tc01/wallet

Project ID: 6963

Description

The wallet is a client/server system using a central server with a supporting database and a stand-alone client that can be widely distributed to users. The server runs on a secure host with access to a local database; tracks object metadata such as ACLs, attributes, history, expiration, and ownership; and has the necessary access privileges to create wallet-managed objects in external systems (such as Kerberos service principals). The client uses the remctl protocol to send commands to the server, store and retrieve objects, and query object metadata. The same client can be used for both regular user operations and wallet administrative actions.

All wallet actions are controlled by a fine-grained set of ACLs. Each object has an owner ACL and optional get, store, show, destroy, and flags ACLs that control more specific actions. A global administrative ACL controls access to administrative actions. An ACL consists of zero or more entries, each of which is a generic scheme and identifier pair, allowing the ACL system to be extended to use any existing authorization infrastructure. Supported ACL types include Kerberos principal names, regexes matching Kerberos principal names, and LDAP attribute checks.

Currently, the object types supported are simple files, Kerberos keytabs, and WebAuth keyrings. By default, whenever a Kerberos keytab object is retrieved from the wallet, the key is changed in the Kerberos KDC and the wallet returns a keytab for the new key. However, a keytab object can also be configured to preserve the existing keys when retrieved. Included in the wallet distribution is a script that can be run via remctl on an MIT Kerberos KDC to extract the existing key for a principal, and the wallet system will use that interface to retrieve the current key if the unchanging flag is set on a Kerberos keytab object for MIT Kerberos. (Heimdal doesn't require any special support.)

Installation Instructions

Just run "dnf install wallet-client wallet-server".

This will pull down a lot of Perl modules (that the server depends on); you have been warned.

I was considering attempting to get this packaged for Fedora, but I'm no longer the system administrator of the group that was thinking of setting up wallet. Thus it's unlikely I'll go further on this. If someone is interested in seeing wallet (or either of these Perl modules) packaged in Fedora, feel free to get in touch (my email is listed on this project page). You're more than welcome to take my specs as a base.

Active Releases

The following unofficial repositories are provided as-is by owner of this project. Contact the owner directly for bugs or issues (IE: not bugzilla).

Release Architectures Repo Download
EPEL 7 x86_64 (10)* EPEL 7 (161 downloads)

* Total number of downloaded packages.