
ANNOUNCE: WebAuth 3.6.1 released

Russ Allbery eagle at
Tue Jul 14 19:46:40 PDT 2009

The ITS WebAuth team is pleased to announce Stanford WebAuth 3.6.1.  This
release focuses primarily on improvements to the WebLogin server,
particularly in the confirmation page and support for bypassing that page
in various circumstances.  It also contains significant code restructuring
and build system updates that will make further improvements easier.

As of this release, WebAuth is now maintained in Git.  Russ Allbery hosts
a gitweb interface to the repository and an anonymous Git server at:

For documentation and downloads of WebAuth 3.6.1, see:

New Debian packages have been uploaded to Debian unstable.  Updated Red
Hat packages will be available shortly.  We are no longer producing binary
builds for Solaris.

The user-visible changes in this release are:

    Setting $BYPASS_CONFIRM in the WebLogin configuration now also
    suppresses the confirmation page after username/password login
    provided that the browser supports HTTP/1.1 (and the web server tells
    the WebLogin script that in the form Apache does).

    Setting $BYPASS_CONFIRM to the special value "id" in the WebLogin
    configuration suppresses the confirmation page only if the WebAuth
    Application Server requests an id token (in other words, only asks for
    the user's identity).  If it instead requests a proxy token, which
    would allow it to later ask for delegated user credentials, the
    confirmation page is still displayed.

    Add a new WebLogin configuration variable $TOKEN_ACL.  If set to the
    path of the token.acl file used by the WebKDC, and if the WebAuth
    Application Server requests a proxy token, the list of credentials the
    WAS may request is provided to the confirmation page template for
    display to the user.  See doc/weblogin-config for more information.

    WebLogin now sets and updates its cookies after successful
    authentication even if the confirmation screen is bypassed.  This
    primarily affects the update of the expiration time of the REMOTE_USER

    Handle err_confirm in the error.tmpl sample template and document this
    in doc/weblogin-config.  This error is returned when redisplaying the
    confirmation page after a change in the REMOTE_USER cookie.

    Fix a coding error in login.fcgi when redisplaying the confirmation
    page fails.  Thanks to pod for the report.

    Fix an off-by-one error in error code to error string mapping in
    WebKDC::WebKDCException that resulted in incorrect error names in
    WebLogin error messages.  Thanks to pod for the report.

    The WebLogin scripts and templates are now installed by default under
    /usr/local/share/weblogin.  This can be modified with the --prefix or
    --datadir options to configure.

    There is no longer an install-tests target; instead, to install the
    test suite, copy the directories under tests/mod_webauth recursively.
    This will be replaced by a better test suite mechanism in a future
    version of WebAuth.

    Update the mod_webauth documentation to reflect that separate WebAuth
    servers in the same load-balanced pool can use separate keytabs.  Only
    the keyring needs to be shared between systems.

    Improved the comments in the provided sample configuration files.

    Update the INSTALL documentation for obtaining keytabs for Stanford
    users to reference wallet instead of leland_srvtab.

If you have any problems or questions about WebAuth 3.6.1 or WebAuth in
general, please join and send them to the webauth-info at
mailing list via:

Stanford users may also file a HelpSU ticket.

Russ Allbery <eagle at>
Technical Lead, ITS UNIX Systems and Applications, Stanford University
