WebAuth 3.6.0 Announcement
The ITS WebAuth team is pleased to announce Stanford WebAuth 3.6.0. This release mostly affects the WebKDC and WebLogin server, adding multiple new features and improving handling of Kerberos cross-realm authentication. It also fixes one bug in the WebAuth module that caused problems for requests with sub-requests (such as mod_autoindex).
For documentation and downloads of WebAuth 3.6.0, see:
We have not yet updated the Red Hat and Solaris builds. New Debian packages have been uploaded to Debian unstable.
The user-visible changes in this release are:
Allocate all note keys and values in the top-most request pool in mod_webauth, avoiding problems with prematurely freed internal data structures. This fixes problems with checking access permissions of subdirectories in mod_autoindex and may have fixed problems elsewhere. Thanks to Ian Ward Comfort for the patch.
Add the WebKdcLocalRealms configuration option to mod_webkdc, which specifies the transformation behavior for authenticated identities. The default is "local", which runs krb5_aname_to_localname and uses the result as the authenticated identity (matching previous behavior). Setting it to "none" always keeps the fully-qualified Kerberos principal as the authenticated identity, and setting it to a list of realms strips the realm if it matches one of the listed realms and uses the fully-qualified Kerberos principal otherwise.
Thanks to Dmitri Priimak for the patch.
Add the WebKdcPermittedRealms configuration option to mod_webkdc. If set, only Kerberos principals in the listed realms will be able to obtain authentication tokens from the WebKDC. This allows sites with Kerberos cross-realm trust to prevent users in foreign realms from obtaining WebAuth credentials that satisfy "require valid-user".
Thanks to Dmitri Priimak for the patch.
The WebLogin login.tmpl template may be called with err_rejected set if the authenticating principal is rejected by the WebKDC. Login templates should be modified to handle this variable.
Add a new error to the WebKDC protocol, 18, indicating that the WebKDC did not permit that user to authenticate. This error is returned when WebKdcPermittedRealms is set and the realm of the authenticating principal isn't included. Add support for the new error in the WebLogin code, setting the template variable err_rejected. Based on work by Dmitri Priimak.
In the WebLogin script, work around a bug in the CGI module that causes it to misparse and die on WebLogin URLs that contain two slashes and two plus signs.
WebLogin now supports delegated credentials, allowing browsers that support credential delegation via SPNEGO to still get single sign-on even to services that require proxy credentials or krb5 authenticators. See doc/install-spnego for configuration details. Based on work by Joachim Keltsch.
WebLogin now supports a new configuration variable, $DEFAULT_REALM. If set, WebLogin will append @ and $DEFAULT_REALM to usernames that do not contain @ before passing them to the WebKDC. This is primarily useful if principals should be authenticated in a different Kerberos realm than the default realm of the WebKDC.
WebLogin now supports a new configuration file, $BYPASS_CONFIRM. If set, the confirmation page will only be displayed if required by the HTTP protocol after a POST of the login form. Otherwise, the user will be silently redirected to the destination site.
Add support for a map_username function defined in the WebLogin config file. If defined, this function will be called to map the user-supplied username to a Kerberos principal for authentication.
Add support for a record_login function defined in the WebLogin config file. If defined, this function will be called after any successful authentication.
Many of the REMOTE_USER configuration variables have been renamed for consistency. The old names are still supported for backward compatibility. $REALM has been deprecated in favor of setting @REMUSER_REALMS to a list with a single value.
Escape Mac OS X compiler flags for apxs, fixing build issues on Mac OS X 10.5.