Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

WebAuth 4.6.1 released

Russ Allbery rra at
Wed Jul 23 16:45:03 PDT 2014

The WebAuth team is pleased to announce Stanford WebAuth 4.6.1.  This is
primarily a bug-fix release, with one Stanford-specific fix for
mod_webauth, a build system fix, and various minor bug fixes for the
WebLogin and WebKDC components.  It also adds FAST support for the WebKDC.

For documentation and downloads of WebAuth 4.6.1, see:


The user-visible changes in this release are:

    Support for AuthType StanfordAuth (for backward compatibility with
    WebAuth 2.5) was broken in WebAuth 4.6.0, causing mod_webauth to
    reject all accesses to resources protected with that AuthType.  This
    has been fixed in this release.

    Add a new configuration directive, WebKdcFastArmorCache, for
    mod_webkdc.  If set, this specifies the path to a Kerberos ticket
    cache that can (and must) be used for FAST (Flexible Authentication
    Secure Tunneling) protection of Kerberos password authentications.
    The Kerberos KDC must also support FAST in order to safely enable this
    option.  Based on a patch by Jakob Uhd Jepsen ( A/S).

    Fix parsing of the WebKdcKerberosFactors configuration directive.

    Add a new webauth_krb5_set_fast_armor_path interface to libwebauth
    that allows configuring a path to a FAST armor ticket cache before
    authenticating with a password.

    Show the expiring password warning in WebLogin if the browser request
    was a POST.  Previously, it was skipped if the user had a REMOTE_USER
    preference or if the browser presented a single sign-on cookie.  This
    was too conservative, not warning in cases when REMOTE_USER failed,
    when the browser presented an expired single sign-on cookie (systems
    that are suspended rather than shut down, for example), and when the
    user has to do multifactor authentication.  Checking for a POST is a
    closer match for when we can force a confirmation screen without too
    much user disruption.

    When translating Kerberos errors, treat KRB5_KDC_UNREACH (cannot
    contact any KDC for realm) as a user rejected error instead of a
    Kerberos error.  This avoids returning an internal error from WebLogin
    and instead tells the user the username is invalid.  This is not
    always correct, since the unreachable KDC could be the local KDC, but
    it's better than the previous behavior of throwing internal errors
    when users enter email addresses as their username.

    Translate an EINVAL error from the Kerberos libraries during password
    authentication to an incorrect password error code.  Older versions of
    MIT Kerberos returned EINVAL for excessively long passwords.

    In WebLogin, verify that the username form field was sent before
    attempting to do multifactor operations and return an error if it
    isn't, avoiding undefined variable warnings and other errors deeper in
    the WebLogin code.

    Allow newlines, carriage returns, and tabs in the XML sent from the
    WebKDC to the WebLogin server rather than replacing them with periods.
    This fixes the display of <user-message> elements that contain

    If a user may switch to a different authorization identity, force
    display of the confirmation page in WebLogin even if this is normally
    disabled.  Otherwise, there is no opportunity for the user to change

    Diagnose empty RT or ST parameters to WebLogin and return the same
    error as when those parameters are missing entirely.

    Fix compilation when remctl support is not enabled.

    Add new factors mp (mobile push) and v (voice), which count as
    separate classes for determining multifactor.  This means the
    combination of those factors with any other factor class will result
    in a synthensized multifactor factor.

    Warn in the mod_webauth documentation that, when using credential
    delegation to a load-balanced pool, all members of that pool must have
    the same Kerberos identity.

    Update to rra-c-util 5.5:

    * Use Lancaster Consensus environment variables to control tests.
    * Use calloc or reallocarray for protection against integer overflows.
    * Suppress warnings from Kerberos headers in non-system paths.
    * Update warning flags when building with make warnings.
    * Only pass warning suppression flags to Perl under make warnings.

    Update to C TAP Harness 3.1:

    * Check for integer overflow on memory allocations.
    * Avoid all remaining uses of sprintf.

Russ Allbery <rra at>
Technical Lead, AS/ACS, Stanford University

More information about the webauth-announce mailing list