lp:debian/webauth
- Get this branch: bzr branch lp:debian/webauth
Branch information
- Owner: Ubuntu branches
- Status: Development
Recent revisions
- 22. By Russ Allbery
* New upstream release (no Apache 2.4 support yet; that's next).
- Fix webauth_user_info bug in interpreting login history timestamps.
- Fix login history timestamp handling in sample confirm template.
- Suppress history and token rights in sample confirm template when
those data elements are empty. (Closes: #664735)
- Add explicit HTML filters to all sample template variable
interpolations as an additional security measure.
- Update the mod_webkdc manual for changes in 4.1.0.
* If Apache is running and has the module loaded, restart Apache on
configure of libapache2-webauth or libapache2-webkdc.
* Remove the conditional around the postinst actions for
libapache2-webauth and libapache2-webkdc and just always configure the
package. This is at least arguably more correct for the various abort
cases, is simpler, and shouldn't hurt.
- 21. By Russ Allbery
* New upstream release.
- New mod_webkdc WebKdcUserInfoTimeout option to set a network timeout
for user information service queries. The new default is 30
seconds.
- New mod_webkdc WebKdcUserInfoIgnoreFail error to allow users to
authenticate with password and use pre-existing single sign-on
cookies even if the user information service is down. Be aware that
this can allow bypassing a centrally-mandated multifactor
requirement.
- Use remctl_set_ccache instead of setting KRB5CCNAME when available
to avoid memory leaks on calling the user information service and to
not leak settings across threads.
- Fix WebLogin error handling when the password field is left blank.
- Fix WebLogin error handling of empty usernames.
- Drop library support for base64-encoded token attributes (which was
never used by WebAuth).
- Drop webauth_info_{build, version} library APIs.
- Document Apache/Tomcat security interaction around URL parsing in
the mod_webauth manual. This affects any Apache security mechanism
used in conjunction with Tomcat.
* Bump libremctl-dev build dependency to >= 3.1 for consistent builds.
* Add Build-Depends-Package to the symbols file for better dependency
handling.
* Update standards version to 3.9.3 (no changes required).
- 20. By Russ Allbery
* New upstream release.
- Fix setting of the REMOTE_USER preference cookie in WebLogin.
- Ignore undefined cookies in WebLogin to reduce error logs.
- Document factor codes in the mod_webauth manual.
* Remove ${shlibs:Depends} from libwebauth-dev dependencies to remove a
warning. This package won't contain compiled binaries.
- 19. By Russ Allbery
* New upstream release.
- Change user information service and WebKDC to WebLogin protocols for
conveying suspicious login information to use the IP address as the
CDATA and put the hostname in an attribute.
- Display suspicious logins in WebLogin, forcing a confirmation page.
- Log the return URL of authentication requests to the WebKDC.
- Reduce mod_webauth log level when retrieving credentials.
- 18. By Russ Allbery
* Fix a variety of uninitialized variables and memory leaks in the
libwebauth library and the test suite. Thanks, Christoph Egger and
Aaron M. Ucko. (Closes: #640259)
* Don't attempt to chown files in libwebkdc-perl when doing a
binary-only build. Thanks, Aaron M. Ucko. (Closes: #640268)
- 17. By Russ Allbery
* New upstream release.
- Added support for multifactor, including new WebAuth directives
WebAuthRequireInitialFactor, WebAuthRequireSessionFactor, and
WebAuthRequireLOA and new WebKDC directives WebKdcUserInfoURL and
WebKdcUserInfoPrincipal. Currently requires a metadata service for
which there isn't a packaged implementation.
- mod_webauth now exposes the user's initial and session
authentication details and level of assurance (if known) in
environment variables WEBAUTH_FACTORS_INITIAL,
WEBAUTH_FACTORS_SESSION, and WEBAUTH_LOA.
- WebLogin now uses Template Toolkit for all templating. All
templates will have to be revised to use the new syntax.
- WebLogin can tell an external middleware service to send the user an
OTP code via some means, such as SMS. There are new configuration
variables for /etc/webkdc/webkdc.conf that control this.
- WebLogin now supports a site-specific callback to determine the
initial and session factors and level of assurance for a user who
has been authenticated via Apache authentication.
- The keyring functions of the WebAuth Perl module have been rewritten
to use an object-oriented style and new WebAuth::Keyring and
WebAuth::KeyringEntry objects. Perl code that used the keyring API
will need to be modified. Methods to remove a key from a keyring,
get the timestamps and keys associated with keyring entries, and
choose the best key have been added.
- The libwebauth API has been changed substantially and will be
changed further in subsequent releases.
- The proxy data attribute of webkdc-proxy tokens is now optional.
* Install /var/cache/weblogin, writable by www-data, as a directory to
use for Template Toolkit to cache compiled templates. Mention the new
$TEMPLATE_COMPILE_PATH directive in the libwebkdc-perl NEWS.Debian.
* Update the webauth-weblogin README.Debian to mention the Apache
FastCGI module now included in Debian and the alternative in
non-free.
- 16. By Russ Allbery
* New upstream release.
- New Apache directive WebAuthOptional, which does not force the user
to authenticate if they're not already authenticated but adds the
authentication information to the environment if they are. Intended
for use with dynamic content that can manage optional authentication
through an explicit login link.
- Work around an MIT Kerberos library bug in error reporting from
password change and remove the previous cruder workaround that
mapped Kerberos errors to password strength warnings.
- Suppress certificate validation for the WebKDC in WebLogin if the
WebKDC URL is localhost, required by libwww-perl 5.837 or later.
- More robust generation of the pkg-config configuration file.
- Clearer warning from WebLogin when paired with an old WebKDC.
- Document the pt and sa key/value pairs in WebKDC logging.
* Drop the transitional libwebauth1-dev package, required to smooth
upgrades from lenny. squeeze released with libwebauth-dev.
* Update to debhelper compatibility level V8.
- Use debhelper rule minimization with overrides.
- Do more work in *.install files and less work in debian/rules.
* Switch to 3.0 (quilt) source format. Force a single Debian patch and
include a custom patch header explaining that it is a rollup of any
fixes cherry-picked from upstream and breaking those patches out
separately would be work for no gain.
* Update standards version to 3.9.2 (no changes required).
- 13. By Russ Allbery
* Apply upstream deltas:
- [49ad22d2] Fix wa_keyring option parsing and verbose mode bugs
* Update standards version to 3.9.1 (no changes required).
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:debian/squeeze/webauth