Skip navigation



WebAuth 4.0.0 Announcement

The ITS WebAuth team is pleased to announce Stanford WebAuth 4.0.0, a major new release that adds support for multifactor authentication (called two-step authentication at Stanford).

This should be considered a beta release. It is not yet deployed in production at Stanford, and there will be at least one more release before it is. The WebKDC and WebLogin code in particular have undergone significant changes, and may well have new bugs. Testing and reporting bugs is strongly encouraged, but we recommend you hold off on production deployments until the next release. However, now is a good time to examine the changes and start preparing for an eventual upgrade.

For documentation and downloads of WebAuth 4.0.0, see:


New Debian packages have been uploaded to Debian unstable. New Red Hat packages will probably wait until the next release.

The user-visible changes in this release are:

  • WARNING: This release is a major revision with significant changes to mod_webkdc and to the WebLogin code. While the additions are not completely specific to Stanford University, it still has some limitations and missing components that will make it difficult to deploy new features outside of Stanford, and it's not yet been tested in a production deployment. The new mod_webauth and mod_webauthldap are suitable for everyone, but sites outside of Stanford University will probably want to wait for subsequent releases before updating mod_webkdc and the WebLogin code.

  • WebAuth now has support for multifactor authentication. New WebAuth configuration directives WebAuthRequireInitialFactor, WebAuthRequireSessionFactor, and WebAuthRequireLOA can be used to require specific authentication factors, unspecified multiple factors, or a site-specific level of assurance value to allow access to particular content. Using this feature currently requires a custom middleware service that returns information about users and their configured factors and that validates a provided OTP code. New WebKDC configuration directives WebKdcUserInfoURL and WebKdcUserInfoPrincipal control how that middleware service is used. WebKdcKerberosFactors controls what factors are assigned to webkdc-proxy tokens obtained directly from the WebKDC rather than via WebLogin.

  • mod_webauth now exposes the user's initial and session authentication methods via environment variables WEBAUTH_FACTORS_INITIAL and WEBAUTH_FACTORS_SESSION, and the user's level of assurance (if known) via WEBAUTH_LOA.

  • WebLogin now uses Template Toolkit for all templating instead of HTML::Template. This means that all local WebLogin templates will have to be revised for the new syntax. WebLogin has also dropped support for obsolete template variables and for templates that don't support the new variables that have been introduced over the years. See the sample templates in weblogin/templates for examples of what the new templates should look like.

  • WebLogin now uses CGI::Application to control page flow through the WebLogin pages. WebLogin servers will need CGI::Application plus additional plugin modules installed. See docs/install-webkdc for a complete list.

  • As part of multifactor support, WebLogin can now tell an external middleware service to send an OTP code to the user through site-specific means (such as an SMS message). There are new configuration variables for webkdc.conf to specify how to contact this optional service.

  • As part of multifactor support, WebLogin supports a new site-specific callback to determine the initial and session factors for a user who has been authenticated via some other Apache authentication mechanism (such as GSS-API via mod_auth_kerb). See docs/weblogin-config under remuser_factors for more information.

  • The libwebauth library API has changed significantly in this version and will be changing further in subsequent versions. There are new webauth/*.h headers for the new API, but this API should not yet be considered stable. External users of the libwebauth API should stay with previous releases until the libwebauth library changes have been completed, and should expect to require substantial changes (mostly simplifications).

  • The proxy data attribute of webkdc-proxy tokens is now optional and may be omitted for webkdc-proxy token types (like remuser) that carry no additional data. The WebKDC now accepts webkdc-proxy tokens with no data but always adds some data for backward compatibility with older servers. It will stop generating that data in a future release.

  • The keyring manipulation functions of the WebAuth Perl module have been rewritten to be object-oriented, introducing new WebAuth::Keyring and WebAuth::KeyringEntry objects. Perl code using the WebAuth module to manipulate keyrings will have to be modified, since several functions were removed in favor of the new interface. Methods to remove a key from a keyring, get the timestamps and keys associated with keyring entries, and choose the best key from a keyring have been added.

  • Use PATH_KRB5_CONFIG as the environment variable to set the path to krb5-config rather than KRB5_CONFIG, since the latter is used by the Kerberos libraries to specify an alternative path to krb5.conf.

  • Update to rra-c-util 3.8:

    • Add notices to all files copied over from rra-c-util.
    • Fix warnings when reporting memory allocation failure in messages.c.
    • Include strings.h for additional POSIX functions where found.
    • Avoid using krb5-config if --with-{krb5,gssapi}-{include,lib} given.
    • Fix use of long long in portable/mkstemp.c.
  • Update to C TAP Harness 1.8:

    • Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
    • Fix runtests to honor -s even if BUILD and -b aren't given.
Last modified Friday, 12-Dec-2014 02:31:14 PM

Stanford University Home Page