--- webauth-3.6.0.orig/debian/webkdc.conf
+++ webauth-3.6.0/debian/webkdc.conf
@@ -0,0 +1,5 @@
+# webkdc.conf -- Default Debian overrides for WebKDC Perl module.
+# $Id: webkdc.conf 2112 2004-06-25 02:16:35Z eagle $
+
+our $KEYRING_PATH = '/var/lib/webkdc/keyring';
+our $TEMPLATE_PATH = '/usr/share/weblogin/generic/templates';
--- webauth-3.6.0.orig/debian/control
+++ webauth-3.6.0/debian/control
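Review bot: `$KEYRING_PATH` in debian/webkdc.conf names the WebKDC keyring, but the file does not say who must own `/var/lib/webkdc` or which mode it needs. The keyring presumably holds the keys used to protect WebAuth tokens, so a comment above the assignment would help, for example `# Keyring holds WebKDC private keys; keep its directory readable only by the web server user.` Whether the package creates that directory with restrictive ownership and mode is decided in debian/rules or the maintainer scripts, which are outside this hunk and should be checked. Separately, the README.Debian added later in this patch gives `/usr/share/webauth/generic` as the template location, while `$TEMPLATE_PATH` here and the README's own Alias lines use `/usr/share/weblogin/generic`; one of the two spellings looks like a typo.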
@@ -0,0 +1,137 @@
+Source: webauth
+Section: web
+Priority: optional
+Maintainer: Russ Allbery
+Build-Depends: debhelper (>> 5), apache2-threaded-dev (>= 2.2),
+ libcurl3-openssl-dev, libkrb5-dev, libldap2-dev, libssl-dev, perl
+Standards-Version: 3.7.3
+Homepage: http://webauth.stanford.edu/
+
+Package: libapache2-webauth
+Section: net
+Architecture: any
+Depends: apache2.2-common, ${shlibs:Depends}
+Description: Apache 2 modules for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the Apache 2 modules to do basic authentication for
+ individual web servers and to look up LDAP information using LDAP v3 with
+ GSSAPI binds about the authenticated user. Directory information can be
+ used for authorization control and to populate environment variables.
+ These modules should be installed on any web server using WebAuth.
+
+Package: libapache2-webkdc
+Section: net
+Architecture: any
+Depends: apache2.2-common, ${shlibs:Depends}
+Description: Apache 2 modules for a WebAuth authentication KDC
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the Apache 2 module for the central authentication
+ server for a particular site. Only one such server is needed; all web
+ servers that use WebAuth will talk to this server to obtain and verify
+ authentication credentials.
+
+Package: libwebauth-perl
+Section: perl
+Architecture: any
+Depends: ${shlibs:Depends}, ${perl:Depends}
+Description: Perl library for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the Perl bindings to the WebAuth library, which
+ does token encoding and decoding and other lower-level parts of the
+ WebAuth protocol.
+
+Package: libwebauth1
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Shared libraries for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the shared library used by the WebAuth modules,
+ Perl bindings, and command-line utilities. It does token encoding and
+ decoding and other lower-level parts of the WebAuth protocol.
+
+Package: libwebauth1-dev
+Section: libdevel
+Priority: extra
+Architecture: any
+Depends: libwebauth1 (= ${binary:Version}), libkrb5-dev
+Description: Development files for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the symlinks, headers, and static library needed to
+ compile and link programs that use libwebauth.
+
+Package: libwebkdc-perl
+Section: perl
+Architecture: all
+Depends: ${perl:Depends}, libwebauth-perl (>= 3.2.6-1),
+ libio-socket-ssl-perl, libwww-perl, libxml-parser-perl
+Description: Perl library for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the Perl modules that support the WebLogin server,
+ which handles user authentication and the establishment of initial
+ authentication credentials.
+
+Package: webauth-tests
+Architecture: all
+Depends: libapache2-webauth
+Description: Tests for the WebAuth authentication modules
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains test HTML files and Apache 2 configuration
+ fragments to test a new installation of the WebAuth modules.
+
+Package: webauth-utils
+Architecture: any
+Depends: ${shlibs:Depends}
+Description: Command-line utilities for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains an additional command-line tool to manipulate
+ WebAuth keyrings.
+
+Package: webauth-weblogin
+Architecture: all
+Depends: ${perl:Depends}, libwebauth-perl (>= 3.2.6-1), libwebkdc-perl,
+ libhtml-template-perl, libcgi-fast-perl
+Recommends: httpd-cgi
+Suggests: libapache2-mod-auth-kerb
+Description: Central login server for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the CGI-based WebLogin server that handles initial
+ user authentication and building authentication tokens for WebAuth
+ servers. Only one WebLogin server is needed to support a site WebAuth
+ installation. It is normally run on the same system as the WebKDC.
--- webauth-3.6.0.orig/debian/libwebauth1.symbols
+++ webauth-3.6.0/debian/libwebauth1.symbols
@@ -0,0 +1,68 @@ +libwebauth.so.1 libwebauth1 #MINVER# + WEBAUTH_1.0@WEBAUTH_1.0 3.3.0 + webauth_attr_list_add@WEBAUTH_1.0 3.3.0 + webauth_attr_list_add_int32@WEBAUTH_1.0 3.3.0 + webauth_attr_list_add_str@WEBAUTH_1.0 3.3.0 + webauth_attr_list_add_time@WEBAUTH_1.0 3.3.0 + webauth_attr_list_add_uint32@WEBAUTH_1.0 3.3.0 + webauth_attr_list_find@WEBAUTH_1.0 3.3.0 + webauth_attr_list_free@WEBAUTH_1.0 3.3.0 + webauth_attr_list_get@WEBAUTH_1.0 3.3.0 + webauth_attr_list_get_int32@WEBAUTH_1.0 3.3.0 + webauth_attr_list_get_str@WEBAUTH_1.0 3.3.0 + webauth_attr_list_get_time@WEBAUTH_1.0 3.3.0 + webauth_attr_list_get_uint32@WEBAUTH_1.0 3.3.0 + webauth_attr_list_new@WEBAUTH_1.0 3.3.0 + webauth_attrs_decode@WEBAUTH_1.0 3.3.0 + webauth_attrs_encode@WEBAUTH_1.0 3.3.0 + webauth_attrs_encoded_length@WEBAUTH_1.0 3.3.0 + webauth_base64_decode@WEBAUTH_1.0 3.3.0 + webauth_base64_decoded_length@WEBAUTH_1.0 3.3.0 + webauth_base64_encode@WEBAUTH_1.0 3.3.0 + webauth_base64_encoded_length@WEBAUTH_1.0 3.3.0 + webauth_error_message@WEBAUTH_1.0 3.3.0 + webauth_hex_decode@WEBAUTH_1.0 3.3.0 + webauth_hex_decoded_length@WEBAUTH_1.0 3.3.0 + webauth_hex_encode@WEBAUTH_1.0 3.3.0 + webauth_hex_encoded_length@WEBAUTH_1.0 3.3.0 + webauth_info_build@WEBAUTH_1.0 3.3.0 + webauth_info_version@WEBAUTH_1.0 3.3.0 + webauth_key_copy@WEBAUTH_1.0 3.3.0 + webauth_key_create@WEBAUTH_1.0 3.3.0 + webauth_key_free@WEBAUTH_1.0 3.3.0 + webauth_keyring_add@WEBAUTH_1.0 3.3.0 + webauth_keyring_auto_update@WEBAUTH_1.0 3.3.0 + webauth_keyring_best_key@WEBAUTH_1.0 3.3.0 + webauth_keyring_decode@WEBAUTH_1.0 3.3.0 + webauth_keyring_encode@WEBAUTH_1.0 3.3.0 + webauth_keyring_free@WEBAUTH_1.0 3.3.0 + webauth_keyring_new@WEBAUTH_1.0 3.3.0 + webauth_keyring_read_file@WEBAUTH_1.0 3.3.0 + webauth_keyring_remove@WEBAUTH_1.0 3.3.0 + webauth_keyring_write_file@WEBAUTH_1.0 3.3.0 + webauth_krb5_error_code@WEBAUTH_1.0 3.3.0 + webauth_krb5_error_message@WEBAUTH_1.0 3.3.0 + webauth_krb5_export_tgt@WEBAUTH_1.0 3.3.0 + 
webauth_krb5_export_ticket@WEBAUTH_1.0 3.3.0 + webauth_krb5_free@WEBAUTH_1.0 3.3.0 + webauth_krb5_get_principal@WEBAUTH_1.0 3.6.0 + webauth_krb5_get_realm@WEBAUTH_1.0 3.6.0 + webauth_krb5_import_cred@WEBAUTH_1.0 3.3.0 + webauth_krb5_init_via_cache@WEBAUTH_1.0 3.3.0 + webauth_krb5_init_via_cred@WEBAUTH_1.0 3.3.0 + webauth_krb5_init_via_keytab@WEBAUTH_1.0 3.3.0 + webauth_krb5_init_via_password@WEBAUTH_1.0 3.3.0 + webauth_krb5_keep_cred_cache@WEBAUTH_1.0 3.3.0 + webauth_krb5_mk_req@WEBAUTH_1.0 3.3.0 + webauth_krb5_mk_req_with_data@WEBAUTH_1.0 3.3.0 + webauth_krb5_new@WEBAUTH_1.0 3.3.0 + webauth_krb5_rd_req@WEBAUTH_1.0 3.3.0 + webauth_krb5_rd_req_with_data@WEBAUTH_1.0 3.3.0 + webauth_krb5_service_principal@WEBAUTH_1.0 3.3.0 + webauth_random_bytes@WEBAUTH_1.0 3.3.0 + webauth_random_key@WEBAUTH_1.0 3.3.0 + webauth_token_create@WEBAUTH_1.0 3.3.0 + webauth_token_create_with_key@WEBAUTH_1.0 3.3.0 + webauth_token_encoded_length@WEBAUTH_1.0 3.3.0 + webauth_token_parse@WEBAUTH_1.0 3.3.0 + webauth_token_parse_with_key@WEBAUTH_1.0 3.3.0 --- webauth-3.6.0.orig/debian/webauth-weblogin.README.Debian +++ webauth-3.6.0/debian/webauth-weblogin.README.Debian 
@@ -0,0 +1,158 @@ +WebAuth Weblogin Server for Debian +---------------------------------- + +This package contains the central Weblogin server for a WebAuth +installation. Only one server (or one pool of load-balanced servers) at a +given site need to run this package. libapache2-webkdc should also be +installed on the same server as this package is running on. + +This package comes with a very generic set of page templates, suitable for +getting started. You will probably want to customize those templates for +your local site, and you should definitely customize the help.html web +page to contain contact information for your local help desk. The generic +templates are installed in /usr/share/webauth/generic; you can just copy +that whole directory with cp -r to another directory and make whatever +changes you want. Then, change the paths in the two Alias lines below to +point to your directory instead of the generic directory and change the +TEMPLATE_PATH in /etc/webkdc/webkdc.conf to point to the new path. + +(You could then, if you wished, make a Debian package of your local +templates to make them easier to maintain.) + +See: + + + +for more information about WebAuth, including copies of the module manuals +and places to contact to get help with the installation. + + +Installing the Weblogin Server +------------------------------ + +The Weblogin server is implemented as Perl CGI scripts. In order to +finish the installation, you need to add Apache configuration directives +to send the login and logout URLs to these CGI scripts and to allow the +images and help page they refer to to be found. 
+ +Add the following configuration to a virtual host in: + + /etc/apache2/sites-available/weblogin + +or wherever you put local Apache configuration: + + + AllowOverride None + Options +ExecCGI + SSLRequireSSL + Order allow,deny + Allow from all + + ScriptAlias /login "/usr/share/weblogin/login.fcgi" + ScriptAlias /logout "/usr/share/weblogin/logout.fcgi" + + Alias /help.html "/usr/share/weblogin/generic/help.html" + Alias /images/ "/usr/share/weblogin/generic/images/" + +(If you put this in sites-available, you then need to enable the site with +a2ensite.) + +The ScriptAlias and Alias directives can, of course, be changed if you +want the Weblogin server to live at a different URL (although note that +the default templates expect /help.html and /images to work and may need +to be modified otherwise). + +If you used something other than /webkdc-service as the URL to the WebKDC, +you will need to modify the $URL setting in /etc/webkdc/webkdc.conf to +point to the appropriate URL on localhost that the WebKDC is listening to. + +Because the Weblogin server accepts Kerberos passwords from end-users, it +must only be available over SSL. The SSLRequireSSL above makes sure that +users only use SSL to contact the server, but you may also want to put the +above in a virtual host specifically for SSL and set up a separate non-SSL +virtual host that redirects all accesses to the SSL URL. + +Now, reload Apache's configuration file with apache2ctl graceful. After +you've tested and everything is working, you will probably want to +customize the templates as described above. + + +Site Documentation +------------------ + +After you have configured both this server and the WebKDC, following the +instructions in /usr/share/doc/libapache2-webkdc/README.Debian, you should +document the way WebAuth is configured at your site for other users who +are installing the WebAuth modules on individual web servers. 
I recommend +putting up a web page that contains the following information: + + * The configuration needed for libapache2-webauth (or any other + installation of WebAuth, regardless of platform, at your site). Users + who are installing WebAuth servers need to know the URL to the WebKDC + service, the URL to the Weblogin server, and the Kerberos principal + used by the WebKDC, choices that you had to make while installing. + + I recommend using: + + WebAuthLoginURL https://weblogin.example.com/login + WebAuthWebKdcURL https://weblogin.example.com/webkdc-service + WebAuthWebKdcPrincipal service/webkdc@example.com + + where example.com is your domain. But as long as you configure this + package and libapache2-webkdc consistently, you can use whatever URLs + and Kerberos principals you want. + + * The naming convention for WebAuth Kerberos principals for individual + web servers. This needs to match the configuration that you put into + token.acl when configuring the WebKDC. + + * How to download or otherwise obtain a Kerberos keytab at your site, + when someone is installing a new server. This will depend on how your + Kerberos realm is maintained. + +You will also want to modify the templates for the Weblogin server as +mentioned above to include images, pointers, and help appropriate to your +local site. + + +Using SPNEGO +------------ + +The Weblogin scripts optionally support attempting to authenticate with +SPNEGO first before prompting the user with a username and password. If +the user is authenticated to Kerberos and their ticket caches are properly +accessible to the browser, this should work with Firefox on all platforms +and Safari on the Mac, at least. It may also work with IE depending on +your KDC setup. + +To use SPNEGO in Debian, install the libapache2-mod-auth-kerb module (it +will do the SPNEGO protocol work) and then follow the instructions in +/usr/share/doc/webauth-weblogin/install-spnego.gz. 
The path to the +login.fcgi script will be different in the example ScriptAlias +configuration, but otherwise those instructions should work verbatim with +Debian. + + +Using FastCGI +------------- + +The Weblogin scripts are written so that they can use FastCGI, but don't +require it. FastCGI is, unfortunately, under a non-free license, so this +is not the default. + +If you want to use these scripts with FastCGI, you will need to install +the Apache 2.x modules for FastCGI, which are not bundled with Debian. +You can obtain them from . Once the module is +installed, you need to add this line to load the module: + + LoadModule fastcgi_module modules/mod_fastcgi.so + +and then, to the block in the installation instructions above, +add the line: + + AddHandler fastcgi-script .fcgi + +After you restart Apache with apache2ctl graceful, the Weblogin scripts +should run under FastCGI. + + -- Russ Allbery , Thu Mar 16 13:33:18 2006 --- webauth-3.6.0.orig/debian/libapache2-webkdc.install +++ webauth-3.6.0/debian/libapache2-webkdc.install @@ -0,0 +1,4 @@ +etc/apache2/mods-available/webkdc.conf +etc/apache2/mods-available/webkdc.load +etc/webkdc/token.acl +usr/lib/apache2/modules/mod_webkdc.so --- webauth-3.6.0.orig/debian/webauth-weblogin.docs +++ webauth-3.6.0/debian/webauth-weblogin.docs @@ -0,0 +1,7 @@ +NEWS +README +TODO +doc/install-spnego +doc/weblogin-config +doc/weblogin-cookies +doc/weblogin-flow --- webauth-3.6.0.orig/debian/libwebauth1-dev.install +++ webauth-3.6.0/debian/libwebauth1-dev.install @@ -0,0 +1,4 @@ +usr/include +usr/lib/libwebauth.a +usr/lib/libwebauth.la +usr/lib/libwebauth.so --- webauth-3.6.0.orig/debian/libwebauth-perl.install +++ webauth-3.6.0/debian/libwebauth-perl.install @@ -0,0 +1,2 @@ +usr/lib/perl5 +usr/share/man/man3/WebAuth.3pm --- webauth-3.6.0.orig/debian/libwebkdc-perl.install +++ webauth-3.6.0/debian/libwebkdc-perl.install 
@@ -0,0 +1,3 @@
+etc/webkdc/webkdc.conf
+usr/share/perl5
+usr/share/man/man3/WebKDC*.3pm
--- webauth-3.6.0.orig/debian/changelog
+++ webauth-3.6.0/debian/changelog
@@ -0,0 +1,244 @@ +webauth (3.6.0-1) unstable; urgency=low + + * New upstream release. + - Fix prematurely freed internal data in mod_webauth. + - Work around a CGI Perl module bug in WebLogin that caused crashes + for WebLogin URLs containing two slashes and two plus signs. + - Add WebLogin support for delegated credentials. Based on work by + Joachim Keltsch. (Closes: #466792) + - New WebKdcLocalRealms and WebKdcPermittedRealms mod_webkdc options. + - New WebKDC protocol error for a login rejected by policy. + - New err_rejected variable in the weblogin login.tmpl template. + - Several new WebLogin configuration options and hooks. + - WebLogin REMOTE_USER variables have been renamed for consistency, + but the old variables will continue to work. + * Add symbols support for libwebauth1. + * Bump shlibs for libwebauth1 for the introduction of a new interface. + * Minor debian/rules tweaking: + - Use the right configure arguments for cross-compiles. + - Use touch $@ to create stamp files. + - Use install rather than cp and mkdir. + * Update the doc-base section for the WebAuth protocol specification. + + -- Russ Allbery Fri, 21 Mar 2008 22:10:09 -0700 + +webauth (3.5.5-1) unstable; urgency=low + + * New upstream release. + - Check browser cookie support on first WebLogin visit for better + cookie checks with Apache authentication. (Closes: #430486) + - New err_cookies_disabled error template variable. + - Fix memory allocation for environment variables in mod_webauthldap. + - Improve display of Shibboleth destination URLs. + * Incorporate NEWS.Debian into webauth-weblogin.NEWS, since it is the + only affected package for the old news item. + * Call dh_fixperms before dh_strip so that the WebAuth Perl module will + be stripped properly. + * Recommend httpd-cgi and suggest libapache2-mod-auth-kerb for + webauth-weblogin. + * Use ${binary:Version} instead of ${Source-Version} in debian/control. + * Move the Homepage pseudo-header from Description to a real header. 
+ * Wrap all Depends lines in debian/control. + * Drop the version on the Perl build-depends. That version is older + than oldstable. + * libwebkdc-perl is arch-independent, so no need for ${shilbs:Depends}. + * Use a configure-stamp file rather than config.status. + * Capitalize WebLogin consistently in package descriptions. + * Update standards version to 3.7.3 (no changes required). + * Update debhelper compatibility level to V5 (no changes required). + + -- Russ Allbery Tue, 08 Jan 2008 22:00:03 -0800 + +webauth (3.5.4-1) unstable; urgency=low + + * New upstream release. + - WebLogin supports displaying destination Shibboleth URLs. + - Be more aggressive about telling browsers not to cache. + - Properly merge directory configurations in mod_webauthldap. + - Refresh REMOTE_USER cookies in WebLogin. + - Improved WebLogin documentation of cookies used. + * Put the Apache modules in the net section to match overrides. + + -- Russ Allbery Tue, 24 Apr 2007 14:35:35 -0700 + +webauth (3.5.3-2) unstable; urgency=low + + * Rebuild for Apache 2.2. + - Add versioned build dependency. + - Change module dependencies from apache2 to apache2.2-common. + - Document the need to enable authz_user. + * Depend on apache2-threaded-dev rather than on the virtual apache2-dev + package. + + -- Russ Allbery Mon, 9 Oct 2006 16:07:54 -0700 + +webauth (3.5.3-1) unstable; urgency=low + + * New usptream release. + - Upstream source now supports Apache 2.2 builds. + - Improve and document mod_webkdc logging. + - Disable debug logging in the weblogin scripts. + + -- Russ Allbery Mon, 11 Sep 2006 20:34:07 -0700 + +webauth (3.5.2-1) unstable; urgency=medium + + * New upstream release. + - SECURITY: Fix the default weblogin templates to always escape form + variables. Sites using customized templates should check their + templates for the same issue; see NEWS.gz for more information. 
+ - When Apache authentication for weblogin fails, don't retry for that + user session even on empty form submissions. + - Mark weblogin login and logout pages and not cachable by browsers. + * Include NEWS, README, and TODO in the webauth-weblogin doc directory. + + -- Russ Allbery Thu, 13 Jul 2006 17:56:23 -0700 + +webauth (3.5.1-1) unstable; urgency=low + + * New upstream release. + - Multiple changes to the Weblogin scripts and templates that will + require updates to existing templates. See the upstream NEWS file + for more details. + - Fix decoding of keyring times on 64-bit platforms. + * Update standards version to 3.7.2 (no changes required). + + -- Russ Allbery Tue, 20 Jun 2006 09:20:44 -0700 + +webauth (3.5.0-1) unstable; urgency=low + + * New upstream release. + - WebAuthExtraRedirect on is now the default. + - Clean up of weblogin template variables. Existing templates will + have to be updated. + - Support for optional Apache authentication in weblogin. + - Clean up and better documentation of the weblogin code. + - New weblogin configuration documentation. + - http://webauth.stanford.edu/ is now the canonical upstream URL. + + -- Russ Allbery Mon, 20 Mar 2006 17:29:57 -0800 + +webauth (3.4.2-1) unstable; urgency=low + + * New upstream release. + + -- Russ Allbery Fri, 17 Feb 2006 20:18:49 -0800 + +webauth (3.4.1-1) unstable; urgency=low + + * New upstream release. + - Reverted the change to not strip WebAuth data from unprotected URLs + since it interacted poorly with .htaccess files. + - The config option WebAuthStripURL is now documented and supported. + - Avoid deprecated OpenLDAP APIs. + + -- Russ Allbery Mon, 6 Feb 2006 17:38:30 -0800 + +webauth (3.4.0-1) unstable; urgency=low + + * New upstream release. + - webauth-weblogin can now optionally try SPNEGO authentication before + prompting for a username and password. + - mod_webauth doesn't strip WebAuth information from the internal URL + for requests not protected by WebAuth. 
+ - Much improved protocol specification. + - Use --enable-reduced-depends to reduce library dependencies. + - No compiler warnings with -Wall. + * Only install the protocol documentation in libapache2-mod-webauth, not + in libapache2-mod-webkdc. If you're using WebAuth at all you'll + install the former somewhere, and there's no need to duplicate it. + * Register the protocol documentation with doc-base. + * Don't install HACKING; it's not useful without the source. + * Use DH_OPTIONS to reduce clutter in debian/rules. + * Add build-arch and build-indep targets. + * Don't ignore the return status of make distclean. + * Use stamp files in a cleaner way. + * Update copyright dates. + + -- Russ Allbery Mon, 23 Jan 2006 22:09:35 -0800 + +webauth (3.3.0-2) unstable; urgency=low + + * Build-depend on libcurl3-openssl-dev, not libcurl3-dev. + * Update maintainer address. + + -- Russ Allbery Wed, 16 Nov 2005 16:39:21 -0800 + +webauth (3.3.0-1) unstable; urgency=low + + * New upstream release. + - S/Ident support removed. + - New WebAuthLdapSeparator configuration setting for multi-valued + attribute handling. + - libwebauth now uses symbol versioning. + * Update copyright to my current format and add an explicit packaging + copyright and license statement. + * Minor cleanup of debian/rules. + * Indent the homepage in package descriptions to avoid wrapping. + * Update standards version to 3.6.2 (no changes required). + + -- Russ Allbery Tue, 4 Oct 2005 21:40:28 -0700 + +webauth (3.2.8-1) unstable; urgency=low + + * New upstream release. + - mod_webauth now handles empty keyring files appropriately. + - Significant improvements to the mod_webkdc manual. + + -- Russ Allbery Thu, 2 Jun 2005 23:21:02 -0700 + +webauth (3.2.7-1) unstable; urgency=low + + * New upstream release. + - Update libtool to 1.5.6 for better shared library support on MIPS. + Thanks, Ryan Murray. (Closes: #306027) + - Better diagnose a missing service token on a weblogin request. 
+ + -- Russ Allbery Sat, 23 Apr 2005 14:33:20 -0700 + +webauth (3.2.6-1) unstable; urgency=low + + * Uploaded to Debian. (Closes: #304728) + * New upstream release. + - Renamed the WebAuth3 Perl bindings to WebAuth. + - Renamed the libwebauth3-perl package to libwebauth-perl accordingly. + * Add dependency on libwebauth-perl to webauth-weblogin. libwebkdc-perl + will also pull it in, but this is more completely correct. + * Add watch file. + + -- Russ Allbery Mon, 18 Apr 2005 23:06:23 -0700 + +webauth (3.2.5-1) unstable; urgency=low + + * New upstream release. + - Removed debian directory from upstream tarball. + - Report information from mod_webauthldap at saner message levels. + * Fix package sections and formatting of the homepage link. + * Use CFLAGS for the Perl module builds rather than hard-coding flags. + * Change the README.Debian files to follow the Apache 2.x package + recommendations for where to put local configuration. + * Add upstream TODO to libapache2-webauth and libapache2-webkdc. + + -- Russ Allbery Thu, 14 Apr 2005 21:51:28 -0700 + +webauth (3.2.4-2) unstable; urgency=low + + * No source changes. + * Rebuild for libcurl migration. + + -- Russ Allbery Mon, 7 Mar 2005 14:47:24 -0800 + +webauth (3.2.4-1) unstable; urgency=low + + * New upstream release. + - Fix bug in S/Ident handling in weblogin script. + * Add prerm scripts for libapache2-webauth and libapache2-webkdc to call + a2dismod if the module is enabled. + + -- Russ Allbery Wed, 25 Aug 2004 17:36:56 -0700 + +webauth (3.2.3-1) unstable; urgency=low + + * Initial release. + + -- Russ Allbery Wed, 23 Jun 2004 16:11:02 -0700 --- webauth-3.6.0.orig/debian/watch +++ webauth-3.6.0/debian/watch 
@@ -0,0 +1,9 @@
+# watch -- Rules for uscan to find new upstream versions.
+# $Id: watch 2498 2006-03-20 18:02:22Z rra $
+#
+# I don't use this personally since I'm also one of the upstream
+# maintainers, but it's included for the benefit of automated package
+# analysis systems.
+
+version=3
+http://webauth.stanford.edu/download.html ^dist/webauth-([^-]+)\.tar\.gz
--- webauth-3.6.0.orig/debian/libapache2-webauth.NEWS
+++ webauth-3.6.0/debian/libapache2-webauth.NEWS
@@ -0,0 +1,21 @@
+libapache2-webauth (3.5.3-2) unstable; urgency=low
+
+ As of this release, the WebAuth module is built for Apache 2.2 rather
+ than Apache 2.0. Please note that Apache 2.2 moved authentication and
+ authorization functionality out of Apache into modules that may not be
+ enabled by default. In particular, directives of the form:
+
+ Require valid-user
+ Require user
+
+ will not work unless mod_authz_user is enabled. To do this, run:
+
+ a2enmod authz_user
+
+ as root. You do not need to enable this module if you never use
+ directives of that type (if, for instance, you only use Require
+ privgroup directives), but note that the WebAuth tests expect this
+ functionality to be available.
+
+ -- Russ Allbery Mon, 09 Oct 2006 14:28:00 -0700
+
--- webauth-3.6.0.orig/debian/webauth-utils.install
+++ webauth-3.6.0/debian/webauth-utils.install
@@ -0,0 +1,2 @@
+usr/bin
+usr/share/man/man1
--- webauth-3.6.0.orig/debian/compat
+++ webauth-3.6.0/debian/compat
@@ -0,0 +1 @@
+5
--- webauth-3.6.0.orig/debian/copyright
+++ webauth-3.6.0/debian/copyright
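Review bot: The last line of debian/watch points uscan at `http://webauth.stanford.edu/download.html` over plain HTTP and configures no signature check, so the tarball uscan finds is only as trustworthy as the network path to that page. If upstream serves the page over TLS, the URL should become `https://webauth.stanford.edu/download.html`. If upstream also publishes detached signatures, adding a `pgpsigurlmangle` option and shipping the upstream key as `debian/upstream/signing-key.asc` would let uscan verify each download. Neither HTTPS availability nor signed releases can be confirmed from this patch, so both need checking against the upstream site first.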
@@ -0,0 +1,62 @@ +Packaged for Debian by Russ Allbery 2004-06-23 + +It was downloaded from: + + + +Upstream authors: + + The WebAuth v3 protocol and core implementation was written by Roland + Schemers, based on design documents by the entire Stanford WebAuth + team (with considerable work by Tim Torgenrud and Booker Bense) and + based in part on the functionality of WebAuth v2.5, written and + maintained by a cast of dozens over the years but most notably Jeff + Lewis, Anton Ushakov, and Jeanmarie Lucker. + + The mod_webauthldap module was written by Anton Ushakov. + + The configuration and build system and WebAuth packaging was put + together by Russ Allbery. Huaqing Zheng provided builds of supporting + packages and Jonathan Pilat helped greatly with testing. Xueshan Feng + oversaw the project. + + Thanks to pod for improvements, particularly to the WebKDC, to make it + easier to package for a Linux distribution, for the initial Debian + package build rules, and for generic WebKDC templates suitable for a + new installation and for use as examples. + +Upstream maintainer: + + WebAuth Development Team + +Debian packaging copyright: + + Copyright 2004, 2005, 2006 Board of Trustees, Leland Stanford Jr. + University. + + All files and modifications related to Debian packaging are covered + under the same license terms as the rest of the package. + +Copyright: + + Copyright 2002, 2003, 2004, 2005, 2006 Board of Trustees, Leland + Stanford Jr. University. 
+ + Permission is hereby granted, free of charge, to any person obtaining + a copy of this software and associated documentation files (the + "Software"), to deal in the Software without restriction, including + without limitation the rights to use, copy, modify, merge, publish, + distribute, sublicense, and/or sell copies of the Software, and to + permit persons to whom the Software is furnished to do so, subject to + the following conditions: + + The above copyright notice and this permission notice shall be + included in all copies or substantial portions of the Software. + + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, + EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. + IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY + CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, + TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --- webauth-3.6.0.orig/debian/webauth-weblogin.NEWS +++ webauth-3.6.0/debian/webauth-weblogin.NEWS 
@@ -0,0 +1,52 @@ +webauth-weblogin (3.6.0-1) unstable; urgency=low + + The login.tmpl WebLogin template has a new error variable, err_rejected, + which will be set if the user login was rejected due to a + WebKdcPermittedRealms setting. + + -- Russ Allbery Fri, 21 Mar 2008 22:05:56 -0700 + +webauth-weblogin (3.5.5-1) unstable; urgency=low + + WebLogin now checks for cookies as the first action when a browser goes + to WebLogin for the initial time and uses the error template rather than + the login template to display errors about disabled cookies. The + err_cookies template variable in the login template is no longer used, + and the error template has a new err_cookies_disabled parameter. + + Custom templates should be updated to handle err_cookies_disabled in the + error template, although the WebLogin scripts will work around the + absence of that variable. + + -- Russ Allbery Tue, 08 Jan 2008 16:41:38 -0800 + +webauth-weblogin (3.5.2-1) unstable; urgency=medium + + Prior versions of the default weblogin templates had a cross-site + scripting vulnerability that potentially allowed an attacker to trick + users into submitting their username and password to the attacker's + site. This vulnerability has been corrected in the sample templates as + of this release, but any templates based on the sample templates should + be checked for this vulnerability as well. + + In the templates, replace any instance of: + + + + with: + + + + where "variable" may be any variable name. + + -- Russ Allbery Thu, 13 Jul 2006 17:56:23 -0700 + +webauth (3.5.0-1) unstable; urgency=low + + The weblogin template variables have changed significantly with this + release, both by renaming existing ones and by adding new ones. Please + read /usr/share/doc/webauth-weblogin/weblogin-config.gz for detailed + documentation for both the template variables and the webkdc.conf + settings. 
+ + -- Russ Allbery Wed, 15 Mar 2006 16:55:41 -0800 --- webauth-3.6.0.orig/debian/rules +++ webauth-3.6.0/debian/rules 
@@ -0,0 +1,157 @@ +#!/usr/bin/make -f +# -*- makefile -*- +# GNU copyright 1997 to 1999 by Joey Hess. +# Further updates by Russ Allbery + +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +# This has to be exported for some magic to work later. +export DH_OPTIONS + +# Tell Autoconf the correct system types. +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE)) + SYSTEM = --build $(DEB_HOST_GNU_TYPE) +else + SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE) +endif + +ifndef PERL + PERL = /usr/bin/perl +endif + +CFLAGS = -Wall -g +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + CFLAGS += -O0 +else + CFLAGS += -O2 +endif + +configure-stamp: + dh_testdir + CFLAGS="$(CFLAGS)" ./configure --prefix=/usr \ + --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info \ + --enable-mod_webkdc --enable-perl --with-apxs=/usr/bin/apxs2 \ + --enable-reduced-depends $(SYSTEM) + touch $@ + +build: build-arch build-indep +build-arch: build-stamp +build-indep: build-stamp +build-stamp: configure-stamp + dh_testdir + $(MAKE) + cd src/bindings/perl/WebAuth && $(PERL) Makefile.PL INSTALLDIRS=vendor + cd src/bindings/perl/WebAuth && $(MAKE) OPTIMIZE="$(CFLAGS)" + cd src/webkdc && $(PERL) Makefile.PL INSTALLDIRS=vendor + cd src/webkdc && $(MAKE) OPTIMIZE="$(CFLAGS)" + touch $@ + +clean: + dh_testdir + dh_testroot + rm -f configure-stamp build-stamp install-stamp + [ ! -f Makefile ] || $(MAKE) distclean + dh_clean + +# Unfortunately, we have to run make install in the various directories +# separately and install Apache modules manually because apxs with the current +# Makefiles doesn't correctly handle DESTDIR. 
+install: install-stamp +install-stamp: build-stamp + dh_testdir + dh_testroot + dh_clean -k + mkdir -p $(CURDIR)/debian/tmp/usr/lib/apache2/modules + cd src/libwebauth && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install + cd src/utils && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install + install -m 644 src/modules/webauth/.libs/mod_webauth.so \ + $(CURDIR)/debian/tmp/usr/lib/apache2/modules/ + install -m 644 src/modules/webauthldap/.libs/mod_webauthldap.so \ + $(CURDIR)/debian/tmp/usr/lib/apache2/modules/ + install -m 644 src/modules/webkdc/.libs/mod_webkdc.so \ + $(CURDIR)/debian/tmp/usr/lib/apache2/modules/ + install -d $(CURDIR)/debian/tmp/etc/webauth + install -d $(CURDIR)/debian/tmp/etc/webkdc + install -m 644 src/modules/webkdc/token.acl \ + $(CURDIR)/debian/tmp/etc/webkdc/ + install -m 644 debian/webkdc.conf $(CURDIR)/debian/tmp/etc/webkdc/ + install -d $(CURDIR)/debian/tmp/etc/apache2/mods-available + set -e; cd conf/debian && for f in *.conf *.load ; do \ + install -m 644 $$f \ + $(CURDIR)/debian/tmp/etc/apache2/mods-available/$$f ; \ + done + cd src/bindings/perl/WebAuth \ + && $(MAKE) install PREFIX=$(CURDIR)/debian/tmp/usr + cd src/webkdc && $(MAKE) install PREFIX=$(CURDIR)/debian/tmp/usr + install -d $(CURDIR)/debian/tmp/usr/share/weblogin + set -e; cd src/webkdc && for f in login.fcgi logout.fcgi ; do \ + install -m 755 $$f $(CURDIR)/debian/tmp/usr/share/weblogin/$$f ; \ + done + install -d $(CURDIR)/debian/tmp/usr/share/weblogin/generic/templates + set -e; cd src/webkdc && for f in templates/*.tmpl ; do \ + install -m 644 $$f \ + $(CURDIR)/debian/tmp/usr/share/weblogin/generic/$$f ; \ + done + install -m 644 src/webkdc/templates/help.html \ + $(CURDIR)/debian/tmp/usr/share/weblogin/generic/help.html + install -d $(CURDIR)/debian/tmp/usr/share/weblogin/generic/images + set -e; cd src/webkdc && for f in images/*.png ; do \ + install -m 644 $$f \ + $(CURDIR)/debian/tmp/usr/share/weblogin/generic/$$f ; \ + done + install -d 
$(CURDIR)/debian/tmp/usr/share/webauth/conf + install -m 644 tests/mod_webauth/conf/*.conf \ + $(CURDIR)/debian/tmp/usr/share/webauth/conf/ + install -d $(CURDIR)/debian/tmp/usr/share/webauth/htdocs + cp -r tests/mod_webauth/htdocs/tests \ + $(CURDIR)/debian/tmp/usr/share/webauth/htdocs/ + cp -r tests/mod_webauth/htdocs/ldaptests \ + $(CURDIR)/debian/tmp/usr/share/webauth/htdocs/ + touch $@ + +# Build the architecture-independent packages. +binary-indep: DH_OPTIONS=-i +binary-indep: install-stamp + dh_testdir + dh_testroot + dh_installchangelogs CHANGES + dh_installdocs + dh_installexamples + dh_install --sourcedir=debian/tmp + dh_link + dh_compress + dh_fixperms + dh_perl + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + +# Build the architecture-dependent packages. +binary-arch: DH_OPTIONS=-a +binary-arch: install-stamp + dh_testdir + dh_testroot + dh_installchangelogs CHANGES + dh_installdocs + dh_installexamples + dh_install --sourcedir=debian/tmp + dh_installman + dh_link + dh_fixperms + dh_strip + dh_compress + dh_perl + dh_makeshlibs -V 'libwebauth1 (>= 3.6.0)' + dh_installdeb + dh_shlibdeps -L libwebauth1 -l debian/libwebauth1/usr/lib + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-arch binary-indep +.PHONY: binary binary-arch binary-indep build build-arch build-indep clean +.PHONY: install --- webauth-3.6.0.orig/debian/libapache2-webkdc.README.Debian +++ webauth-3.6.0/debian/libapache2-webkdc.README.Debian 
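Review bot: `CFLAGS = -Wall -g` near the top of debian/rules is an unconditional assignment, so any CFLAGS inherited from the build environment (for example distribution hardening flags) are discarded before `./configure` and the Perl `OPTIMIZE="$(CFLAGS)"` builds see them. These are C Apache modules that handle authentication, so I would start from the inherited value with `CFLAGS ?= -Wall -g` and keep the `+= -O0` / `+= -O2` lines as they are. Separately, the two `cp -r tests/mod_webauth/htdocs/...` lines in install-stamp copy the test trees with whatever modes and stray files the build tree happens to hold, unlike the explicit `install -m` used for everything else in the target. An explicit mode pass over `debian/tmp/usr/share/webauth/htdocs` would make the shipped web content predictable.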
@@ -0,0 +1,92 @@ +WebAuth WebKDC for Debian +------------------------- + +This package contains the Apache 2.x module for the central WebAuth +WebKDC. Only one server (or one pool of load-balanced servers) at a given +site need to run this module. On the server that you install this module, +you should also install the webauth-weblogin package and follow its +installation instructions. The documentation for it has additional +information about what site configuration documentation you will probably +want to publish for WebAuth users at your site. + +mod_webkdc.html.en is the formatted manuals, but it expects to be part of +the Apache 2.x documentation tree. If you wish, you can install the +apache2-doc package and then copy this file into: + + /usr/share/doc/apache2-doc/manual/mod/ + +and you will then be able to read it as intended. + +See: + + + +for more information about WebAuth, including copies of the module manuals +and places to contact to get help with the installation. + + +Installing the WebKDC +--------------------- + +After installing this package, you must also do the following to make the +WebKDC available: + + 1. Decide what the URL will be for your WebKDC service. I recommend + , where example.com is + your domain, but you can use anything that you wish. It should, + however, be on the same server as the weblogin server. + + 2. Decide what Kerberos principal to use for the WebKDC service. I + recommend service/webkdc (in your local realm), but you can use + anything that you wish. + + 3. Obtain a Kerberos keytab for the WebKDC. How to obtain a keytab + varies greatly from one Kerberos site to the next; contact your local + Kerberos administrator for more information. + + However you get this keytab, install it in /etc/webkdc/keytab and + then make sure that it is readable by the web server: + + chgrp www-data /etc/webkdc/keytab + chmod 640 /etc/webkdc/keytab + + 4. 
In the configuration for your SSL virtual host, or your main server + configuration if you don't configure SSL separately, add a block like: + + + SSLRequireSSL + SetHandler webkdc + + + You will also have to have a working SSL configuration, which includes + a valid SSL certificate that your WebAuth servers will be able to + validate. See the Apache documentation for information on setting up + SSL. + + 5. Edit /etc/webkdc/token.acl and configure which Kerberos principals + will be allowed to get tokens from the WebKDC. I recommend starting + with a line like: + + krb5:webauth/*@example.com id + + which will allow any webauth/* principal in the example.com realm + (replace that with your own realm) to get an "id" token, which is the + token for basic authentication. You can allow particular servers to + get additional Kerberos credentials on behalf of the user; for more + information, see the manual. + + 6. Enable the WebKDC module: + + a2enmod webkdc + + The WebKDC module will now be loaded the next time you restart your + Apache server. + + 9. Restart Apache: + + apache2ctl graceful + + The WebKDC should now be available, and you can start testing with + WebAuth servers. + + -- Russ Allbery , Thu Mar 16 13:33:35 2006 --- webauth-3.6.0.orig/debian/libapache2-webauth.postinst +++ webauth-3.6.0/debian/libapache2-webauth.postinst 
@@ -0,0 +1,32 @@
+#! /bin/sh
+# postinst script for libapache2-webauth
+
+set -e
+
+case "$1" in
+ configure)
+ # Make sure that /var/lib/webauth exists and is writable by the
+ # www-data group, since this is where the keyring and ticket cache
+ # will go.
+ if [ ! -d /var/lib/webauth ] ; then
+ mkdir /var/lib/webauth
+ fi
+ chgrp www-data /var/lib/webauth
+ chmod 770 /var/lib/webauth
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- webauth-3.6.0.orig/debian/libapache2-webkdc.postrm
+++ webauth-3.6.0/debian/libapache2-webkdc.postrm
@@ -0,0 +1,27 @@
+#! /bin/sh
+# postrm script for libapache2-webkdc
+
+set -e
+
+case "$1" in
+ purge)
+ if [ -d /var/lib/webkdc ] ; then
+ rm -r /var/lib/webkdc
+ fi
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- webauth-3.6.0.orig/debian/libapache2-webauth.prerm
+++ webauth-3.6.0/debian/libapache2-webauth.prerm
@@ -0,0 +1,17 @@
+#!/bin/sh
+# prerm script for libapache2-webauth
+
+set -e
+
+if [ "$1" = remove ] || [ "$1" = deconfigure ] ; then
+ if [ -f /etc/apache2/mods-enabled/webauthldap.load ] ; then
+ /usr/sbin/a2dismod webauthldap
+ fi
+ if [ -f /etc/apache2/mods-enabled/webauth.load ] ; then
+ /usr/sbin/a2dismod webauth
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
--- webauth-3.6.0.orig/debian/libwebauth1.install
+++ webauth-3.6.0/debian/libwebauth1.install
@@ -0,0 +1 @@
+usr/lib/libwebauth.so.*
--- webauth-3.6.0.orig/debian/libapache2-webauth.install
+++ webauth-3.6.0/debian/libapache2-webauth.install
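Review bot: In libapache2-webauth.postinst the `configure` branch creates /var/lib/webauth with a bare `mkdir` and only afterwards applies `chgrp www-data` and `chmod 770`, so the directory meant for the keyring and ticket cache briefly exists with umask-default permissions and its owner is never set explicitly. Creating it in one step closes that window: `[ -d /var/lib/webauth ] || install -d -o root -g www-data -m 770 /var/lib/webauth`. The `chgrp`/`chmod` pair also runs on every configure, which would reset a stricter mode a local administrator had applied (for instance through dpkg-statoverride), so it is worth restricting it to first creation. The same pattern appears in libapache2-webkdc.postinst for /var/lib/webkdc.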
@@ -0,0 +1,7 @@
+etc/apache2/mods-available/webauth.conf
+etc/apache2/mods-available/webauth.load
+etc/apache2/mods-available/webauthldap.conf
+etc/apache2/mods-available/webauthldap.load
+etc/webauth
+usr/lib/apache2/modules/mod_webauth.so
+usr/lib/apache2/modules/mod_webauthldap.so
--- webauth-3.6.0.orig/debian/libapache2-webkdc.docs
+++ webauth-3.6.0/debian/libapache2-webkdc.docs
@@ -0,0 +1,5 @@
+NEWS
+README
+TODO
+doc/mod_webkdc.html.en
+doc/mod_webkdc.xml
--- webauth-3.6.0.orig/debian/libapache2-webauth.doc-base
+++ webauth-3.6.0/debian/libapache2-webauth.doc-base
@@ -0,0 +1,14 @@
+Document: webauth-protocol
+Title: WebAuth V3 Protocol Specification
+Author: Roland Schemers and Russ Allbery
+Abstract: The detailed protocol specification for WebAuth, including all
+ URL formats, token formats, and the XML protocol for talking to the
+ WebKDC. Also includes the security model and design considerations.
+Section: System/Security
+
+Format: text
+Files: /usr/share/doc/libapache2-webauth/protocol.txt.gz
+
+Format: HTML
+Index: /usr/share/doc/libapache2-webauth/protocol.html
+Files: /usr/share/doc/libapache2-webauth/protocol.html
--- webauth-3.6.0.orig/debian/libapache2-webkdc.NEWS
+++ webauth-3.6.0/debian/libapache2-webkdc.NEWS
@@ -0,0 +1,15 @@
+libapache2-webkdc (3.3.0-1) unstable; urgency=low
+
+ S/Ident support has been removed from WebAuth due to the discovery of a
+ protocol flaw that allows active man-in-the-middle attacks. WebAuth is
+ particularly vulnerable to such an attack because all WebAuth users
+ regularly go to the central weblogin server and exploiting this
+ vulerability would have allowed capture of a single sign-on cookie for
+ the victim.
+
+ If you were using S/Ident in your WebKDC, you will need to remove any
+ WebKdcSIdentAuthType and WebKdcSIdentTimeout settings in your Apache
+ configuration.
+
+ -- Russ Allbery Tue, 4 Oct 2005 21:28:12 -0700
+
--- webauth-3.6.0.orig/debian/libapache2-webkdc.postinst
+++ webauth-3.6.0/debian/libapache2-webkdc.postinst
@@ -0,0 +1,31 @@
+#! /bin/sh
+# postinst script for libapache2-webkdc
+
+set -e
+
+case "$1" in
+ configure)
+ # Make sure that /var/lib/webkdc exists and is writable by the
+ # www-data group, since this is where the keyring will go.
+ if [ ! -d /var/lib/webkdc ] ; then
+ mkdir /var/lib/webkdc
+ fi
+ chgrp www-data /var/lib/webkdc
+ chmod 770 /var/lib/webkdc
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- webauth-3.6.0.orig/debian/webauth-weblogin.install
+++ webauth-3.6.0/debian/webauth-weblogin.install
@@ -0,0 +1 @@
+usr/share/weblogin
--- webauth-3.6.0.orig/debian/webauth-tests.install
+++ webauth-3.6.0/debian/webauth-tests.install
@@ -0,0 +1 @@
+usr/share/webauth
--- webauth-3.6.0.orig/debian/libapache2-webauth.README.Debian
+++ webauth-3.6.0/debian/libapache2-webauth.README.Debian
@@ -0,0 +1,140 @@ +WebAuth for Debian +------------------ + +This package contains the Apache 2.x modules for the WebAuth +authentication system. It is not useful by itself; your site also needs +to be running a WebAuth infrastructure including a separate WebKDC and +weblogin server. See the libapache2-webkdc and webauth-weblogin packages +for the WebKDC server and weblogin server. + +You can install the webauth-tests package to get a test suite that you can +use to verify that your installation is working. See the documentation of +that package for more information. + +mod_webauth.html.en and mod_webauthldap.html.en have the formatted +manuals, but they expect to be part of the Apache 2.x documentation tree. +If you wish, you can install the apache2-doc package and then install them +into /usr/share/doc/apache2-doc/manual/mod/ and you will then be able to +read them as intended. + +See: + + + +for more information about WebAuth, including copies of the module manuals +and places to contact to get help with the installation. + + +Installing WebAuth +------------------ + +There are several steps in installing WebAuth that cannot (easily) be +automated, so WebAuth is not active and available immediately after +installing this package. You must also do the following: + + 1. Determine your local site WebAuth configuration. You need to know + three pieces of information: the URL of the WebKDC service, the URL + of the weblogin service, and the Kerberos principal used by the + WebKDC. These should be part of your local WebAuth documentation. + + If you are setting up a new WebAuth installation from scratch, install + the libapache2-webkdc and webauth-weblogin packages on the system that + will serve as the WebKDC and weblogin server, follow their + installation instructions, and then return to here. + + 2. Obtain a Kerberos keytab for your WebAuth server. 
How to obtain a + keytab varies greatly from one Kerberos site to the next; contact your + local Kerberos administrator for more information. Normally, the + principal for the WebAuth service on www.example.com would be named + webauth/www.example.com (in your local realm), but this may vary at + your site. + + However you get this keytab, install it in /etc/webauth/keytab and + then make sure that it is readable by the web server: + + chgrp www-data /etc/webauth/keytab + chmod 640 /etc/webauth/keytab + + 3. Enable the WebAuth module and the generic user authorization module: + + a2enmod authz_user + a2enmod webauth + + You can skip enabling authz_user if you won't be using directives of + the form "Require user" or "Require valid-user", but since these + directives are used in WebAuth tests and in much of the documentation, + I recommend enabling that module to avoid confusion. (This module is + new in Apache 2.2; previously, its functionality was built into + Apache.) + + The WebAuth module will now be loaded the next time you restart your + Apache server. Don't restart the server yet; you still need to + configure the module. + + 4. Add the following configuration to /etc/apache2/conf.d/webauth or + wherever you prefer to put local Apache configuration: + + WebAuthLoginURL + WebAuthWebKdcURL + WebAuthWebKdcPrincipal + + where , , and are the + local configuration values that you obtained in step 1. + + 5. Restart Apache: + + apache2ctl graceful + +At this point, WebAuth authentication is available. In order to protect a +section of your web site with WebAuth, just add something like: + + AuthType WebAuth + require user example + +to a , , or block or a .htaccess file. + + +Installing the LDAP Module +-------------------------- + +If you also want to use the WebAuth LDAP module, which supports +authorization through directory entries and obtaining directory +information for authenticated users, you need to additionally do the +following: + + 1. 
Add the following configuration to /etc/apache2/conf.d/webauth or + wherever you prefer to put local Apache configuration: + + WebAuthLdapHost + WebAuthLdapBase + + where is your local LDAP server name and is + the LDAP search base to use (something like dc=example,dc=com). Your + local LDAP administrator will be able to provide this information. + + 2. If you want to use authorization through privilege groups defined by + the presence of an LDAP attribute in the record of the authenticated + user, also add a line like: + + WebAuthLdapAuthorizationAttribute + + where is a multivalued attribute in directory entries for + your users that contains all of the privilege groups that that user is + a member of. + + 3. Enable the WebAuth LDAP module: + + a2enmod webauthldap + + and restart Apache: + + apache2ctl graceful + +You may now use the WebAuthLdapAttribute directive in , +, or blocks or .htaccess files to request that +particular LDAP attributes be put into environment variables, and if you +configured a privgroup attribute, you may now use the "require privgroup" +command to restrict access to particular web pages to members of that +privgroup. + + -- Russ Allbery , Mon, 9 Oct 2006 14:24:51 z --- webauth-3.6.0.orig/debian/libapache2-webauth.examples +++ webauth-3.6.0/debian/libapache2-webauth.examples @@ -0,0 +1,3 @@ +conf/sample-webauth.conf +conf/stanford-ldap.conf +conf/stanford-webauth.conf --- webauth-3.6.0.orig/debian/webauth-tests.README.Debian +++ webauth-3.6.0/debian/webauth-tests.README.Debian 
@@ -0,0 +1,32 @@ +WebAuth Tests for Debian +------------------------ + +To enable these tests, add the following to: + + /etc/apache2/conf.d/webauth-tests + +or wherever you prefer to put local Apache configuration: + + Include /usr/share/webauth/conf/webauth-tests.conf + Include /usr/share/webauth/conf/ldaptests.conf + + Alias /tests/ /usr/share/webauth/htdocs/tests/ + Alias /ldaptests/ /usr/share/webauth/htdocs/ldaptests/ + +and make sure that CGI scripts are enabled with: + + a2enmod cgi + +Then reload the configuration with /etc/init.d/apache2 reload. You can +then go to /tests/ and /ldaptests/ on your site to see the test suite. +You will also need to install and enable PHP to do the PHP test. + +The LDAP tests are fairly Stanford-specific in that they use attributes +peculiar to Stanford's directory servers and privgroups specific to +Stanford, so you may need to copy ldaptests.conf to another file and +modify it to make it a better test for your site. + +If you are not using the WebAuth LDAP module, you can just omit the two +lines referring to ldaptests. + + -- Russ Allbery , Wed Nov 16 16:40:55 2005 --- webauth-3.6.0.orig/debian/libapache2-webauth.postrm +++ webauth-3.6.0/debian/libapache2-webauth.postrm @@ -0,0 +1,27 @@ +#! /bin/sh +# postrm script for libapache2-webauth + +set -e + +case "$1" in + purge) + if [ -d /var/lib/webauth ] ; then + rm -r /var/lib/webauth + fi + ;; + + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) + ;; + + *) + echo "postrm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 --- webauth-3.6.0.orig/debian/libapache2-webkdc.prerm +++ webauth-3.6.0/debian/libapache2-webkdc.prerm 
@@ -0,0 +1,14 @@
+#!/bin/sh
+# prerm script for libapache2-webkdc
+
+set -e
+
+if [ "$1" = remove ] || [ "$1" = deconfigure ] ; then
+ if [ -f /etc/apache2/mods-enabled/webkdc.load ] ; then
+ /usr/sbin/a2dismod webkdc
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
--- webauth-3.6.0.orig/debian/libapache2-webauth.docs
+++ webauth-3.6.0/debian/libapache2-webauth.docs
@@ -0,0 +1,10 @@
+NEWS
+README
+TODO
+doc/mod_webauth.html.en
+doc/mod_webauth.xml
+doc/mod_webauthldap.html.en
+doc/mod_webauthldap.xml
+doc/protocol.*
+doc/test-plan
+doc/userauth