACL, objects owned by no one, objects of a specific type, objects with a specific flag, objects for which a specific ACL has privileges, ACLs with an entry with a given type and identifier, and ACLs with no members.
Add a new owners command to wallet-report and corresponding owners() method to Wallet::Report, which returns all ACL lines on owner ACLs for matching objects.
Report ACL names as well as numbers in object history.
The wallet client now uses a temporary disk ticket cache when obtaining tickets with the -u option rather than an in-memory cache, allowing for a libremctl built against a different Kerberos implementation than the wallet client. This primarily helps with testing.
Update to rra-c-util 2.3:
Update to C TAP Harness 1.1:
The wallet command-line client now reads the data for store from a file (using -f) or from standard input (if -f wasn't given) when the data isn't specified on the command line. The data still must not contain nul characters.
Add support for enabling and disabling principals (clearing or setting the NOTGS flag) and examining principals to kasetkey. This functionality isn't used by wallet (and probably won't be) but is convenient for other users of kasetkey such as kadmin-remctl.
Report the correct error message when addprinc fails while creating a keytab object.
The configure option requesting AFS kaserver support (and thus building kasetkey) is now --with-kaserver instead of --with-afs.
If KRB5_CONFIG was explicitly set in the environment, don't use a different krb5-config based on --with-krb4 or --with-krb5. If krb5-config isn't executable, don't use it. This allows one to force library probing by setting KRB5_CONFIG to point to a nonexistent file.
Sanity-check the results of krb5-config before proceeding and error out in configure if they don't work.
Fix Autoconf syntax error when probing for libkrb5support. Thanks, Mike Garrison.
wallet can now be built in a different directory than the source directory.
Stop setting Stanford-specific compile-time defaults for the wallet server and port.
Perl 5.8 is required to run the test suite, but IO::String is not.
Include Stanford's wallet.conf as an example (examples/stanford.conf).
Fix the wallet client to use check instead of exists.
Add file object support to the wallet server.
Correctly handle get of an empty object in the wallet client. The empty string is valid object content.
Wallet::Config and hence the wallet server now checks for the environment variable WALLET_CONFIG and loads configuration from the file specified there instead of /etc/wallet/wallet.conf if it is set.
wallet-backend now supports a -q flag, which disables syslog logging.
wallet-admin now supports registering new object or ACL verifier implementations in the database.
Remove the restriction that all object implementations must have class names of Wallet::Object::* and all ACL verifier implementations must have class names of Wallet::ACL::*.
Add a full end-to-end test suite to catch protocol mismatches between the client and server, such as the one fixed in this release.
Update the design documentation to reflect the current protocol and implementation.
Add new exists and autocreate wallet server interfaces. The first states whether a given object exists and the second attempts to create the object using the default owner rules. Remove default owner handling from the create interface, which is now for administrators only. Remove server-side auto-creation of objects on get or store and instead have the client check for object existence and call autocreate if necessary. This removes confusion between default ACLs and administrative object creation for users who are also on the ADMIN ACL.
When creating a srvtab based on a just-downloaded keytab, extract the srvtab key before merging the keytab into an existing file. Otherwise, if the new keys had a lower kvno than the old keys (possible after deleting and recreating the object), the wrong key would be extracted for the srvtab.
keytab-backend now passes kadmin.local ktadd its options in a specific order to satisfy the picky option parser.
Check naming policy on wallet object creation before checking the default ACLs to avoid creating and stranding an ACL when the naming policy check fails.
The current version of Net::Remctl can't handle explicit undef or the empty string as a principal argument. Be careful not to provide a principal argument if no principal was set. This workaround can be removed once we depend on a later version of Net::Remctl.
Correctly enable syslog logging in wallet-backend.
Fix the example remctl configuration for keytab-backend to use the correct script name.
SECURITY: If -f is used and the output file name with ".new" appended already exists, unlink it first and then create it safely rather than truncating it. This is much safer when creating files in a world-writable directory.
The wallet client can now get the server, port, principal, and remctl type from krb5.conf as well as from compile-time defaults and command-line options.
When getting a keytab with the client with no -f option, correctly write the keytab to standard output rather than dying with a cryptic error.
When downloading a keytab to a file that already exists, merge the new keytab keys into that file rather than moving aside the old keytab and creating a new keytab with only the new keys.
The wallet client now supports a -u option, saying to obtain Kerberos credentials for the given user and use those for authentication rather than using an existing ticket cache.
Add a wallet-admin program which can initialize and destroy the database and list all objects and ACLs in the database.
Support enforcing a naming policy for wallet objects via a Perl function in the wallet server configuration file.
The build system now probes for GSS-API, Kerberos v5 and v4, and AFS libraries as necessary rather than hard-coding libraries. Building on systems without strong shared library dependencies and building against static libraries should now work.
Building kasetkey (for AFS kaserver synchronization) is now optional and not enabled by default. Pass --with-afs to configure to enable it. This allows wallet to be easily built in an environment without AFS.
Add a sample script (contrib/wallet-report) showing one way of reporting on the contents of the wallet database. This will eventually become more general.
Allow the empty string in wallet-backend arguments.
Allow @ in wallet-backend arguments so that principal names can be passed in.
Load the Perl modules for ACL verifiers and object types dynamically now that we're reading the class from the database.
Correctly implement the documented intention that setting an attribute to the empty string clears the attribute values.
Fix the keytab principal validation regex to allow instances containing periods. Otherwise, it's hard to manage host keytabs. Add a missing test suite for that method.
When writing to a file in the wallet client program, remove an old backup file before creating a new backup and don't fail if the backup already exists.
Check a default creation ACL first before the ADMIN ACL when deciding whether we can auto-create a non-existent ACL, since creating one with the ADMIN ACL doesn't create a useful object.
Maintain a global cache of ACL verifiers in Wallet::ACL and reuse them over the life of the process if we see another ACL line from the same scheme, rather than only reusing ACL verifiers within a single ACL.
Add a subclass of the NetDB ACL verifier that requires the principal have an instance of "root" and strips that instance before checking NetDB roles.
Determine the class for object and ACL schema implementations from the database rather than a hard-coded list and provide Wallet::Schema methods for adding new class mappings.
Add a missing class mapping for the netdb ACL schema verifier.
Various coding style fixes and cleanup based on a much-appreciated code audit by Simon Cozens. I didn't take all of his advise, and he shouldn't be blamed for any remaining issues.
MySQL is now a supported database backend and the full test suite passes with MySQL.
Add support for running a user-defined function whenever an object is created by a non-ADMIN user and using the default owner ACL returned by that function provided that the calling user is authorized by that ACL. This permits dynamic creation of new objects based on a default owner ACL programmatically determined from the name of the object.
Attempt to create the object with a default owner on get and store when the object doesn't exist.
Add support for displaying the history of objects and ACLs.
Add an ACL verifier that checks access against NetDB roles using the NetDB remctl interface.
The wallet backend script now logs all commands and errors to syslog.
The keytab backend now supports limiting generated keytabs to particular enctypes by setting an attribute on the object.
Expiration dates are now expressed in YYYY-MM-DD HH:MM:SS instead of seconds since epoch and returned the same way. Timestamps are now stored in the database as correct date and time types rather than seconds since epoch to work properly with MySQL.
The wallet backend test suite now supports using a database other than SQLite for testing.
First public alpha release. Only tested with SQLite 3, no history support, no object list support, and only keytab object and krb5 ACL support.
Internal release containing only kasetkey, a stub client, and design documentation.
| < wallet README | Russ Allbery > Software > wallet | wallet Setup > |