./security/vault, Tool for managing secrets

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 0.7.0nb1, Package name: vault-0.7.0nb1, Maintainer: filip

Vault is a tool for securely accessing secrets. A secret is
anything that you want to tightly control access to, such as API
keys, passwords, certificates, and more. Vault provides a unified
interface to any secret, while providing tight access control and
recording a detailed audit log.


Required to build:
[lang/go] [pkgtools/cwrappers]

Master sites:

SHA1: 407eb309107fbb5608fc108331f5d60be0b164b4
RMD160: 8e8ce699782d67ce4f0e6b209ad174a99c92ad80
Filesize: 5689.537 KB

Version history: (Expand)


CVS history: (Expand)


   2017-04-13 17:12:07 by Benny Siegert | Files touched by this commit (39) | Package updated
Log message:
Revbump all Go packages after the Go 1.8.1 update.
   2017-03-20 16:15:28 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.7.0.

SECURITY:

* Common name not being validated when `exclude_cn_from_sans` option used in
  `pki` backend

DEPRECATIONS/CHANGES:

* List Operations Always Use Trailing Slash
* PKI Defaults to Unleased Certificates

FEATURES:

* Replication (Enterprise)
* Response Wrapping & Replication in the Vault Enterprise UI
* Expanded Access Control Policies
* SSH Backend As Certificate Authority

IMPROVEMENTS:

* api/request: Passing username and password information in API request
* audit: Logging the token's use count with authentication response and
  logging the remaining uses of the client token with request
* auth/approle: Support for restricting the number of uses on the tokens
  issued
* auth/aws-ec2: AWS EC2 auth backend now supports constraints for VPC ID,
  Subnet ID and Region
* auth/ldap: Use the value of the `LOGNAME` or `USER` env vars for the
  username if not explicitly set on the command line when authenticating
* audit: Support adding a configurable prefix (such as `@cee`) before each
  line
* core: Canonicalize list operations to use a trailing slash
* core: Add option to disable caching on a per-mount level
* core: Add ability to require valid client certs in listener config
* physical/dynamodb: Implement a session timeout to avoid having to use
  recovery mode in the case of an unclean shutdown, which makes HA much safer
* secret/pki: O (Organization) values can now be set to role-defined values
  for issued/signed certificates
* secret/pki: Certificates issued/signed from PKI backend do not generate
  leases by default
* secret/pki: When using DER format, still return the private key type
* secret/pki: Add an intermediate to the CA chain even if it lacks an
  authority key ID
* secret/pki: Add role option to use CSR SANs
* secret/ssh: SSH backend as CA to sign user and host certificates
* secret/ssh: Support reading of SSH CA public key from `config/ca` endpoint
  and also return it when CA key pair is generated

BUG FIXES:

* audit: When auditing headers use case-insensitive comparisons
* auth/aws-ec2: Return role period in seconds and not nanoseconds
* auth/okta: Fix panic if user had no local groups and/or policies set
* command/server: Fix parsing of redirect address when port is not mentioned
* physical/postgresql: Fix listing returning incorrect results if there were
  multiple levels of children

Full changelog:

  https://github.com/hashicorp/vault/blob … ANGELOG.md
   2017-02-13 15:23:08 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.6.5.

FEATURES:

- Okta Authentication: A new Okta authentication backend allows you to use
  Okta usernames and passwords to authenticate to Vault. If provided with an
  appropriate Okta API token, group membership can be queried to assign
  policies; users and groups can be defined locally as well.
- RADIUS Authentication: A new RADIUS authentication backend allows using
  a RADIUS server to authenticate to Vault. Policies can be configured for
  specific users or for any authenticated user.
- Exportable Transit Keys: Keys in `transit` can now be marked as
  `exportable` at creation time. This allows a properly ACL'd user to retrieve
  the associated signing key, encryption key, or HMAC key. The `exportable`
  value is returned on a key policy read and cannot be changed, so if a key is
  marked `exportable` it will always be exportable, and if it is not it will
  never be exportable.
- Batch Transit Operations: `encrypt`, `decrypt` and `rewrap` operations
  in the transit backend now support processing multiple input items in one
  call, returning the output of each item in the response.
- Configurable Audited HTTP Headers: You can now specify headers that you
  want to have included in each audit entry, along with whether each header
  should be HMAC'd or kept plaintext. This can be useful for adding additional
  client or network metadata to the audit logs.
- Transit Backend UI (Enterprise): Vault Enterprise UI now supports the transit
  backend, allowing creation, viewing and editing of named keys as well as using
  those keys to perform supported transit operations directly in the UI.
- Socket Audit Backend A new socket audit backend allows audit logs to be sent
  through TCP, UDP, or UNIX Sockets.

IMPROVEMENTS:

- auth/aws-ec2: Add support for cross-account auth using STS
- auth/aws-ec2: Support issuing periodic tokens
- auth/github: Support listing teams and users
- auth/ldap: Support adding policies to local users directly, in addition to
  local groups
- command/server: Add ability to select and prefer server cipher suites
- core: Add a nonce to unseal operations as a check (useful mostly for
  support, not as a security principle)
- duo: Added ability to supply extra context to Duo pushes
- physical/consul: Add option for setting consistency mode on Consul gets
- physical/etcd: Full v3 API support; code will autodetect which API version
  to use. The v3 code path is significantly less complicated and may be much
  more stable.
- secret/pki: Allow specifying OU entries in generated certificate subjects
- secret mount ui (Enterprise): the secret mount list now shows all mounted
  backends even if the UI cannot browse them. Additional backends can now be
  mounted from the UI as well.

BUG FIXES:

- auth/token: Fix regression in 0.6.4 where using token store roles as a
  blacklist (with only `disallowed_policies` set) would not work in most
  circumstances
- physical/s3: Page responses in client so list doesn't truncate
- secret/cassandra: Stop a connection leak that could occur on active node
  failover
- secret/pki: When using `sign-verbatim`, don't require a role and use the
  CSR's common name
   2017-01-03 08:44:01 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.6.4

SECURITY:

- default Policy Privilege Escalation: If a parent token did not have
  the default policy attached to its token, it could still create
  children with the default policy. This is no longer allowed (unless
  the parent has sudo capability for the creation path). In most cases
  this is low severity since the access grants in the default policy are
  meant to be access grants that are acceptable for all tokens to have.
- Leases Not Expired When Limited Use Token Runs Out of Uses: When
  using limited-use tokens to create leased secrets, if the
  limited-use token was revoked due to running out of uses (rather than
  due to TTL expiration or explicit revocation) it would fail to revoke
  the leased secrets. These secrets would still be revoked when their
  TTL expired, limiting the severity of this issue. An endpoint has been
  added (auth/token/tidy) that can perform housekeeping tasks on the
  token store; one of its tasks can detect this situation and revoke the
  associated leases.

FEATURES:

- Policy UI (Enterprise): Vault Enterprise UI now supports viewing,
  creating, and editing policies.

IMPROVEMENTS:

- http: Vault now sets a no-store cache control header to make it more
  secure in setups that are not end-to-end encrypted

BUG FIXES:

- auth/ldap: Don't panic if dialing returns an error and starttls is
  enabled; instead, return the error
- ui (Enterprise): Submitting an unseal key now properly resets the
  form so a browser refresh isn't required to continue.

0.6.3 (December 6, 2016)

DEPRECATIONS/CHANGES:

- Request size limitation: A maximum request size of 32MB is imposed
  to prevent a denial of service attack with arbitrarily large
  requests
- LDAP denies passwordless binds by default: In new LDAP mounts, or
  when existing LDAP mounts are rewritten, passwordless binds will be
  denied by default. The new deny_null_bind parameter can be set to
  false to allow these.
- Any audit backend activated satisfies conditions: Previously, when a
  new Vault node was taking over service in an HA cluster, all audit
  backends were required to be loaded successfully to take over active
  duty. This behavior now matches the behavior of the audit logging
  system itself: at least one audit backend must successfully be loaded.
  The server log contains an error when this occurs. This helps keep a
  Vault HA cluster working when there is a misconfiguration on a standby
  node.

FEATURES:

- Web UI (Enterprise): Vault Enterprise now contains a built-in web UI
  that offers access to a number of features, including
  init/unsealing/sealing, authentication via userpass or LDAP, and K/V
  reading/writing. The capability set of the UI will be expanding
  rapidly in further releases. To enable it, set ui = true in the top
  level of Vault's configuration file and point a web browser at your
  Vault address.
- Google Cloud Storage Physical Backend: You can now use GCS for
  storing Vault data

IMPROVEMENTS:

- auth/github: Policies can now be assigned to users as well as to
  teams
- cli: Set the number of retries on 500 down to 0 by default (no
  retrying). It can be very confusing to users when there is a pause
  while the retries happen if they haven't explicitly set it. With
  request forwarding the need for this is lessened anyways.
- core: Response wrapping is now allowed to be specified by backend
  responses (requires backends gaining support)
- physical/consul: When announcing service, use the scheme of the
  Vault server rather than the Consul client
- secret/consul: Added listing functionality to roles
- secret/postgresql: Added revocation_sql parameter on the role
  endpoint to enable customization of user revocation SQL statements
- secret/transit: Add listing of keys

BUG FIXES:

- api/unwrap, command/unwrap: Increase compatibility of unwrap command
  with Vault 0.6.1 and older
- api/unwrap, command/unwrap: Fix error when no client token exists
- auth/approle: Creating the index for the role_id properly
- auth/aws-ec2: Handle the case of multiple upgrade attempts when
  setting the instance-profile ARN
- auth/ldap: Avoid leaking connections on login
- command/path-help: Use the actual error generated by Vault rather
  than always using 500 when there is a path help error
- command/ssh: Use temporary file for identity and ensure its deletion
  before the command returns
- cli: Fix error printing values with -field if the values contained
  formatting directives
- command/server: Don't say mlock is supported on OSX when it isn't.
- core: Fix bug where a failure to come up as active node (e.g. if an
  audit backend failed) could lead to deadlock
- physical/mysql: Fix potential crash during setup due to a query
  failure
- secret/consul: Fix panic on user error
   2016-12-04 17:30:01 by Benny Siegert | Files touched by this commit (35) | Package updated
Log message:
Revbump Go packages after 1.7.4 update.
   2016-10-29 10:59:49 by Benny Siegert | Files touched by this commit (34) | Package updated
Log message:
Revbump packages depending on Go after the Go 1.7.3 update.
   2016-10-26 13:49:11 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
Update security/vault to 0.6.2.

DEPRECATIONS/CHANGES:
- Convergent Encryption v2: New keys in transit using convergent mode will
  use a new nonce derivation mechanism rather than require the user to
  supply a nonce. While not explicitly increasing security, it minimizes the
  likelihood that a user will use the mode improperly and impact the security
  of their keys. Keys in convergent mode that were created in v0.6.1 will
  continue to work with the same mechanism (user-supplied nonce).
- etcd HA off by default: Following in the footsteps of dynamodb, the etcd
  storage backend now requires that ha_enabled be explicitly specified in
  the configuration file. The backend currently has known broken HA behavior,
  so this flag discourages use by default without explicitly enabling it. If
  you are using this functionality, when upgrading, you should set ha_enabled
  to "true" before starting the new versions of Vault.
- Default/Max lease/token TTLs are now 32 days: In previous versions of
  Vault the default was 30 days, but moving it to 32 days allows some
  operations (e.g. reauthenticating, renewing, etc.) to be performed via a
  monthly cron job.
- AppRole Secret ID endpoints changed: Secret ID and Secret ID accessors are
  no longer part of request URLs. The GET and DELETE operations are now
  moved to new endpoints (/lookup and /destroy) which consumes the input from
  the body and not the URL.
- AppRole requires at least one constraint: previously it was sufficient to
  turn off all AppRole authentication constraints (secret ID, CIDR block)
  and use the role ID only. It is now required that at least one additional
  constraint is enabled. Existing roles are unaffected, but any new roles or
  updated roles will require this.
- Reading wrapped responses from cubbyhole/response is deprecated. The
  sys/wrapping/unwrap endpoint should be used instead as it provides
  additional security, auditing, and other benefits. The ability to read
  directly will be removed in a future release.
- Request Forwarding is now on by default: in 0.6.1 this required toggling
  on, but is now enabled by default. This can be disabled via the
  "disable_clustering" parameter in Vault's config, or per-request with the
  X-Vault-No-Request-Forwarding header.
- In prior versions a bug caused the bound_iam_role_arn value in the aws-ec2
  authentication backend to actually use the instance profile ARN. This has
  been corrected, but as a result there is a behavior change. To match using
  the instance profile ARN, a new parameter bound_iam_instance_profile_arn has
  been added. Existing roles will automatically transfer the value over to the
  correct parameter, but the next time the role is updated, the new meanings
  will take effect.

FEATURES:
- Secret ID CIDR Restrictions in AppRole: Secret IDs generated under an
  approle can now specify a list of CIDR blocks from where the requests to
  generate secret IDs should originate from. If an approle already has CIDR
  restrictions specified, the CIDR restrictions on the secret ID should be a
  subset of those specified on the role [GH-1910]
- Initial Root Token PGP Encryption: Similar to generate-root, the root
  token created at initialization time can now be PGP encrypted [GH-1883]
- Support Chained Intermediate CAs in pki: The pki backend now allows, when
  a CA cert is being supplied as a signed root or intermediate, a trust
  chain of arbitrary length. The chain is returned as a parameter at
  certificate issue/sign time and is retrievable independently as well.
  [GH-1694]
- Response Wrapping Enhancements: There are new endpoints to look up
  response wrapped token parameters; wrap arbitrary values; rotate wrapping
  tokens; and unwrap with enhanced validation. In addition, list operations
  can now be response-wrapped. [GH-1927]
- Transit features: The transit backend now supports generating random bytes
  and SHA sums; HMACs; and signing and verification functionality using EC
  keys (P-256 curve)

IMPROVEMENTS:
- api: Return error when an invalid (as opposed to incorrect) unseal key is
  submitted, rather than ignoring it [GH-1782]
- api: Add method to call auth/token/create-orphan endpoint [GH-1834]
- api: Rekey operation now redirects from standbys to master [GH-1862]
- audit/file: Sending a SIGHUP to Vault now causes Vault to close and
  re-open the log file, making it easier to rotate audit logs [GH-1953]
- auth/aws-ec2: EC2 instances can get authenticated by presenting the
  identity document and its SHA256 RSA digest [GH-1961]
- auth/aws-ec2: IAM bound parameters on the aws-ec2 backend will perform a
  prefix match instead of exact match [GH-1943]
- auth/aws-ec2: Added a new constraint bound_iam_instance_profile_arn to
  refer to IAM instance profile ARN and fixed the earlier bound_iam_role_arn
  to refer to IAM role ARN instead of the instance profile ARN [GH-1913]
- auth/aws-ec2: Backend generates the nonce by default and clients can
  explicitly disable reauthentication by setting empty nonce [GH-1889]
- auth/token: Added warnings if tokens and accessors are used in URLs
  [GH-1806]
- command/format: The format flag on select CLI commands takes yml as an
  alias for yaml [GH-1899]
- core: Allow the size of the read cache to be set via the config file, and
  change the default value to 1MB (from 32KB) [GH-1784]
- core: Allow single and two-character path parameters for most places
  [GH-1811]
- core: Allow list operations to be response-wrapped [GH-1814]
- core: Provide better protection against timing attacks in Shamir code
  [GH-1877]
- core: Unmounting/disabling backends no longer returns an error if the
  mount didn't exist. This is line with elsewhere in Vault's API where
  DELETE is an idempotent operation. [GH-1903]
- credential/approle: At least one constraint is required to be enabled
  while creating and updating a role [GH-1882]
- secret/cassandra: Added consistency level for use with roles [GH-1931]
- secret/mysql: SQL for revoking user can be configured on the role
  [GH-1914]
- secret/transit: Use HKDF (RFC 5869) as the key derivation function for new
  keys [GH-1812]
- secret/transit: Empty plaintext values are now allowed [GH-1874]

BUG FIXES:
- audit: Fix panic being caused by some values logging as underlying Go
  types instead of formatted strings [GH-1912]
- auth/approle: Fixed panic on deleting approle that doesn't exist [GH-1920]
- auth/approle: Not letting secret IDs and secret ID accessors to get logged
  in plaintext in audit logs [GH-1947]
- auth/aws-ec2: Allow authentication if the underlying host is in a bad
  state but the instance is running [GH-1884]
- auth/token: Fixed metadata getting missed out from token lookup response
  by gracefully handling token entry upgrade [GH-1924]
- cli: Don't error on newline in token file [GH-1774]
- core: Pass back content-type header for forwarded requests [GH-1791]
- core: Fix panic if the same key was given twice to generate-root [GH-1827]
- core: Fix potential deadlock on unmount/remount [GH-1793]
- physical/file: Remove empty directories from the file storage backend
  [GH-1821]
- physical/zookeeper: Remove empty directories from the zookeeper storage
  backend and add a fix to the file storage backend's logic [GH-1964]
- secret/aws: Added update operation to aws/sts path to consider ttl
  parameter [39b75c6]
- secret/aws: Mark STS secrets as non-renewable [GH-1804]
- secret/cassandra: Properly store session for re-use [GH-1802]
- secret/ssh: Fix panic when revoking SSH dynamic keys [GH-1781]
   2016-09-10 21:47:21 by Benny Siegert | Files touched by this commit (30) | Package updated
Log message:
Revbump all Go packages after the Go 1.7.1 update.