krb5-wallet (1.7) unstable; urgency=medium

  * Only fix /etc/krb5kdc permissions when building arch-independent
    packages, since otherwise it doesn't exist. (Closes: #1084804)
  * Fix typo of overridden in manual pages, caught by Lintian.
  * Remove now-unused Lintian override for the source package.
  * Add myself to uploaders.

 -- Russ Allbery Mon, 11 Nov 2024 17:05:15 -0800

krb5-wallet (1.6) unstable; urgency=medium

  [ Bill MacAllister ]
  * Convert source to native Debian package.
  * Update ACL ldap-attr to accept an arbitrary LDAP filter and improve
    the performance of the ACL check by using a single LDAP search for
    the check.

  [ Russ Allbery ]
  * Fix the permissions on /etc/krb5kdc. (Closes: #1082430)
  * Add lintian override for the switch from a non-native package to a
    native package.

 -- Bill MacAllister Mon, 23 Sep 2024 20:50:47 -0700

krb5-wallet (1.5-1) unstable; urgency=medium

  [ Bill MacAllister ]
  * Upload to Debian. (Closes: #1070211)
  * Import new upstream version. This version has a limited set of
    patches developed at Dropbox. Most of the Dropbox patches will be
    included in a later version of krb5-wallet.
  * Update debhelper version dependency to 13.
  * Update Debian Policy version to 4.7.0.0. No changes required.

  [ Russ Allbery ]
  * Use a debhelper-compat dependency and drop debian/compat.
  * Drop dh_install override to add --fail-missing, now the default.
  * Remove Bugs control field now that the package is being uploaded to
    Debian proper.

 -- Bill MacAllister Sat, 06 Jul 2024 16:23:57 -0700

krb5-wallet (1.4-15) unstable; urgency=medium

  * Rename source package to krb5-wallet.

 -- Bill MacAllister Mon, 29 Apr 2024 19:46:35 +0000

wallet (1.4-14) unstable; urgency=medium

  * Disable deprecation warning for opensslv1. This is an emergency
    patch to support the opensslv1 warning for the default encryption
    message. This warning is affecting production systems negatively.
    To resolve this problem a method will be implemented that allows the
    transition to any encryption method supported by Crypt::CBC.

 -- Bill MacAllister Mon, 28 Aug 2023 23:35:39 -0700

wallet (1.4-13) unstable; urgency=medium

  * Expand the allow ldap-attr ACL specification to include a full ldap
    filter. At the same time remove the compare search and perform the
    access test in a single LDAP search.

 -- Bill MacAllister Fri, 18 Nov 2022 08:05:41 +0000

wallet (1.4-12) unstable; urgency=medium

  * Correct double encryption problem when transitioning to encrypted
    password storage.

 -- Bill MacAllister Thu, 23 Jun 2022 06:33:15 +0000

wallet (1.4-11) unstable; urgency=medium

  * Remove support for WebAuth keyrings.

 -- Bill MacAllister Sat, 18 Jun 2022 02:42:15 +0000

wallet (1.4-10) unstable; urgency=medium

  * Correct problem with transition of unencrypted file and password
    objects to encrypted objects.

 -- Bill MacAllister Sun, 12 Jun 2022 18:28:16 +0000

wallet (1.4-9) unstable; urgency=medium

  * Correct the default value used for the maximum of a "computer name"
    used when creating AD keytabs.

 -- Bill MacAllister Mon, 16 Aug 2021 18:17:30 +0000

wallet (1.4-8) unstable; urgency=medium

  * Updates to checkfile support.
    - The POD was updated with the original checkfile changes, but a
      new man page was not generated. This change updates the man page
      for the client.
    - When issuing a checkfile command against a password object that
      exists but has not been stored yet a warning message was being
      generated. This warning is confusing since the command succeeds
      since the password is generated and downloaded.

 -- Bill MacAllister Mon, 14 Dec 2020 19:39:40 +0000

wallet (1.4-7) unstable; urgency=medium

  * Add the checkfile command to the wallet client. checkfile uses md5
    checksums to determine if a file/password object has changed and
    performs a get only if the object has changed.

 -- Bill MacAllister Thu, 16 Jul 2020 16:55:34 +0000

wallet (1.4-6) unstable; urgency=medium

  * Rename the configuration variable LDAP_SECRET_PREFIX to
    ENCRYPTION_PREFIX.
  * Improve error messaging when attempting to retrieve the encryption
    secret from LDAP.
  * Trap the case when ENCRYPTION_PREFIX is specified and the required
    LDAP variables are not.

 -- Bill MacAllister Wed, 10 Jun 2020 23:16:34 +0000

wallet (1.4-5) unstable; urgency=medium

  * Add password generation options supporting generation of password
    using selected Crypt::HSXKPasswd presets or a custom routine.
  * Add encryption of password objects.
  * Add support for custom encryption methods.

 -- Bill MacAllister Sat, 23 May 2020 01:15:25 +0000

wallet (1.4-4) unstable; urgency=medium

  * Add support for encrypting file objects.
  * Update object class error reporting to make it more obvious when an
    object is not defined correctly in the wallet database.
  * Request the presence of the GSSAPI module if either LDAP ACL support
    or encrypted object support is enabled.

 -- Bill MacAllister Thu, 23 Apr 2020 22:25:13 +0000

wallet (1.4-3) unstable; urgency=medium

  * Allow the specification of valid characters to be used when
    generating passwords.
  * Add the command checksum to return the checksum of file objects.
  * Patches to allow the use of quilt.

 -- Bill MacAllister Mon, 30 Sep 2019 18:39:21 +0000

wallet (1.4-2) unstable; urgency=medium

  * Dropbox only release

 -- Bill MacAllister Sun, 06 Jan 2019 19:49:07 +0000

wallet (1.4-1) unstable; urgency=medium

  * New upstream release.
    - Substantial improvements to the Active Directory support. This
      includes several changes to configuration options and new
      behavior for principal naming and directory attributes. Review
      the upstream documentation if you are using the experimental
      Active Directory support.
    - Install new contrib/ad-keytab script as /usr/bin/ad-keytab.
    - Retrieve krb5.conf settings using the correct default realm.
  * Update debhelper compatibility level to V11.
    - Remove explicit autoreconf sequence configuration.
    - Remove now-unnecessary --parallel flags.
  * Update standards version to 4.1.4.
    - Use https URLs for Vcs-* fields in debian/control.
    - Use https URL for debian/copyright Format field.
    - Change Priority: extra to optional since extra has been retired.
  * Set Rules-Requires-Root: no.
  * Set C_TAP_VERBOSE for better test output.
  * Bump watch file version to 4 and use an https URL.
  * Add upstream-vcs-tag pattern to debian/gbp.conf.
  * Refresh upstream signing key.

 -- Russ Allbery Sun, 03 Jun 2018 18:18:26 -0700

wallet (1.3-1) unstable; urgency=medium

  * New upstream release.
    - Initial experimental support for Active Directory as the KDC by
      setting KEYTAB_KRBTYPE to AD.
    - New nested ACL scheme to group other ACLs.
    - New external ACL scheme that runs an external command.
    - New variation on the ldap-attr ACL scheme, ldap-attr-root, that
      requires the principal end in /root and removes that part of the
      principal name when checking LDAP.
    - New password object type that generates a new, random password if
      no password was previously stored.
    - New update wallet command that always updates the contents of an
      object before returning it, even if it is marked unchanging. In
      the long term, the unchanging flag will be replaced by this
      distinction between get and update.
    - New acl replace wallet command that changes all objects owned by
      one ACL to be owned by a different ACL. This currently only
      handles owner, not the more specific ACLs.
    - All ACL operations now refer to the ACL by name instead of ID.
    - New report for unstored objects.
    - New report to list all object types and ACL schemes.
    - New report to list all ACLs that nest another ACL.
    - New report that dumps all object history.
    - Displays of ACLs and ACL entries are now sorted correctly.
  * Add explicit build dependency on libmodule-build-perl, since it is
    no longer provided by the perl package.
  * Change the branch layout to follow DEP-14.
  * Run wrap-and-sort -ast on the package.
  * Remove explicit setting of xz as the Debian source package
    compression type. This is now the default.
  * Refresh upstream signing key.

 -- Russ Allbery Sun, 17 Jan 2016 20:25:41 -0800

wallet (1.2-1) unstable; urgency=medium

  * New upstream release.
    - New object types duo-radius, duo-ldap, and duo-rdp.
    - New rename command for file objects.
  * Add a gbp.conf file to reflect the branch layout and settings of
    the normal packaging repository.
  * Update standards version to 3.9.6 (no changes required).

 -- Russ Allbery Mon, 08 Dec 2014 21:13:21 -0800

wallet (1.1-1) unstable; urgency=medium

  * New upstream release.
    - New object type, duo, which creates a UNIX integration with the
      Duo Security cloud multifactor authentication service.
    - The owner and getacl commands now return the name of the ACL.
    - The date passed to expires can be any date format understood by
      Date::Parse.
    - wallet-rekey now works properly with keytabs containing multiple
      principals and does not store new principals in a separate file
      first.
    - Fix setting enctype restrictions on keytab objects and populate
      the reference table for valid enctypes on database creation.
    - Fix Wallet::Config documentation of ldap_map_principal.
    - Generate a long, random password when creating new principals in
      the Heimdal KDC to avoid problems with password quality checks.
    - Remove erroneous foreign key constraints between the object
      history and objects table, an incorrect linkage in the ACL
      history table, and add indices for object type, name, and ACL.
    - Use DateTime objects uniformly in the database layer.
    - ACL renames are now recorded in the ACL history.
    - Fix wallet-backend parsing of the expires command to expect only
      one argument.
    - Fix ordering of table drops during wallet-admin destroy to honor
      foreign key reference constraints.
    - The initial ADMIN ACL creation is no longer documented in
      history.
  * Document in the wallet-server package description that a DBD::*
    module and corresponding DateTime::Format::* module are required.
    (There isn't a way to fully represent the required dependency.)
  * Rebuild Autoconf and Automake files during the build.
  * Define AUTOMATED_TESTING to enable some additional Perl tests.
  * Adjust debian/rules for the new Module::Build Perl build system.
  * Drop now-unneeded dh_builddeb override for xz compression.
  * Enable uscan verification of the GnuPG signatures on upstream
    releases in debian/watch.
  * Update standards version to 3.9.5 (no changes required).

 -- Russ Allbery Wed, 16 Jul 2014 17:08:35 -0700

wallet (1.0-5) unstable; urgency=low

  * Cherry-pick upstream commit to randomize the password used for
    initial Kerberos principal creation when talking to a Heimdal KDC.

 -- Russ Allbery Thu, 09 Jan 2014 14:05:19 -0800

wallet (1.0-4) unstable; urgency=low

  * Cherry-pick upstream commit to fix wallet-rekey when used with
    keytabs that contain multiple principals.
  * Cherry-pick upstream commit to fix the skipped test count for the
    ldap-attr verifier test.
  * Add libauthen-sasl-perl and libnet-ldap-perl to Build-Depends for
    the test suite.

 -- Russ Allbery Mon, 06 Jan 2014 21:27:50 -0800

wallet (1.0-3) unstable; urgency=low

  * Cherry-pick upstream commits to fix ACL history entries with
    PostgreSQL, an incorrect foreign key constraint for the object
    history, and bugs in handling of enctype restrictions for keytabs.
  * Move the DateTime::Format::* Perl modules for various databases to
    Depends from Recommends and add the Pg and MySQL versions as
    alternatives.

 -- Russ Allbery Tue, 05 Nov 2013 13:17:51 -0800

wallet (1.0-2) unstable; urgency=low

  * Cherry-pick upstream commits to fix the t/admin.t test with the
    squeeze version of DBIx::Class.

 -- Russ Allbery Fri, 29 Mar 2013 13:58:42 -0700

wallet (1.0-1) unstable; urgency=low

  * New upstream release.
    - New wallet-admin upgrade command to upgrade the schema to the
      latest version.
      This should be run manually after upgrading the server.
    - Owners of wallet objects are now allowed to destroy them by
      default.
    - New ACL type ldap-attr to check whether the caller has an
      attribute in an LDAP directory (needs libauthen-sasl-perl and
      libnet-ldap-perl and only works with GSS-API binds).
    - New object type wa-keyring to store WebAuth keyrings (needs
      libwebauth-perl).
    - New acl check command that returns whether the named ACL exists.
    - New comments field for objects and wallet commands to set and
      retrieve it.
  * Switch to xz compression for the upstream and Debian tarballs and
    binary packages.
  * Update debhelper compatibility level to V9.
    - Enable all hardening build flags.
    - Enable parallel builds.
  * Check for any files left uninstalled by dh_install.
  * Tag all packages as Multi-Arch: foreign.
  * Move single-debian-patch to local-options and patch-header to
    local-patch-header so that they only apply to the packages I build
    and NMUs get regular version-numbered patches.
  * Convert debian/copyright to copyright-format 1.0.
  * Update standards version to 3.9.4.
    - Indicate the Debian packaging branch in the Vcs-Git header.

 -- Russ Allbery Wed, 27 Mar 2013 20:06:21 -0700

wallet (0.12-1) unstable; urgency=low

  * New upstream release.
    - New wallet-rekey client program to rekey a keytab.
    - New ACL type krb5-regex for the server.
    - New objects unused wallet-report report.
    - New acls duplicate wallet-report report.
    - Add a help command to wallet-report.
  * Don't install wallet-summary in /usr/sbin in the wallet-server
    package and instead install it in
    /usr/share/doc/wallet-server/examples. This program is
    Stanford-specific and would require extensive changes for other
    sites.
  * Install the other contrib scripts except convert-srvtab-db to the
    examples directory for wallet-server.
  * Switch to 3.0 (quilt) source format.
    Force a single Debian patch and include a custom patch header
    explaining that it is a rollup of any fixes cherry-picked from
    upstream and breaking those patches out separately would be work
    for no gain.
  * Update standards version to 3.9.1 (no changes required).

 -- Russ Allbery Wed, 25 Aug 2010 18:49:48 -0700

wallet (0.11-1) unstable; urgency=low

  * New upstream release.
    - Verify that deleted ACLs are not referenced.
    - Add Wallet::Config verify_acl_name function to check ACL names.
    - Add audit command to wallet-report to check for naming
      violations.
    - Add acl unused report to wallet-report.

 -- Russ Allbery Mon, 08 Mar 2010 10:59:00 -0800

wallet (0.10-1) unstable; urgency=low

  * New upstream release.
    - Add support for Heimdal KDCs as well as MIT Kerberos KDCs. New
      mandatory configuration setting KEYTAB_KRBTYPE which must be set
      to either MIT or Heimdal.
    - Remove kaserver synchronization support and kasetkey.
    - wallet -S now generates a srvtab based on the DES key of the
      keytab and does not enable synchronization. No synchronization
      targets are supported now.
    - The wallet client and wallet-backend server can now handle store
      of files containing nuls provided that the server uses remctl
      2.14 and the remctl configuration is updated to use stdin=last.
    - Correctly store data that begins with a dash.
    - Do not log the data passed to store.
    - New wallet-report script and multiple additional database
      reports.
    - Report ACL names as well as numbers in object history.
  * Update debhelper compatibility level to V7.
    - Use debhelper rule minimization with overrides.
    - Add ${misc:Depends} to dependencies.
  * Clarify in long description that keytab-backend is only needed for
    MIT Kerberos.
  * Move wallet-server's dependency on krb5-user to Recommends, since
    it's only needed for keytab support, and allow
    libheimdal-kadm5-perl as an alternative.
  * Recommend remctl-server 2.14 or later for improved store support.
  * Add Homepage, Vcs-Git, and Vcs-Browser control fields.
  * Add a watch file.
  * Update standards version to 3.8.4 (no changes required).

 -- Russ Allbery Sun, 21 Feb 2010 21:13:40 -0800

wallet (0.9-1) unstable; urgency=low

  * New upstream release.
    - The wallet client now supports -f and stdin for store.
    - kasetkey supports enable, disable, and examine.
    - Stop setting Stanford-specific server defaults.
  * The test suite no longer needs libio-string-perl.
  * Use a separate stamp file for configure and install and use
    touch $@ to create stamp files.
  * Update debhelper compatibility level to V5 (no changes required).

 -- Russ Allbery Thu, 24 Apr 2008 16:09:19 -0700

wallet (0.8-1) unstable; urgency=low

  * New upstream version.
    - Fix protocol mismatch between client and server.
    - Add file object support to the wallet server.
    - Correctly handle empty objects in the wallet client.
    - Add -q flag to wallet-backend to suppress syslog logging.
    - Add class registration to the wallet-admin utility.
    - Updated design documentation.

 -- Russ Allbery Wed, 13 Feb 2008 13:59:06 -0800

wallet (0.7-1) unstable; urgency=low

  * New upstream version.
    - Add exists and autocreate wallet server interfaces.
    - Implement autocreation on the client instead of the server.
    - Make create once again an ADMIN-only function.
    - Always generate the srvtab from the newly downloaded keys.
    - Pass kadmin.local ktadd its options in the correct order.
    - Check naming policy before checking default ACLs.
    - Work around a bug in Net::Remctl with explicit undef arguments.
    - Correctly enable syslog logging in wallet-backend.
    - Fix the remctl configuration for keytab-backend.
  * Create /var/lib/keytabs in the keytab-backend package.

 -- Russ Allbery Fri, 08 Feb 2008 11:22:54 -0800

wallet (0.6-1) unstable; urgency=low

  * New upstream version.
    - Safer handling of file creation with -f in the client.
    - The client can get configuration from krb5.conf.
    - Support get in the client without -f.
    - Client support for merging keys into an existing keytab.
    - New client -u option to obtain new Kerberos credentials.
    - New wallet-admin command-line utility for the server.
    - The server supports enforcing a local object naming policy.
    - New wallet-report script (currently Stanford-specific).
  * Change hard-coded wallet server to wallet.stanford.edu.
  * Add --enable-reduced-depends to configure to eliminate unnecessary
    shared library dependencies.

 -- Russ Allbery Mon, 28 Jan 2008 15:17:25 -0800

wallet (0.5-2) unstable; urgency=low

  * Hard-code lsdb-new.stanford.edu as the wallet server name for the
    time being.

 -- Russ Allbery Mon, 17 Dec 2007 21:17:08 -0800

wallet (0.5-1) unstable; urgency=low

  * New upstream release.
    - Allow more valid arguments to wallet-backend.
    - Load Perl modules for object types and ACL verifiers properly.
    - Correctly implement clearing attribute values.
    - Fix keytab principal validation to allow periods.
    - When writing files from the client, remove old backup files.
    - Check default creation ACLs before the ADMIN ACL.

 -- Russ Allbery Thu, 06 Dec 2007 22:26:55 -0800

wallet (0.4-1) unstable; urgency=low

  * New upstream release.
    - Globally cache ACL verifiers.
    - Add the netdb-root ACL verifier, which requires root instances.
    - Determine object and ACL scheme classes from the database.
    - Coding style fixes and cleanup.
  * Update debian/copyright using the information from LICENSE.
  * Update standards version to 3.7.3 (no changes required).

 -- Russ Allbery Wed, 05 Dec 2007 17:01:20 -0800

wallet (0.3-1) unstable; urgency=low

  * New upstream release.
  * Initial packaging of all components of wallet.

 -- Russ Allbery Fri, 30 Nov 2007 20:30:30 -0800

wallet (0.1-1) unstable; urgency=low

  * Initial release building only kasetkey.

 -- Russ Allbery Thu, 8 Mar 2007 16:07:05 -0800