Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

WebAuth 4.4.0 released

Russ Allbery eagle at
Wed Dec 19 23:01:52 PST 2012

The ITS WebAuth team is pleased to announce Stanford WebAuth 4.4.0.  This
is a major new feature release, particularly for the WebKDC and WebLogin

Users of WebAuth who build it against Heimdal for the underlying Kerberos
library should be aware that a bug in encoding Kerberos ticket flags was
fixed in this release in a way that may cause compatibility problems.  As
of WebAuth 4.4.0, Kerberos tickets are encoded the same with both MIT and
Heimdal, as was the original intention, and all components understand both
the new and the buggy encoding.  However, older versions built against
Heimdal only understand the buggy encoding.  You should upgrade
mod_webauth modules built against Heimdal before upgrading a WebKDC built
against Heimdal to ensure that ticket flags are decoded correctly.

Users of WebAuthForceLogin should be aware of the behavior change
described in the detailed release notes below.  We believe this behavior
change will generally be a UI improvement, avoiding pointless multiple
logins when a user goes to multiple force-login sites in close succession,
but some sites may wish to disable support for multi-stage login processes
to get back the previous behavior.

For documentation and downloads of WebAuth 4.4.0, see:


New Debian packages built against Apache 2.4 have been uploaded to Debian

The user-visible changes in this release are:

    The WebKDC and WebLogin server now support allowing a user to assert
    an authorization identity other than their own identity.  This can be
    used to allow a user to access a test account on a particular WebAuth
    Application Server, pretend to be another user for testing or
    administrative reasons, or otherwise use an identity other than their
    own.  This support is disabled by default; to enable it, set the
    WebKdcIdentityAcl Apache directive to the path to an ACL file
    describing acceptable combinations of authentication and authorization
    identities for each site.  See the WebKdcIdentityAcl documentation in
    the mod_webkdc manual for more information.  Updates to the confirm
    and possibly the login templates in WebLogin will also be required.
    See the sample templates for the new parameters and fields.

    mod_webauth by default ignores the new authorization identities (and
    old versions will always ignore them) except for recording the
    authorization identity in the new environment variable
    WEBAUTH_AUTHZ_USER.  There is a new mod_webauth Apache directive,
    WebAuthTrustAuthzIdentity, which can be enabled to set REMOTE_USER to
    the authorization identity instead of the authentication identity and
    to use the authorization identity for access control (such as
    mod_webauthldap privilege group lookups).  WEBAUTH_USER will always be
    set to the authentication identity.  This directive is allowed in
    .htaccess files (if authentication overrides are allowed) as well as
    anywhere in the main Apache configuration.  Authorization identities
    will still be ignored if WebAuthSubjectAuthType is set to krb5.

    Add new mod_webkdc Apache directive WebKdcLoginTimeLimit, which
    controls the time limit for completing a multi-step login process
    (such as with multifactor authentication) and how recently
    authentication must have occurred to count for session factors and
    forced login.  The default value is five minutes, matching the
    previous default behavior for multifactor logins.

    WebAuthForceLogin no longer forces re-entry of the user's password if
    the user has done an interactive authentication within the
    WebKdcLoginTimeLimit interval (five minutes by default).  Initial
    authentication factors also count as session factors for single
    sign-on authentications within that time interval.  This allows
    WebAuthForceLogin to work in combination with other features such as
    multi-step authentication processes and authorization identities and
    improves the user experience when simultaneously visiting multiple
    sites with forced login set.  To disable this behavior and always
    force reauthentication, WebKdcLoginTimeLimit can be set to 0s, but
    this will make multi-stage login processes, such as multifactor,

    Add replay detection to WebLogin.  When enabled, only one username and
    password authentication is permitted with a given request token, and
    further authentications with the same request token are rejected as
    replays.  This can protect against an attacker using the back button
    in an abandoned browser to replay the form submission on the WebLogin
    server.  This support requires a memcached server be available for
    data storage and the Perl modules Cache::Memcached and Digest::SHA.
    The latter is available as part of Perl since 5.9.3.

    Add rate limiting of login attempts in WebLogin.  If enabled, after a
    configured number of failed login attempts, all password
    authentications for a given username will be rejected (valid or not)
    until a configurable interval of time has passed.  This support also
    requires a memcached server for data storage and the Perl module

    The WebLogin error template has two new parameters: err_lockout and
    err_replay, corresponding to a replayed authentication and an account
    that was locked out due to too many login failures.  Local templates
    should be updated to handle those parameters, particularly if either
    of these features are in use.

    In WebLogin, set single sign-on cookies if present even when
    displaying an error.  This establishes single sign-on when errors are
    returned after authentication, such as authentication rejected errors
    from the user information service.  Without this behavior, if the
    custom error sent the user to another page that also required
    authentication, the user would have to log in again and may given up,
    thinking that authentication was looping.

    Support two additional WebLogin configuration settings:
    the equivalent of WebKdcLocalRealms and WebKdcPermittedRealms for
    Apache REMOTE_USER authentication handled by the WebLogin front-end
    (such as when using Negotiate-Auth with mod_auth_kerb).  Previously,
    there was only a @REMUSER_REALMS setting, which combined both
    meanings.  @REMUSER_REALMS continues to be supported for backward
    compatibility, but will only be used if the more-specific variable is
    not set.  Patch from Tom Jones.

    Fix encoding of Kerberos credentials containing addresses or authdata
    when built against MIT Kerberos.  WebAuth 4.3.0 and later would fail
    to encode those credentials properly.  This bug only affects people
    using credential delegation with either Active Directory or with
    Kerberos configured to add addresses to tickets, which are relatively
    rare configurations.

    Fix encoding of ticket flags with Heimdal Kerberos and tolerate the
    old, incorrect encoding.  All previous versions of WebAuth, when built
    with Heimdal, encoded the ticket flags on the wire with the flag bits
    reversed (matching the in-memory Heimdal format).  Prior to this
    version, flags would be lost when reading credentials encoded via MIT
    Kerberos with Heimdal or vice versa.  As of this release, the portable
    flag encoding used for ticket caches is used when writing credentials
    with both MIT and Heimdal, and the flag order is detected when
    decoding credentials and fixed if necessary.  If you use delegated
    credentials and link with Heimdal Kerberos, upgrade mod_webauth prior
    to upgrading the WebKDC to ensure the ticket flags are conveyed

    Fix mapping of WebKDC error codes to names when reporting errors in
    WebLogin, fixing mostly cosmetic Perl warnings in the WebLogin server

    Document the WebAuthRequireSSL configuration directive.  Under normal
    circumstances, this directive should always be left on (the default)
    to avoid serious security vulnerabilities, but there are some specific
    situations where it may be necessary to turn it off.

    Add webauth_token_encrypt and webauth_token_decrypt to the public API,
    including the Perl API.  These functions provide access to the
    low-level token encryption and decryption routines.  Normally, the
    high-level webauth_token_{encode,decode} functions will be used
    instead, but these functions are useful for constructing low-level

    The webauth_base64_* functions have been removed from libwebauth, as
    have the corresponding Perl bindings.  For C programs, use the
    apr_base64_* functions from APR-Util instead.  For Perl programs, use

    The webauth_attr_*, webauth_attrs_*, and webauth_hex_* functions have
    been removed from libwebauth, as have the corresponding Perl bindings.
    These functions provided a low-level interface to internal WebAuth
    data structures that is no longer necessary.

    Remove webauth.h.  The only remaining contents of interest to clients
    were the WebAuth protocol error constants, which have now moved to

    Add public webauth_keyring_encode and webauth_keyring_decode functions
    that encode and decode keyrings into the serialization format used for
    storing them in files.  These are useful for sending WebAuth keyrings
    over other protocols.  Add a corresponding keyring_decode method to
    the Perl WebAuth class and encode and decode methods to the
    WebAuth::Keyring class.

    The WA_TK_*, WA_TT_*, and WA_SA_* preprocessor constants are no longer
    provided by webauth.h.  These contained a subset of the encoding rules
    for the WebAuth wire protocol, but were not really useful to clients
    of the library.

    The WA_ERR_KEYRING_* error codes have changed to WA_ERR_FILE_* and
    will be used for any errors inside the WebAuth library when reading or
    writing to files.  Now that WebAuth can report rich error messages,
    there is no need for the codes to be this specific.  Add new
    when the error is due to the file not existing.

    Update to rra-c-util 4.7:

    * Fix probing for Heimdal's libroken to work with older versions.
    * Checked asprintf variants are now void functions and cannot fail.
    * Include a replacement strndup for systems that don't have it.

Russ Allbery <eagle at>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University

More information about the webauth-info mailing list