Package: wnpp Severity: wishlist Owner: Bill MacAllister <b...@ca-zephyr.org> X-Debbugs-Cc: debian-de...@lists.debian.org
* Package name : krb5-wallet Version : 1.5 Upstream Contact: Bill MacAllister <b...@ca-zephyr.org> * URL : https://salsa.debian.org/whm/krb5-wallet * License : (Expat) Programming Lang: (C, Perl) Description : The wallet used remctl to manage secure data. The wallet is a client/server system using a central server with a supporting database and a stand-alone client that can be widely distributed to users. The server runs on a secure host with access to a local database; tracks object metadata such as ACLs, attributes, history, expiration, and ownership; and has the necessary access privileges to create wallet-managed objects in external systems (such as Kerberos service principals). The client uses the remctl protocol to send commands to the server, store and retrieve objects, and query object metadata. The same client can be used for both regular user operations and wallet administrative actions. All wallet actions are controlled by a fine-grained set of ACLs. Each object has an owner ACL and optional get, store, show, destroy, and flags ACLs that control more specific actions. A global administrative ACL controls access to administrative actions. An ACL consists of zero or more entries, each of which is a generic scheme and identifier pair, allowing the ACL system to be extended to use any existing authorization infrastructure. Supported ACL types include Kerberos principal names, regexes matching Kerberos principal names, and LDAP attribute checks. Currently, the object types supported are simple files, passwords, Kerberos keytabs, and Duo integrations. By default, whenever a Kerberos keytab object is retrieved from the wallet, the key is changed in the Kerberos KDC and the wallet returns a keytab for the new key. However, a keytab object can also be configured to preserve the existing keys when retrieved. Included in the wallet distribution is a script that can be run via remctl on an MIT Kerberos KDC to extract the existing key for a principal, and the wallet system will use that interface to retrieve the current key if the unchanging flag is set on a Kerberos keytab object for MIT Kerberos. (Heimdal doesn't require any special support.)
