CAUTION: the contents of this page have not been updated since 2014 and may contain inaccurate information about Stanford’s authentication and authorization systems. For information about the future direction of Stanford Authentication, start at
WebAuth is available as source code, as Debian GNU/Linux packages, or as Red Hat packages. There is also an unsupported binary distribution for Apache for Windows and a contributed port to Java. If you are using WebAuth on some other platform, you will need to compile it yourself.
Download WebAuth source:
Older releases are available from the release archive. WARNING: Versions older than 3.6.2 or between 4.4.1 and 4.5.2 have known security vulnerabilities.
WebAuth is available directly from the standard Debian package repositories for Debian unstable and every stable Debian release since etch (4.0). Newer versions built for stable Debian releases are often available from backports.debian.org. During release freezes, new versions will be uploaded to experimental. It is also available for Ubuntu breezy and all later releases as part of Ubuntu universe.
Wherever you are getting the packages from, install the basic WebAuth module with:
aptitude update aptitude install libapache2-webauth
(or use apt-get if you normally do). Then read
/usr/share/doc/libapache2-webauth/README.Debian for instructions on
configuring the package for your local WebAuth setup and for more
information about the Debian packaging. All of WebAuth, including the
WebKDC, is packaged for Debian, broken into several different packages.
For a list of all the available packages, use
Red Hat Packages
We provide Red Hat Enterprise Linux packages of the mod_webauth and mod_webauthldap modules plus the supporting shared library built for Red Hat Enterprise Linux 5 and 6. Packages of the Perl bindings, the WebKDC, and the Weblogin server are not currently available.
The easiest way to install these packages on Red Hat Enterprise Linux is via yum from the Stanford RHEL RPM repositories. For instructions on how to configure those repositories on your system, see the RHEL Stanford-specific repository documentation.
You can also download the RPMs directly from this page if you prefer.
- WebAuth 4.4.3 RHEL5 i686 binaries
- WebAuth 4.4.3 RHEL5 x86_64 binaries
- WebAuth 4.4.3 RHEL6 i686 binaries
- WebAuth 4.4.3 RHEL6 x86_64 binaries
- WebAuth 4.2.2 RHEL5 i686 binaries
- WebAuth 4.2.2 RHEL5 x86_64 binaries
- WebAuth 4.2.2 RHEL6 i686 binaries
- WebAuth 4.2.2 RHEL6 x86_64 binaries
- WebAuth 4.2.2 source
If rebuilding the source RPMs, see the comments in the spec file. They will require some minor modifications for Fedora but should work fine on RHEL 5 and 6.
RPMs of older versions (including for RHEL 4) are available in the release archive.
If you want to download the current development source, instead of the most recent released version, you can do so from the mirror of the WebAuth Git repository maintained by Russ Allbery. The Git command to use is:
git clone git://git.eyrie.org/kerberos/webauth.git
You can also browse the current WebAuth development source and download snapshot tarballs of older commits at git.eyrie.org.
This is recommended only for WebAuth developers and those who need the latest source for some reason. You will need Autoconf 2.64, Automake 1.11, xml2rfc, and Perl to bootstrap WebAuth from a Git clone.
There is a contributed implementation of WebAuth for IIS written by Jesse Young, based on an initial implementation that was never completed. This version of WebAuth for IIS is in use in a few places, but is not supported by the WebAuth team (at least at this time). For more information and downloads, see his WebAuth for IIS page (external link).
The SPIE project at the Oxford University Computing Services department developed a WebAuth implementation written in pure Java. This is a Java Servlet 2.3 implementation that provides a subset of the mod_webauth Apache module capabilities. It has been tested with Tomcat 4.1 and 5.5. It currently only implements the des3-cbc-sha1-kd and des-cbc-crc Kerberos enctypes. This implementation is licensed under the GNU Lesser General Public License.
Please note that this implementation is not supported by the WebAuth team, but the Oxford University Computing Services developers will provide best-effort support. For more information and contact details, please see the README file.
All WebAuth distributions are signed with an OpenPGP signature. You can verify these signatures with GnuPG. Here is the WebAuth signing key, or you can also obtain it from a key server. The key ID is 0xDFA89CD3.
This key has been signed by Russ Allbery (key ID 0x82004173), who is part of the Debian web of trust.
The Red Hat packages are signed by Stanford's Red Hat package signing key, which is also signed by Russ Allbery and by the WebAuth key linked to above. The key ID is 0xAF476543.
Stanford WebAuth is released under the following license:
Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013 The Board of Trustees of the Leland Stanford Junior University
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.