--- webauth-3.7.0.orig/debian/libapache2-webauth.install
+++ webauth-3.7.0/debian/libapache2-webauth.install
@@ -0,0 +1,7 @@
+etc/apache2/mods-available/webauth.conf
+etc/apache2/mods-available/webauth.load
+etc/apache2/mods-available/webauthldap.conf
+etc/apache2/mods-available/webauthldap.load
+etc/webauth
+usr/lib/apache2/modules/mod_webauth.so
+usr/lib/apache2/modules/mod_webauthldap.so
--- webauth-3.7.0.orig/debian/libapache2-webkdc.README.Debian
+++ webauth-3.7.0/debian/libapache2-webkdc.README.Debian
@@ -0,0 +1,92 @@
+WebAuth WebKDC for Debian
+-------------------------
+
+This package contains the Apache 2.x module for the central WebAuth
+WebKDC. Only one server (or one pool of load-balanced servers) at a given
+site need to run this module. On the server that you install this module,
+you should also install the webauth-weblogin package and follow its
+installation instructions. The documentation for it has additional
+information about what site configuration documentation you will probably
+want to publish for WebAuth users at your site.
+
+mod_webkdc.html.en is the formatted manuals, but it expects to be part of
+the Apache 2.x documentation tree. If you wish, you can install the
+apache2-doc package and then copy this file into:
+
+ /usr/share/doc/apache2-doc/manual/mod/
+
+and you will then be able to read it as intended.
+
+See:
+
+
+
+for more information about WebAuth, including copies of the module manuals
+and places to contact to get help with the installation.
+
+
+Installing the WebKDC
+---------------------
+
+After installing this package, you must also do the following to make the
+WebKDC available:
+
+ 1. Decide what the URL will be for your WebKDC service. I recommend
+ , where example.com is
+ your domain, but you can use anything that you wish. It should,
+ however, be on the same server as the weblogin server.
+
+ 2. Decide what Kerberos principal to use for the WebKDC service. I
+ recommend service/webkdc (in your local realm), but you can use
+ anything that you wish.
+
+ 3. Obtain a Kerberos keytab for the WebKDC. How to obtain a keytab
+ varies greatly from one Kerberos site to the next; contact your local
+ Kerberos administrator for more information.
+
+ However you get this keytab, install it in /etc/webkdc/keytab and
+ then make sure that it is readable by the web server:
+
+ chgrp www-data /etc/webkdc/keytab
+ chmod 640 /etc/webkdc/keytab
+
+ 4. In the configuration for your SSL virtual host, or your main server
+ configuration if you don't configure SSL separately, add a block like:
+
+
+ SSLRequireSSL
+ SetHandler webkdc
+
+
+ You will also have to have a working SSL configuration, which includes
+ a valid SSL certificate that your WebAuth servers will be able to
+ validate. See the Apache documentation for information on setting up
+ SSL.
+
+ 5. Edit /etc/webkdc/token.acl and configure which Kerberos principals
+ will be allowed to get tokens from the WebKDC. I recommend starting
+ with a line like:
+
+ krb5:webauth/*@example.com id
+
+ which will allow any webauth/* principal in the example.com realm
+ (replace that with your own realm) to get an "id" token, which is the
+ token for basic authentication. You can allow particular servers to
+ get additional Kerberos credentials on behalf of the user; for more
+ information, see the manual.
+
+ 6. Enable the WebKDC module:
+
+ a2enmod webkdc
+
+ The WebKDC module will now be loaded the next time you restart your
+ Apache server.
+
+ 9. Restart Apache:
+
+ apache2ctl graceful
+
+ The WebKDC should now be available, and you can start testing with
+ WebAuth servers.
+
+ -- Russ Allbery , Thu Mar 16 13:33:35 2006
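Review bot: The numbered list under "Installing the WebKDC" jumps from step 6 to "9. Restart Apache", so either two steps were dropped or the last step is misnumbered; renumber it to 7 or restore the missing steps. Step 1 also reads "I recommend , where example.com is your domain" with no URL shown, and the block in step 4 shows only "SSLRequireSSL" and "SetHandler webkdc" with no enclosing container, so the reader cannot tell which path the handler is meant to be bound to. Both should be spelled out, since the WebAuth servers have to be configured with the same URL.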
--- webauth-3.7.0.orig/debian/libapache2-webauth.doc-base
+++ webauth-3.7.0/debian/libapache2-webauth.doc-base
@@ -0,0 +1,14 @@
+Document: webauth-protocol
+Title: WebAuth V3 Protocol Specification
+Author: Roland Schemers and Russ Allbery
+Abstract: The detailed protocol specification for WebAuth, including all
+ URL formats, token formats, and the XML protocol for talking to the
+ WebKDC. Also includes the security model and design considerations.
+Section: System/Security
+
+Format: text
+Files: /usr/share/doc/libapache2-webauth/protocol.txt.gz
+
+Format: HTML
+Index: /usr/share/doc/libapache2-webauth/protocol.html
+Files: /usr/share/doc/libapache2-webauth/protocol.html
--- webauth-3.7.0.orig/debian/libapache2-webauth.docs
+++ webauth-3.7.0/debian/libapache2-webauth.docs
@@ -0,0 +1,9 @@
+README
+TODO
+docs/mod_webauth.html.en
+docs/mod_webauth.xml
+docs/mod_webauthldap.html.en
+docs/mod_webauthldap.xml
+docs/protocol.*
+docs/test-plan
+docs/userauth
--- webauth-3.7.0.orig/debian/libapache2-webauth.NEWS
+++ webauth-3.7.0/debian/libapache2-webauth.NEWS
@@ -0,0 +1,30 @@
+libapache2-webauth (3.7.0-1) unstable; urgency=low
+
+ Users of mod_webauthldap should note that WebAuthLdapAuthRule's behavior
+ has changed. Previously, it put just the bare name of the privgroup
+ authorizing the user into its environment variable. Now, it puts the
+ string "privgroup " instead.
+
+ -- Russ Allbery Wed, 07 Jul 2010 14:46:40 -0700
+
+libapache2-webauth (3.5.3-2) unstable; urgency=low
+
+ As of this release, the WebAuth module is built for Apache 2.2 rather
+ than Apache 2.0. Please note that Apache 2.2 moved authentication and
+ authorization functionality out of Apache into modules that may not be
+ enabled by default. In particular, directives of the form:
+
+ Require valid-user
+ Require user
+
+ will not work unless mod_authz_user is enabled. To do this, run:
+
+ a2enmod authz_user
+
+ as root. You do not need to enable this module if you never use
+ directives of that type (if, for instance, you only use Require
+ privgroup directives), but note that the WebAuth tests expect this
+ functionality to be available.
+
+ -- Russ Allbery Mon, 09 Oct 2006 14:28:00 -0700
+
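Review bot: In the 3.7.0-1 entry the new value is given as the string "privgroup " with nothing after the space, so the reader cannot tell what follows the prefix. Name the placeholder for the group explicitly and show the old and new values side by side, because anything that matches on this environment variable has to be changed on upgrade.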
--- webauth-3.7.0.orig/debian/libapache2-webauth.postrm
+++ webauth-3.7.0/debian/libapache2-webauth.postrm
@@ -0,0 +1,27 @@
+#! /bin/sh
+# postrm script for libapache2-webauth
+
+set -e
+
+case "$1" in
+ purge)
+ if [ -d /var/lib/webauth ] ; then
+ rm -r /var/lib/webauth
+ fi
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
--- webauth-3.7.0.orig/debian/copyright
+++ webauth-3.7.0/debian/copyright
@@ -0,0 +1,180 @@
+Packaged for Debian by Russ Allbery 2004-06-23
+
+It was downloaded from:
+
+
+
+Upstream authors:
+
+ The WebAuth v3 protocol and core implementation was written by Roland
+ Schemers, based on design documents by the entire Stanford WebAuth team
+ (with considerable work by Tim Torgenrud and Booker Bense) and based in
+ part on the functionality of WebAuth v2.5, written and maintained by a
+ cast of dozens over the years but most notably Jeff Lewis, Anton
+ Ushakov, and Jeanmarie Lucker.
+
+ The mod_webauthldap module was written by Anton Ushakov.
+
+ The configuration and build system and WebAuth packaging was put
+ together by Russ Allbery. Huaqing Zheng provided builds of supporting
+ packages and Jonathan Pilat helped greatly with testing. Xueshan Feng
+ oversaw the project.
+
+ The WebAuth package is currently maintained by Russ Allbery.
+
+ Thanks to pod for improvements, particularly to the WebKDC, to make it
+ easier to package for a Linux distribution, for the initial Debian
+ package build rules, and for generic WebKDC templates suitable for a new
+ installation and for use as examples.
+
+ Thanks to Dmitri Priimak for work on cross-realm support, WebLogin
+ improvements, and testing of unusual Kerberos realms and principal
+ names.
+
+Upstream maintainer:
+
+ WebAuth Development Team
+
+Debian packaging copyright:
+
+ Copyright 2004, 2005, 2006, 2009 Board of Trustees, Leland Stanford Jr.
+ University.
+
+ All files and modifications related to Debian packaging are covered
+ under the same license terms as the rest of the package.
+
+The WebAuth package as a whole is:
+
+ Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Board of
+ Trustees, Leland Stanford Jr. University. All rights reserved.
+
+and released under the following license:
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+ CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+All individual files with no other license statement are released under
+this license. Some files may be owned by other copyright holders as noted
+in those files. Some files are individually released under different
+licenses, all of which are compatible with the above general package
+license.
+
+Collected copyright notices for the entire package:
+
+ Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009
+ Board of Trustees, Leland Stanford Jr. University
+ Copyright 2000, 2001, 2004, 2006, 2007, 2008, 2009
+ Russ Allbery
+ Copyright 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001,
+ 2002, 2003, 2004, 2005, 2006, 2007, 2008
+ Free Software Foundation, Inc.
+ Copyright 1994 X Consortium
+
+The files Makefile.in and aclocal.m4 are generated by GNU Automake and
+released under the following copyright and license:
+
+ Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+ 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+ This file is free software; the Free Software Foundation
+ gives unlimited permission to copy and/or distribute it,
+ with or without modifications, as long as this notice is preserved.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+ even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+ PARTICULAR PURPOSE.
+
+The file configure is generated by GNU Autoconf and is released under the
+following copyright and license:
+
+ Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001,
+ 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+ This configure script is free software; the Free Software Foundation
+ gives unlimited permission to copy, distribute and modify it.
+
+The files m4/ltoptions.m4, m4/ltsugar.m4, m4/ltversion.m4, and
+m4/lt~obsolete.m4 are from GNU Libtool and are released under the
+following copyright and license:
+
+ Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
+
+ This file is free software; the Free Software Foundation gives unlimited
+ permission to copy and/or distribute it, with or without modifications,
+ as long as this notice is preserved.
+
+The files build-aux/compile, build-aux/depcomp, and build-aux/missing are
+taken from GNU Automake. The files build-aux/config.guess and
+build-aux/config.sub are taken from the Debian autotools-dev package. The
+file build-aux/ltmain.sh is taken from GNU Libtool. All of these files
+are released under the following copyright and license:
+
+ Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1999, 2000, 2002,
+ 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+
+ This program is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation; either version 2, or (at your option) any
+ later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ As a special exception to the GNU General Public License, if you
+ distribute this file as part of a program that contains a configuration
+ script generated by Autoconf, you may include it under the same
+ distribution terms that you use for the rest of that program.
+
+For the WebAuth distribution, the option described in the last paragraph
+has been accepted and these files are distributed under the same terms as
+the remctl package as a whole, as described at the top of this file. You
+can find the GPL version 2 in /usr/share/common-licenses/GPL-2 on Debian
+systems.
+
+The file build-aux/install-sh is released under the following copyright
+and license:
+
+ Copyright (C) 1994 X Consortium
+
+ Permission is hereby granted, free of charge, to any person obtaining a
+ copy of this software and associated documentation files (the
+ "Software"), to deal in the Software without restriction, including
+ without limitation the rights to use, copy, modify, merge, publish,
+ distribute, sublicense, and/or sell copies of the Software, and to
+ permit persons to whom the Software is furnished to do so, subject to
+ the following conditions:
+
+ The above copyright notice and this permission notice shall be included
+ in all copies or substantial portions of the Software.
+
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ OTHER DEALINGS IN THE SOFTWARE.
+
+ Except as contained in this notice, the name of the X Consortium shall
+ not be used in advertising or otherwise to promote the sale, use or
+ other dealings in this Software without prior written authorization
+ from the X Consortium.
+
+ FSF changes to this file are in the public domain.
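Review bot: The paragraph beginning "For the WebAuth distribution, the option described in the last paragraph has been accepted" says the files are distributed under the same terms as "the remctl package as a whole", which looks like a leftover from another package's copyright file; it should name WebAuth. The copyright years in this file also stop at 2009 while the changelog entry for 3.7.0-1 in the same patch is dated 2010, so check whether the upstream notices need refreshing.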
--- webauth-3.7.0.orig/debian/libapache2-webkdc.postrm
+++ webauth-3.7.0/debian/libapache2-webkdc.postrm
@@ -0,0 +1,27 @@
+#! /bin/sh
+# postrm script for libapache2-webkdc
+
+set -e
+
+case "$1" in
+ purge)
+ if [ -d /var/lib/webkdc ] ; then
+ rm -r /var/lib/webkdc
+ fi
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
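Review bot: The purge branch removes only /var/lib/webkdc, while the README added in this patch tells the administrator to install the service keytab at /etc/webkdc/keytab; that file is not removed here, so a purge leaves the key on disk. Either remove it in the purge case or say in the README that the keytab has to be deleted by hand when the package is purged.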
--- webauth-3.7.0.orig/debian/libapache2-webauth.examples
+++ webauth-3.7.0/debian/libapache2-webauth.examples
@@ -0,0 +1,3 @@
+conf/sample-webauth.conf
+conf/stanford-ldap.conf
+conf/stanford-webauth.conf
--- webauth-3.7.0.orig/debian/libwebkdc-perl.install
+++ webauth-3.7.0/debian/libwebkdc-perl.install
@@ -0,0 +1,4 @@
+etc/webkdc/webkdc.conf
+usr/share/perl5
+usr/share/man/man3/WebKDC*.3pm
+usr/share/man/man3/WebLogin.3pm
--- webauth-3.7.0.orig/debian/webauth-weblogin.install
+++ webauth-3.7.0/debian/webauth-weblogin.install
@@ -0,0 +1 @@
+usr/share/weblogin
--- webauth-3.7.0.orig/debian/rules
+++ webauth-3.7.0/debian/rules
@@ -0,0 +1,134 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# GNU copyright 1997 to 1999 by Joey Hess.
+# Further updates by Russ Allbery
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+# This has to be exported for some magic to work later.
+export DH_OPTIONS
+
+# Tell Autoconf the correct system types.
+DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
+DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE)
+ifeq ($(DEB_BUILD_GNU_TYPE),$(DEB_HOST_GNU_TYPE))
+ SYSTEM = --build $(DEB_HOST_GNU_TYPE)
+else
+ SYSTEM = --build $(DEB_BUILD_GNU_TYPE) --host $(DEB_HOST_GNU_TYPE)
+endif
+
+ifndef PERL
+ PERL = /usr/bin/perl
+endif
+
+CFLAGS = -Wall -g
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+
+configure-stamp:
+ dh_testdir
+ CFLAGS="$(CFLAGS)" ./configure --prefix=/usr --libexecdir=/usr/lib \
+ --mandir=\$${prefix}/share/man --enable-webkdc \
+ --enable-perl --with-apxs=/usr/bin/apxs2 \
+ --enable-reduced-depends $(SYSTEM)
+ touch $@
+
+# Rebuild the Perl module to pick up the correct installation paths.
+build: build-arch build-indep
+build-arch: build-stamp
+build-indep: build-stamp
+build-stamp: configure-stamp
+ dh_testdir
+ $(MAKE)
+ cd perl && $(PERL) Makefile.PL INSTALLDIRS=vendor
+ cd perl && $(MAKE) OPTIMIZE="$(CFLAGS)"
+ifeq (,$(filter nocheck,$(DEB_BUILD_OPTIONS)))
+ $(MAKE) check
+endif
+ touch $@
+
+clean:
+ dh_testdir
+ dh_testroot
+ rm -f configure-stamp build-stamp install-stamp
+ [ ! -f Makefile ] || $(MAKE) distclean
+ dh_clean
+
+install: install-stamp
+install-stamp: build-stamp
+ dh_testdir
+ dh_testroot
+ dh_prep
+ $(MAKE) install DESTDIR=$(CURDIR)/debian/tmp
+ chmod a+x debian/tmp/usr/share/weblogin/*.fcgi
+ install -d debian/tmp/etc/webauth
+ install -d debian/tmp/etc/webkdc
+ install -m 644 conf/token.acl debian/tmp/etc/webkdc/
+ install -m 644 debian/webkdc.conf debian/tmp/etc/webkdc/
+ install -d debian/tmp/etc/apache2/mods-available
+ set -e; cd conf/debian && for f in *.conf *.load ; do \
+ install -m 644 $$f \
+ $(CURDIR)/debian/tmp/etc/apache2/mods-available/$$f ; \
+ done
+ mkdir -p debian/tmp/usr/share/perl5
+ mv debian/tmp/usr/lib/perl5/WebKDC* debian/tmp/usr/share/perl5
+ mv debian/tmp/usr/lib/perl5/WebLogin* debian/tmp/usr/share/perl5
+ install -d debian/tmp/usr/share/webauth/conf
+ install -m 644 tests/mod_webauth/conf/*.conf \
+ debian/tmp/usr/share/webauth/conf/
+ install -d debian/tmp/usr/share/webauth/htdocs
+ cp -r tests/mod_webauth/htdocs/tests \
+ debian/tmp/usr/share/webauth/htdocs/
+ cp -r tests/mod_webauth/htdocs/ldaptests \
+ debian/tmp/usr/share/webauth/htdocs/
+ touch $@
+
+# Build the architecture-independent packages.
+binary-indep: DH_OPTIONS=-i
+binary-indep: install-stamp
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs NEWS
+ dh_installdocs
+ dh_installexamples
+ dh_install --sourcedir=debian/tmp
+ install -m 755 tools/weblogin-passcheck \
+ debian/webauth-weblogin/usr/share/doc/webauth-weblogin/
+ dh_link
+ dh_compress
+ dh_fixperms
+ dh_perl
+ dh_installdeb
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+# Build the architecture-dependent packages.
+binary-arch: DH_OPTIONS=-a
+binary-arch: install-stamp
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs NEWS
+ dh_installdocs
+ dh_installexamples
+ dh_install --sourcedir=debian/tmp
+ dh_installman
+ dh_link
+ dh_fixperms
+ dh_strip
+ dh_compress
+ dh_perl
+ dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-arch binary-indep
+.PHONY: binary binary-arch binary-indep build build-arch build-indep clean
+.PHONY: install
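Review bot: In binary-indep, "install -m 755 tools/weblogin-passcheck" places the script under usr/share/doc/webauth-weblogin/ and is followed by dh_compress and dh_fixperms; dh_fixperms resets files under usr/share/doc (outside examples/) to mode 644, so the execute bit set here will not survive into the package. Ship the script through dh_installexamples or exclude it from dh_fixperms with -X if it is meant to be runnable as installed. Separately, CFLAGS is assigned unconditionally as "-Wall -g" plus an optimisation level, so no hardening flags reach the compiler for modules that run inside the web server; consider taking the defaults from dpkg-buildflags.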
--- webauth-3.7.0.orig/debian/libwebauth-perl.install
+++ webauth-3.7.0/debian/libwebauth-perl.install
@@ -0,0 +1,2 @@
+usr/lib/perl5
+usr/share/man/man3/WebAuth.3pm
--- webauth-3.7.0.orig/debian/webauth-tests.README.Debian
+++ webauth-3.7.0/debian/webauth-tests.README.Debian
@@ -0,0 +1,32 @@
+WebAuth Tests for Debian
+------------------------
+
+To enable these tests, add the following to:
+
+ /etc/apache2/conf.d/webauth-tests
+
+or wherever you prefer to put local Apache configuration:
+
+ Include /usr/share/webauth/conf/webauth-tests.conf
+ Include /usr/share/webauth/conf/ldaptests.conf
+
+ Alias /tests/ /usr/share/webauth/htdocs/tests/
+ Alias /ldaptests/ /usr/share/webauth/htdocs/ldaptests/
+
+and make sure that CGI scripts are enabled with:
+
+ a2enmod cgi
+
+Then reload the configuration with /etc/init.d/apache2 reload. You can
+then go to /tests/ and /ldaptests/ on your site to see the test suite.
+You will also need to install and enable PHP to do the PHP test.
+
+The LDAP tests are fairly Stanford-specific in that they use attributes
+peculiar to Stanford's directory servers and privgroups specific to
+Stanford, so you may need to copy ldaptests.conf to another file and
+modify it to make it a better test for your site.
+
+If you are not using the WebAuth LDAP module, you can just omit the two
+lines referring to ldaptests.
+
+ -- Russ Allbery , Wed Nov 16 16:40:55 2005
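Review bot: The instructions add Alias entries for /tests/ and /ldaptests/ and enable mod_cgi, but never say when to take them out again or who should be able to reach them. Add a sentence recommending that the includes and aliases be removed, or access to them restricted, once the installation has been verified, so the test scripts are not left published on a production site.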
--- webauth-3.7.0.orig/debian/watch
+++ webauth-3.7.0/debian/watch
@@ -0,0 +1,8 @@
+# watch -- Rules for uscan to find new upstream versions.
+#
+# I don't use this personally since I'm also one of the upstream
+# maintainers, but it's included for the benefit of automated package
+# analysis systems.
+
+version=3
+http://webauth.stanford.edu/download.html ^dist/webauth-([^-]+)\.tar\.gz
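Review bot: The uscan rule fetches the download page over plain http and has no means of checking what it finds, so automated systems that follow this file learn about new tarballs over an unauthenticated channel. Use an https URL if upstream serves one, and note in the header comment that the tarball still has to be verified out of band.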
--- webauth-3.7.0.orig/debian/libapache2-webkdc.install
+++ webauth-3.7.0/debian/libapache2-webkdc.install
@@ -0,0 +1,4 @@
+etc/apache2/mods-available/webkdc.conf
+etc/apache2/mods-available/webkdc.load
+etc/webkdc/token.acl
+usr/lib/apache2/modules/mod_webkdc.so
--- webauth-3.7.0.orig/debian/libapache2-webkdc.docs
+++ webauth-3.7.0/debian/libapache2-webkdc.docs
@@ -0,0 +1,4 @@
+README
+TODO
+docs/mod_webkdc.html.en
+docs/mod_webkdc.xml
--- webauth-3.7.0.orig/debian/libapache2-webauth.prerm
+++ webauth-3.7.0/debian/libapache2-webauth.prerm
@@ -0,0 +1,17 @@
+#!/bin/sh
+# prerm script for libapache2-webauth
+
+set -e
+
+if [ "$1" = remove ] || [ "$1" = deconfigure ] ; then
+ if [ -f /etc/apache2/mods-enabled/webauthldap.load ] ; then
+ a2dismod webauthldap
+ fi
+ if [ -f /etc/apache2/mods-enabled/webauth.load ] ; then
+ a2dismod webauth
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
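Review bot: Both a2dismod calls run under "set -e", so a non-zero exit from either one aborts the prerm and blocks removal of the package. Decide whether that is intended; if not, tolerate the failure (for example "a2dismod webauth || true"). The "-f" tests on mods-enabled/*.load also skip a dangling symlink, which leaves a stale entry behind; testing with "-L" as well would cover that case.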
--- webauth-3.7.0.orig/debian/libwebauth-dev.install
+++ webauth-3.7.0/debian/libwebauth-dev.install
@@ -0,0 +1,3 @@
+usr/include
+usr/lib/libwebauth.a
+usr/lib/libwebauth.so
--- webauth-3.7.0.orig/debian/webauth-utils.install
+++ webauth-3.7.0/debian/webauth-utils.install
@@ -0,0 +1,2 @@
+usr/bin
+usr/share/man/man1
--- webauth-3.7.0.orig/debian/libapache2-webkdc.postinst
+++ webauth-3.7.0/debian/libapache2-webkdc.postinst
@@ -0,0 +1,31 @@
+#! /bin/sh
+# postinst script for libapache2-webkdc
+
+set -e
+
+case "$1" in
+ configure)
+ # Make sure that /var/lib/webkdc exists and is writable by the
+ # www-data group, since this is where the keyring will go.
+ if [ ! -d /var/lib/webkdc ] ; then
+ mkdir /var/lib/webkdc
+ fi
+ chgrp www-data /var/lib/webkdc
+ chmod 770 /var/lib/webkdc
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
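Review bot: In the configure branch the directory is created with a bare "mkdir" and only afterwards given its group and mode, so between the two commands it exists with whatever the umask allows; "install -d -m 770 -g www-data /var/lib/webkdc" does it in one step. The chgrp and chmod also run on every configure, which silently reverts any tighter ownership or mode a local administrator has set on the keyring directory; apply them only when the directory is first created, or honour dpkg-statoverride.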
--- webauth-3.7.0.orig/debian/compat
+++ webauth-3.7.0/debian/compat
@@ -0,0 +1 @@
+7
--- webauth-3.7.0.orig/debian/libapache2-webauth.README.Debian
+++ webauth-3.7.0/debian/libapache2-webauth.README.Debian
@@ -0,0 +1,140 @@
+WebAuth for Debian
+------------------
+
+This package contains the Apache 2.x modules for the WebAuth
+authentication system. It is not useful by itself; your site also needs
+to be running a WebAuth infrastructure including a separate WebKDC and
+weblogin server. See the libapache2-webkdc and webauth-weblogin packages
+for the WebKDC server and weblogin server.
+
+You can install the webauth-tests package to get a test suite that you can
+use to verify that your installation is working. See the documentation of
+that package for more information.
+
+mod_webauth.html.en and mod_webauthldap.html.en have the formatted
+manuals, but they expect to be part of the Apache 2.x documentation tree.
+If you wish, you can install the apache2-doc package and then install them
+into /usr/share/doc/apache2-doc/manual/mod/ and you will then be able to
+read them as intended.
+
+See:
+
+
+
+for more information about WebAuth, including copies of the module manuals
+and places to contact to get help with the installation.
+
+
+Installing WebAuth
+------------------
+
+There are several steps in installing WebAuth that cannot (easily) be
+automated, so WebAuth is not active and available immediately after
+installing this package. You must also do the following:
+
+ 1. Determine your local site WebAuth configuration. You need to know
+ three pieces of information: the URL of the WebKDC service, the URL
+ of the weblogin service, and the Kerberos principal used by the
+ WebKDC. These should be part of your local WebAuth documentation.
+
+ If you are setting up a new WebAuth installation from scratch, install
+ the libapache2-webkdc and webauth-weblogin packages on the system that
+ will serve as the WebKDC and weblogin server, follow their
+ installation instructions, and then return to here.
+
+ 2. Obtain a Kerberos keytab for your WebAuth server. How to obtain a
+ keytab varies greatly from one Kerberos site to the next; contact your
+ local Kerberos administrator for more information. Normally, the
+ principal for the WebAuth service on www.example.com would be named
+ webauth/www.example.com (in your local realm), but this may vary at
+ your site.
+
+ However you get this keytab, install it in /etc/webauth/keytab and
+ then make sure that it is readable by the web server:
+
+ chgrp www-data /etc/webauth/keytab
+ chmod 640 /etc/webauth/keytab
+
+ 3. Enable the WebAuth module and the generic user authorization module:
+
+ a2enmod authz_user
+ a2enmod webauth
+
+ You can skip enabling authz_user if you won't be using directives of
+ the form "Require user" or "Require valid-user", but since these
+ directives are used in WebAuth tests and in much of the documentation,
+ I recommend enabling that module to avoid confusion. (This module is
+ new in Apache 2.2; previously, its functionality was built into
+ Apache.)
+
+ The WebAuth module will now be loaded the next time you restart your
+ Apache server. Don't restart the server yet; you still need to
+ configure the module.
+
+ 4. Add the following configuration to /etc/apache2/conf.d/webauth or
+ wherever you prefer to put local Apache configuration:
+
+ WebAuthLoginURL
+ WebAuthWebKdcURL
+ WebAuthWebKdcPrincipal
+
+ where , , and are the
+ local configuration values that you obtained in step 1.
+
+ 5. Restart Apache:
+
+ apache2ctl graceful
+
+At this point, WebAuth authentication is available. In order to protect a
+section of your web site with WebAuth, just add something like:
+
+ AuthType WebAuth
+ require user example
+
+to a , , or block or a .htaccess file.
+
+
+Installing the LDAP Module
+--------------------------
+
+If you also want to use the WebAuth LDAP module, which supports
+authorization through directory entries and obtaining directory
+information for authenticated users, you need to additionally do the
+following:
+
+ 1. Add the following configuration to /etc/apache2/conf.d/webauth or
+ wherever you prefer to put local Apache configuration:
+
+ WebAuthLdapHost
+ WebAuthLdapBase
+
+ where is your local LDAP server name and is
+ the LDAP search base to use (something like dc=example,dc=com). Your
+ local LDAP administrator will be able to provide this information.
+
+ 2. If you want to use authorization through privilege groups defined by
+ the presence of an LDAP attribute in the record of the authenticated
+ user, also add a line like:
+
+ WebAuthLdapAuthorizationAttribute
+
+ where is a multivalued attribute in directory entries for
+ your users that contains all of the privilege groups that that user is
+ a member of.
+
+ 3. Enable the WebAuth LDAP module:
+
+ a2enmod webauthldap
+
+ and restart Apache:
+
+ apache2ctl graceful
+
+You may now use the WebAuthLdapAttribute directive in ,
+, or blocks or .htaccess files to request that
+particular LDAP attributes be put into environment variables, and if you
+configured a privgroup attribute, you may now use the "require privgroup"
+command to restrict access to particular web pages to members of that
+privgroup.
+
+ -- Russ Allbery , Mon, 9 Oct 2006 14:24:51 z
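Review bot: Step 2 sets only the group and mode of /etc/webauth/keytab ("chgrp www-data", "chmod 640") and leaves the owner unstated. Say that the file should be owned by root, so that the web server group can read the key but cannot rewrite it. Steps 4 of the WebAuth section and 1 and 2 of the LDAP section also list directives such as "WebAuthLoginURL" and "WebAuthLdapHost" with no argument shown, and the "where , , and are" sentences that follow have lost their placeholder names; restore them so the reader knows which step 1 value goes with which directive.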
--- webauth-3.7.0.orig/debian/webkdc.conf
+++ webauth-3.7.0/debian/webkdc.conf
@@ -0,0 +1,4 @@
+# webkdc.conf -- Default Debian overrides for WebKDC Perl module.
+
+our $KEYRING_PATH = '/var/lib/webkdc/keyring';
+our $TEMPLATE_PATH = '/usr/share/weblogin/generic/templates';
--- webauth-3.7.0.orig/debian/changelog
+++ webauth-3.7.0/debian/changelog
@@ -0,0 +1,352 @@
+webauth (3.7.0-1) unstable; urgency=low
+
+ * New upstream release.
+ - WebAuthLdapAuthRule in mod_webauthldap now sets environment
+ variables to the value "privgroup " rather than the
+ previous behavior of just "".
+ - New WebAuthLdapPrivgroup directive for mod_webauthldap which probes
+ user's membership in multiple privgroups and sets an environment
+ variable to the list of those they're in.
+ - WebAuthLdapAttribute can now take multiple attributes on one line.
+ - WebLogin includes a password change script and template.
+ - WebLogin now supports password expiration handling.
+ - WebLogin may be configured to warn users of expiring passwords.
+ - WebLogin catches SIGTERM in login.fcgi and finishes the current
+ request, fixing some problems with unclean shutdown when FastCGI
+ restarts the running scripts.
+ - WebLogin correctly encodes RT and ST in the URL when redirecting to
+ an alternate URL when attempting REMOTE_USER authentication.
+ - wa_keyring now uses ISO format for timestamps.
+ - Various changes and cleanup to the WebAuth library API.
+ - Link wa_keyring with libcrypto properly. (Closes: #556674)
+ - Avoid importing isa from UNIVERSAL. (Closes: #578632)
+ - Lower the log level of some mod_webauth diagnostics.
+ * The default help.html file is now installed into
+ /usr/share/weblogin/generic/templates instead of one level higher.
+ * Upstream now no longer uses apxs to install modules, so upstream
+ supports DESTDIR and debian/rules can use make install instead of
+ rewriting all the installation rules.
+ * Drop the SONAME version from libwebauth-dev. We'll never need to
+ maintain development packages for more than one version of the ABI in
+ Debian at the same time. Add a transitional package to assist with
+ upgrades.
+ * Move Perl module dependencies from webauth-weblogin to libwebkdc-perl
+ since the supporting modules now load the other required Perl modules.
+ * Bump the versioned dependencies from webauth-weblogin and
+ libwebkc-perl on libwebauth-perl and in webauth-weblogin on
+ libwebkdc-perl.
+ * Add an explicit dependency on liburi-perl to libwebkdc-perl.
+ * Fix Perl dependencies in webauth-weblogin and webauth-tests.
+ * Add a Suggests of libapache2-mod-php5 to webauth-tests.
+ * Add Suggests of libtimedate-perl, libtime-duration-perl, and
+ libnet-remctl-perl to libwebkdc-perl, required for now for expiring
+ password warning support.
+ * Downgrade the libwebauth-dev dependency on libkrb5-dev to Suggests
+ since it's only required for static linking.
+ * Update build dependency to libcurl4-openssl-dev.
+ * Add additional build dependencies so that the Perl module test suite
+ can run.
+ * Force source format 1.0 for right now to make backporting easier.
+ * Update to debhelper compatibility level V7.
+ - Add ${misc:Depends} to all dependencies.
+ - Use dh_prep instead of dh_clean -k.
+ * Update standards version to 3.9.0 (no changes required).
+
+ -- Russ Allbery Thu, 08 Jul 2010 15:52:26 -0700
+
+webauth (3.6.2-2) unstable; urgency=low
+
+ * Set DESTDIR instead of PREFIX when installing the Perl modules. Perl
+ 5.10.1 doesn't allow changing PREFIX at install time. Thanks, Niko
+ Tyni.
+
+ -- Russ Allbery Tue, 15 Sep 2009 20:33:12 -0700
+
+webauth (3.6.2-1) unstable; urgency=high
+
+ * New upstream release.
+ - CVE-2009-2945: When generating a redirect to test for cookie
+ support, be sure not to include a password in the URL. Reject
+ username/password logins via methods other than POST.
+ - If the user submits the login form via POST without the test cookie,
+ assume the browser supports cookies and don't probe.
+ - New script (in /usr/share/doc/webauth-weblogin/weblogin-passcheck)
+ to find passwords exposed by CVE-2009-2945.
+
+ -- Russ Allbery Tue, 08 Sep 2009 15:30:20 -0700
+
+webauth (3.6.1-2) unstable; urgency=low
+
+ * Do not install the libwebauth.la file. Libtool *.la files force other
+ packages using Libtool to declare excessive library dependencies.
+ * Update standards version to 3.8.3 (no changes required).
+
+ -- Russ Allbery Mon, 24 Aug 2009 16:24:26 -0700
+
+webauth (3.6.1-1) unstable; urgency=low
+
+ * New upstream release.
+ - $BYPASS_CONFIRM now suppresses the confirm page after POST for
+ browsers that support this.
+ - $BYPASS_CONFIRM can be set to "id" to only bypass the confirmation
+ page if the WAS is not requesting a proxy token (and hence may
+ request delegated credentials).
+ - New variables for the WebLogin confirmation page containing
+ delegated credential details.
+ - Better WebLogin cookie handling with confirmation bypass.
+ * Remove -L and -l flags to dh_shlibdeps, which are no longer needed.
+ * Remove full paths to a2dismod in the package prerm scripts.
+ * Update standards version to 3.8.2.
+ - Change sections of Apache modules.
+ - Run test suite iff nocheck is not set in DEB_BUILD_OPTIONS.
+ * Add Vcs-Git and Vcs-Browser source control fields.
+ * Improve short description for libwebkdc-perl.
+ * Update debian/copyright to include a copy of the more thorough new
+ upstream LICENSE file.
+
+ -- Russ Allbery Tue, 14 Jul 2009 19:32:01 -0700
+
+webauth (3.6.0-1) unstable; urgency=low
+
+ * New upstream release.
+ - Fix prematurely freed internal data in mod_webauth.
+ - Work around a CGI Perl module bug in WebLogin that caused crashes
+ for WebLogin URLs containing two slashes and two plus signs.
+ - Add WebLogin support for delegated credentials. Based on work by
+ Joachim Keltsch. (Closes: #466792)
+ - New WebKdcLocalRealms and WebKdcPermittedRealms mod_webkdc options.
+ - New WebKDC protocol error for a login rejected by policy.
+ - New err_rejected variable in the weblogin login.tmpl template.
+ - Several new WebLogin configuration options and hooks.
+ - WebLogin REMOTE_USER variables have been renamed for consistency,
+ but the old variables will continue to work.
+ * Add symbols support for libwebauth1.
+ * Bump shlibs for libwebauth1 for the introduction of a new interface.
+ * Minor debian/rules tweaking:
+ - Use the right configure arguments for cross-compiles.
+ - Use touch $@ to create stamp files.
+ - Use install rather than cp and mkdir.
+ * Update the doc-base section for the WebAuth protocol specification.
+
+ -- Russ Allbery Fri, 21 Mar 2008 22:10:09 -0700
+
+webauth (3.5.5-1) unstable; urgency=low
+
+ * New upstream release.
+ - Check browser cookie support on first WebLogin visit for better
+ cookie checks with Apache authentication. (Closes: #430486)
+ - New err_cookies_disabled error template variable.
+ - Fix memory allocation for environment variables in mod_webauthldap.
+ - Improve display of Shibboleth destination URLs.
+ * Incorporate NEWS.Debian into webauth-weblogin.NEWS, since it is the
+ only affected package for the old news item.
+ * Call dh_fixperms before dh_strip so that the WebAuth Perl module will
+ be stripped properly.
+ * Recommend httpd-cgi and suggest libapache2-mod-auth-kerb for
+ webauth-weblogin.
+ * Use ${binary:Version} instead of ${Source-Version} in debian/control.
+ * Move the Homepage pseudo-header from Description to a real header.
+ * Wrap all Depends lines in debian/control.
+ * Drop the version on the Perl build-depends. That version is older
+ than oldstable.
+ * libwebkdc-perl is arch-independent, so no need for ${shilbs:Depends}.
+ * Use a configure-stamp file rather than config.status.
+ * Capitalize WebLogin consistently in package descriptions.
+ * Update standards version to 3.7.3 (no changes required).
+ * Update debhelper compatibility level to V5 (no changes required).
+
+ -- Russ Allbery Tue, 08 Jan 2008 22:00:03 -0800
+
+webauth (3.5.4-1) unstable; urgency=low
+
+ * New upstream release.
+ - WebLogin supports displaying destination Shibboleth URLs.
+ - Be more aggressive about telling browsers not to cache.
+ - Properly merge directory configurations in mod_webauthldap.
+ - Refresh REMOTE_USER cookies in WebLogin.
+ - Improved WebLogin documentation of cookies used.
+ * Put the Apache modules in the net section to match overrides.
+
+ -- Russ Allbery Tue, 24 Apr 2007 14:35:35 -0700
+
+webauth (3.5.3-2) unstable; urgency=low
+
+ * Rebuild for Apache 2.2.
+ - Add versioned build dependency.
+ - Change module dependencies from apache2 to apache2.2-common.
+ - Document the need to enable authz_user.
+ * Depend on apache2-threaded-dev rather than on the virtual apache2-dev
+ package.
+
+ -- Russ Allbery Mon, 9 Oct 2006 16:07:54 -0700
+
+webauth (3.5.3-1) unstable; urgency=low
+
+ * New usptream release.
+ - Upstream source now supports Apache 2.2 builds.
+ - Improve and document mod_webkdc logging.
+ - Disable debug logging in the weblogin scripts.
+
+ -- Russ Allbery Mon, 11 Sep 2006 20:34:07 -0700
+
+webauth (3.5.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ - SECURITY: Fix the default weblogin templates to always escape form
+ variables. Sites using customized templates should check their
+ templates for the same issue; see NEWS.gz for more information.
+ - When Apache authentication for weblogin fails, don't retry for that
+ user session even on empty form submissions.
+ - Mark weblogin login and logout pages and not cachable by browsers.
+ * Include NEWS, README, and TODO in the webauth-weblogin doc directory.
+
+ -- Russ Allbery Thu, 13 Jul 2006 17:56:23 -0700
+
+webauth (3.5.1-1) unstable; urgency=low
+
+ * New upstream release.
+ - Multiple changes to the Weblogin scripts and templates that will
+ require updates to existing templates. See the upstream NEWS file
+ for more details.
+ - Fix decoding of keyring times on 64-bit platforms.
+ * Update standards version to 3.7.2 (no changes required).
+
+ -- Russ Allbery Tue, 20 Jun 2006 09:20:44 -0700
+
+webauth (3.5.0-1) unstable; urgency=low
+
+ * New upstream release.
+ - WebAuthExtraRedirect on is now the default.
+ - Clean up of weblogin template variables. Existing templates will
+ have to be updated.
+ - Support for optional Apache authentication in weblogin.
+ - Clean up and better documentation of the weblogin code.
+ - New weblogin configuration documentation.
+ - http://webauth.stanford.edu/ is now the canonical upstream URL.
+
+ -- Russ Allbery Mon, 20 Mar 2006 17:29:57 -0800
+
+webauth (3.4.2-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Russ Allbery Fri, 17 Feb 2006 20:18:49 -0800
+
+webauth (3.4.1-1) unstable; urgency=low
+
+ * New upstream release.
+ - Reverted the change to not strip WebAuth data from unprotected URLs
+ since it interacted poorly with .htaccess files.
+ - The config option WebAuthStripURL is now documented and supported.
+ - Avoid deprecated OpenLDAP APIs.
+
+ -- Russ Allbery Mon, 6 Feb 2006 17:38:30 -0800
+
+webauth (3.4.0-1) unstable; urgency=low
+
+ * New upstream release.
+ - webauth-weblogin can now optionally try SPNEGO authentication before
+ prompting for a username and password.
+ - mod_webauth doesn't strip WebAuth information from the internal URL
+ for requests not protected by WebAuth.
+ - Much improved protocol specification.
+ - Use --enable-reduced-depends to reduce library dependencies.
+ - No compiler warnings with -Wall.
+ * Only install the protocol documentation in libapache2-mod-webauth, not
+ in libapache2-mod-webkdc. If you're using WebAuth at all you'll
+ install the former somewhere, and there's no need to duplicate it.
+ * Register the protocol documentation with doc-base.
+ * Don't install HACKING; it's not useful without the source.
+ * Use DH_OPTIONS to reduce clutter in debian/rules.
+ * Add build-arch and build-indep targets.
+ * Don't ignore the return status of make distclean.
+ * Use stamp files in a cleaner way.
+ * Update copyright dates.
+
+ -- Russ Allbery Mon, 23 Jan 2006 22:09:35 -0800
+
+webauth (3.3.0-2) unstable; urgency=low
+
+ * Build-depend on libcurl3-openssl-dev, not libcurl3-dev.
+ * Update maintainer address.
+
+ -- Russ Allbery Wed, 16 Nov 2005 16:39:21 -0800
+
+webauth (3.3.0-1) unstable; urgency=low
+
+ * New upstream release.
+ - S/Ident support removed.
+ - New WebAuthLdapSeparator configuration setting for multi-valued
+ attribute handling.
+ - libwebauth now uses symbol versioning.
+ * Update copyright to my current format and add an explicit packaging
+ copyright and license statement.
+ * Minor cleanup of debian/rules.
+ * Indent the homepage in package descriptions to avoid wrapping.
+ * Update standards version to 3.6.2 (no changes required).
+
+ -- Russ Allbery Tue, 4 Oct 2005 21:40:28 -0700
+
+webauth (3.2.8-1) unstable; urgency=low
+
+ * New upstream release.
+ - mod_webauth now handles empty keyring files appropriately.
+ - Significant improvements to the mod_webkdc manual.
+
+ -- Russ Allbery Thu, 2 Jun 2005 23:21:02 -0700
+
+webauth (3.2.7-1) unstable; urgency=low
+
+ * New upstream release.
+ - Update libtool to 1.5.6 for better shared library support on MIPS.
+ Thanks, Ryan Murray. (Closes: #306027)
+ - Better diagnose a missing service token on a weblogin request.
+
+ -- Russ Allbery Sat, 23 Apr 2005 14:33:20 -0700
+
+webauth (3.2.6-1) unstable; urgency=low
+
+ * Uploaded to Debian. (Closes: #304728)
+ * New upstream release.
+ - Renamed the WebAuth3 Perl bindings to WebAuth.
+ - Renamed the libwebauth3-perl package to libwebauth-perl accordingly.
+ * Add dependency on libwebauth-perl to webauth-weblogin. libwebkdc-perl
+ will also pull it in, but this is more completely correct.
+ * Add watch file.
+
+ -- Russ Allbery Mon, 18 Apr 2005 23:06:23 -0700
+
+webauth (3.2.5-1) unstable; urgency=low
+
+ * New upstream release.
+ - Removed debian directory from upstream tarball.
+ - Report information from mod_webauthldap at saner message levels.
+ * Fix package sections and formatting of the homepage link.
+ * Use CFLAGS for the Perl module builds rather than hard-coding flags.
+ * Change the README.Debian files to follow the Apache 2.x package
+ recommendations for where to put local configuration.
+ * Add upstream TODO to libapache2-webauth and libapache2-webkdc.
+
+ -- Russ Allbery Thu, 14 Apr 2005 21:51:28 -0700
+
+webauth (3.2.4-2) unstable; urgency=low
+
+ * No source changes.
+ * Rebuild for libcurl migration.
+
+ -- Russ Allbery Mon, 7 Mar 2005 14:47:24 -0800
+
+webauth (3.2.4-1) unstable; urgency=low
+
+ * New upstream release.
+ - Fix bug in S/Ident handling in weblogin script.
+ * Add prerm scripts for libapache2-webauth and libapache2-webkdc to call
+ a2dismod if the module is enabled.
+
+ -- Russ Allbery Wed, 25 Aug 2004 17:36:56 -0700
+
+webauth (3.2.3-1) unstable; urgency=low
+
+ * Initial release.
+
+ -- Russ Allbery Wed, 23 Jun 2004 16:11:02 -0700
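Review bot: the entry signed 08 Jul 2010 misspells a package name in its "Bump the versioned dependencies" item, writing libwebkc-perl where libwebkdc-perl is meant, so a search of the changelog for that package misses the dependency change. While editing, the 3.5.5-1 entry has "${shilbs:Depends}" for "${shlibs:Depends}", the 3.5.3-1 entry has "New usptream release", and the 3.5.2-1 entry reads "pages and not cachable" where "pages as not cacheable" is intended. The 3.6.2-1 entry is the one administrators will look for after CVE-2009-2945; it would help to state there, as the NEWS file does, which versions were affected.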
--- webauth-3.7.0.orig/debian/libapache2-webkdc.prerm
+++ webauth-3.7.0/debian/libapache2-webkdc.prerm
@@ -0,0 +1,14 @@
+#!/bin/sh
+# prerm script for libapache2-webkdc
+
+set -e
+
+if [ "$1" = remove ] || [ "$1" = deconfigure ] ; then
+ if [ -f /etc/apache2/mods-enabled/webkdc.load ] ; then
+ a2dismod webkdc
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
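Review bot: with "set -e" in effect, a non-zero exit from "a2dismod webkdc" aborts the prerm, and dpkg then refuses to remove or deconfigure the package. If the module link exists but a2dismod cannot complete (for example, apache2.2-common is itself half-removed), the administrator is left with a package that cannot be uninstalled. Consider tolerating the failure, e.g. "a2dismod webkdc || true", and add a short comment saying that the module is disabled here so Apache does not fail to start on a LoadModule line pointing at a removed .so file.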
--- webauth-3.7.0.orig/debian/webauth-weblogin.NEWS
+++ webauth-3.7.0/debian/webauth-weblogin.NEWS
@@ -0,0 +1,72 @@
+webauth-weblogin (3.7.0-1) unstable; urgency=low
+
+ The default help.html page is in /usr/share/weblogin/generic/templates
+ instead of /usr/share/weblogin/generic. If you reference it in your
+ Apache configuration, you will need to change the path.
+
+ -- Russ Allbery Wed, 07 Jul 2010 14:44:56 -0700
+
+webauth-weblogin (3.6.2-1) unstable; urgency=high
+
+ Versions of the webauth-weblogin package between 3.5.5 and 3.6.1,
+ inclusive, could in rare cases convert the user login to a GET and
+ expose the user's password in the URL, from which it would enter the
+ user's browser history and possibly be sent to remote web sites via
+ referrer. /usr/share/doc/webauth-weblogin/weblogin-passcheck is a
+ script that searches WebLogin web server logs and identifies users that
+ may be affected by this problem. Run it with -h for usage information.
+
+ -- Russ Allbery Tue, 08 Sep 2009 12:35:53 -0700
+
+webauth-weblogin (3.6.0-1) unstable; urgency=low
+
+ The login.tmpl WebLogin template has a new error variable, err_rejected,
+ which will be set if the user login was rejected due to a
+ WebKdcPermittedRealms setting.
+
+ -- Russ Allbery Fri, 21 Mar 2008 22:05:56 -0700
+
+webauth-weblogin (3.5.5-1) unstable; urgency=low
+
+ WebLogin now checks for cookies as the first action when a browser goes
+ to WebLogin for the initial time and uses the error template rather than
+ the login template to display errors about disabled cookies. The
+ err_cookies template variable in the login template is no longer used,
+ and the error template has a new err_cookies_disabled parameter.
+
+ Custom templates should be updated to handle err_cookies_disabled in the
+ error template, although the WebLogin scripts will work around the
+ absence of that variable.
+
+ -- Russ Allbery Tue, 08 Jan 2008 16:41:38 -0800
+
+webauth-weblogin (3.5.2-1) unstable; urgency=medium
+
+ Prior versions of the default weblogin templates had a cross-site
+ scripting vulnerability that potentially allowed an attacker to trick
+ users into submitting their username and password to the attacker's
+ site. This vulnerability has been corrected in the sample templates as
+ of this release, but any templates based on the sample templates should
+ be checked for this vulnerability as well.
+
+ In the templates, replace any instance of:
+
+
+
+ with:
+
+
+
+ where "variable" may be any variable name.
+
+ -- Russ Allbery Thu, 13 Jul 2006 17:56:23 -0700
+
+webauth (3.5.0-1) unstable; urgency=low
+
+ The weblogin template variables have changed significantly with this
+ release, both by renaming existing ones and by adding new ones. Please
+ read /usr/share/doc/webauth-weblogin/weblogin-config.gz for detailed
+ documentation for both the template variables and the webkdc.conf
+ settings.
+
+ -- Russ Allbery Wed, 15 Mar 2006 16:55:41 -0800
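Review bot: in the 3.5.2-1 entry, the lines after "replace any instance of:" and after "with:" are empty, so the one instruction an administrator needs to fix the cross-site scripting issue in custom templates is missing. Both the unescaped template tag and its escaped replacement have to appear literally here, since "where "variable" may be any variable name" refers to text that is not shown. Separately, the last entry is headed "webauth (3.5.0-1)" while every other entry in this file uses "webauth-weblogin"; the package name should be consistent or tools that filter NEWS by package will skip it.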
--- webauth-3.7.0.orig/debian/libapache2-webauth.postinst
+++ webauth-3.7.0/debian/libapache2-webauth.postinst
@@ -0,0 +1,32 @@
+#! /bin/sh
+# postinst script for libapache2-webauth
+
+set -e
+
+case "$1" in
+ configure)
+ # Make sure that /var/lib/webauth exists and is writable by the
+ # www-data group, since this is where the keyring and ticket cache
+ # will go.
+ if [ ! -d /var/lib/webauth ] ; then
+ mkdir /var/lib/webauth
+ fi
+ chgrp www-data /var/lib/webauth
+ chmod 770 /var/lib/webauth
+ ;;
+
+ abort-upgrade|abort-remove|abort-deconfigure)
+ ;;
+
+ *)
+ echo "postinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
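Review bot: in the configure branch, /var/lib/webauth is created with a bare "mkdir" and only afterwards restricted with chgrp and chmod, so for a moment the directory that will hold the keyring and ticket cache exists with umask-default permissions. Creating it with the final mode and group in one step, e.g. "install -d -m 770 -g www-data /var/lib/webauth", closes that window. The chgrp and chmod also run on every configure, not just on first creation, which silently resets any tighter permissions or different group a site has chosen; moving them inside the "if [ ! -d ... ]" block, or documenting that the package owns these permissions, would avoid surprises on upgrade.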
--- webauth-3.7.0.orig/debian/webauth-weblogin.README.Debian
+++ webauth-3.7.0/debian/webauth-weblogin.README.Debian
@@ -0,0 +1,173 @@
+WebAuth Weblogin Server for Debian
+----------------------------------
+
+This package contains the central Weblogin server for a WebAuth
+installation. Only one server (or one pool of load-balanced servers) at a
+given site need to run this package. libapache2-webkdc should also be
+installed on the same server as this package is running on.
+
+This package comes with a very generic set of page templates, suitable for
+getting started. You will probably want to customize those templates for
+your local site, and you should definitely customize the help.html web
+page to contain contact information for your local help desk. The generic
+templates are installed in /usr/share/webauth/generic; you can just copy
+that whole directory with cp -r to another directory and make whatever
+changes you want. Then, change the paths in the two Alias lines below to
+point to your directory instead of the generic directory and change the
+TEMPLATE_PATH in /etc/webkdc/webkdc.conf to point to the new path.
+
+(You could then, if you wished, make a Debian package of your local
+templates to make them easier to maintain.)
+
+See:
+
+
+
+for more information about WebAuth, including copies of the module manuals
+and places to contact to get help with the installation.
+
+
+Installing the Weblogin Server
+------------------------------
+
+The Weblogin server is implemented as Perl CGI scripts. In order to
+finish the installation, you need to add Apache configuration directives
+to send the login and logout URLs to these CGI scripts and to allow the
+images and help page they refer to to be found.
+
+Add the following configuration to a virtual host in:
+
+ /etc/apache2/sites-available/weblogin
+
+or wherever you put local Apache configuration:
+
+
+ AllowOverride None
+ Options +ExecCGI
+ SSLRequireSSL
+ Order allow,deny
+ Allow from all
+
+ ScriptAlias /login "/usr/share/weblogin/login.fcgi"
+ ScriptAlias /logout "/usr/share/weblogin/logout.fcgi"
+ ScriptAlias /pwchange "/usr/share/weblogin/pwchange.fcgi"
+
+ Alias /help.html "/usr/share/weblogin/generic/templates/help.html"
+ Alias /images/ "/usr/share/weblogin/generic/images/"
+
+(If you put this in sites-available, you then need to enable the site with
+a2ensite.)
+
+The ScriptAlias and Alias directives can, of course, be changed if you
+want the Weblogin server to live at a different URL (although note that
+the default templates expect /help.html and /images to work and may need
+to be modified otherwise). The pwchange configuration is optional, but
+without it WebLogin will not be able to correctly handle expired passwords
+and will instead just not allow users with expired passwords to
+authenticate.
+
+Add the URL for the pwchange script, if you configured one, to
+/etc/webkdc/webkdc.conf. If you used the recommended URL configured
+above, the line to add is:
+
+ $EXPIRING_PW_URL = '/pwchange';
+
+If you used a different URL, change the value of the setting. The host
+and scheme of the URL should be omitted and should be the same as the
+login URL, since otherwise browsers will reject the cross-site POST for
+security reasons.
+
+If you used something other than /webkdc-service as the URL to the WebKDC,
+you will need to modify the $URL setting in /etc/webkdc/webkdc.conf to
+point to the appropriate URL on localhost that the WebKDC is listening to.
+
+Because the Weblogin server accepts Kerberos passwords from end-users, it
+must only be available over SSL. The SSLRequireSSL above makes sure that
+users only use SSL to contact the server, but you may also want to put the
+above in a virtual host specifically for SSL and set up a separate non-SSL
+virtual host that redirects all accesses to the SSL URL.
+
+Now, reload Apache's configuration file with apache2ctl graceful. After
+you've tested and everything is working, you will probably want to
+customize the templates as described above.
+
+
+Site Documentation
+------------------
+
+After you have configured both this server and the WebKDC, following the
+instructions in /usr/share/doc/libapache2-webkdc/README.Debian, you should
+document the way WebAuth is configured at your site for other users who
+are installing the WebAuth modules on individual web servers. I recommend
+putting up a web page that contains the following information:
+
+ * The configuration needed for libapache2-webauth (or any other
+ installation of WebAuth, regardless of platform, at your site). Users
+ who are installing WebAuth servers need to know the URL to the WebKDC
+ service, the URL to the Weblogin server, and the Kerberos principal
+ used by the WebKDC, choices that you had to make while installing.
+
+ I recommend using:
+
+ WebAuthLoginURL https://weblogin.example.com/login
+ WebAuthWebKdcURL https://weblogin.example.com/webkdc-service
+ WebAuthWebKdcPrincipal service/webkdc@example.com
+
+ where example.com is your domain. But as long as you configure this
+ package and libapache2-webkdc consistently, you can use whatever URLs
+ and Kerberos principals you want.
+
+ * The naming convention for WebAuth Kerberos principals for individual
+ web servers. This needs to match the configuration that you put into
+ token.acl when configuring the WebKDC.
+
+ * How to download or otherwise obtain a Kerberos keytab at your site,
+ when someone is installing a new server. This will depend on how your
+ Kerberos realm is maintained.
+
+You will also want to modify the templates for the Weblogin server as
+mentioned above to include images, pointers, and help appropriate to your
+local site.
+
+
+Using SPNEGO
+------------
+
+The Weblogin scripts optionally support attempting to authenticate with
+SPNEGO first before prompting the user with a username and password. If
+the user is authenticated to Kerberos and their ticket caches are properly
+accessible to the browser, this should work with Firefox on all platforms
+and Safari on the Mac, at least. It may also work with IE depending on
+your KDC setup.
+
+To use SPNEGO in Debian, install the libapache2-mod-auth-kerb module (it
+will do the SPNEGO protocol work) and then follow the instructions in
+/usr/share/doc/webauth-weblogin/install-spnego.gz. The path to the
+login.fcgi script will be different in the example ScriptAlias
+configuration, but otherwise those instructions should work verbatim with
+Debian.
+
+
+Using FastCGI
+-------------
+
+The Weblogin scripts are written so that they can use FastCGI, but don't
+require it. FastCGI is, unfortunately, under a non-free license, so this
+is not the default.
+
+If you want to use these scripts with FastCGI, you will need to install
+the Apache 2.x modules for FastCGI, which are not bundled with Debian.
+You can obtain them from . Once the module is
+installed, you need to add this line to load the module:
+
+ LoadModule fastcgi_module modules/mod_fastcgi.so
+
+and then, to the block in the installation instructions above,
+add the line:
+
+ AddHandler fastcgi-script .fcgi
+
+After you restart Apache with apache2ctl graceful, the Weblogin scripts
+should run under FastCGI.
+
+ -- Russ Allbery , Wed, 7 Jul 2010 18:00:16 -0700
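Review bot: the introduction says the generic templates are installed in /usr/share/webauth/generic, but the Alias lines further down use /usr/share/weblogin/generic/templates/help.html and /usr/share/weblogin/generic/images/, and the NEWS entry for 3.7.0 also names /usr/share/weblogin/generic. An administrator following the "cp -r" advice will copy a path that does not match what Apache serves; the introduction should use the same /usr/share/weblogin path. The configuration example also shows "AllowOverride None", "Options +ExecCGI" and "SSLRequireSSL" with no enclosing container, while the FastCGI section tells the reader to add a line "to the block in the installation instructions above"; the container's opening and closing lines need to be present so it is clear which directory SSLRequireSSL applies to. The sentences "See:" and "You can obtain them from ." are likewise missing their URLs.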
--- webauth-3.7.0.orig/debian/webauth-tests.install
+++ webauth-3.7.0/debian/webauth-tests.install
@@ -0,0 +1 @@
+usr/share/webauth
--- webauth-3.7.0.orig/debian/libwebauth4.install
+++ webauth-3.7.0/debian/libwebauth4.install
@@ -0,0 +1 @@
+usr/lib/libwebauth.so.*
--- webauth-3.7.0.orig/debian/control
+++ webauth-3.7.0/debian/control
@@ -0,0 +1,163 @@
+Source: webauth
+Section: web
+Priority: optional
+Maintainer: Russ Allbery
+Build-Depends: debhelper (>> 7), apache2-threaded-dev (>= 2.2),
+ libcgi-fast-perl, libcurl4-openssl-dev, libhtml-template-perl,
+ libkrb5-dev, libldap2-dev, libssl-dev, liburi-perl, libwww-perl,
+ libxml-parser-perl, perl
+Standards-Version: 3.9.0
+Homepage: http://webauth.stanford.edu/
+Vcs-Git: git://git.eyrie.org/kerberos/webauth.git
+Vcs-Browser: http://git.eyrie.org/?p=kerberos/webauth.git
+
+Package: libapache2-webauth
+Section: httpd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, apache2.2-common
+Description: Apache 2 modules for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the Apache 2 modules to do basic authentication for
+ individual web servers and to look up LDAP information using LDAP v3 with
+ GSSAPI binds about the authenticated user. Directory information can be
+ used for authorization control and to populate environment variables.
+ These modules should be installed on any web server using WebAuth.
+
+Package: libapache2-webkdc
+Section: httpd
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, apache2.2-common
+Description: Apache 2 modules for a WebAuth authentication KDC
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the Apache 2 module for the central authentication
+ server for a particular site. Only one such server is needed; all web
+ servers that use WebAuth will talk to this server to obtain and verify
+ authentication credentials.
+
+Package: libwebauth-perl
+Section: perl
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends}
+Description: Perl library for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the Perl bindings to the WebAuth library, which
+ does token encoding and decoding and other lower-level parts of the
+ WebAuth protocol.
+
+Package: libwebauth4
+Section: libs
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Shared libraries for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the shared library used by the WebAuth modules,
+ Perl bindings, and command-line utilities. It does token encoding and
+ decoding and other lower-level parts of the WebAuth protocol.
+
+Package: libwebauth-dev
+Section: libdevel
+Priority: extra
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends},
+ libwebauth4 (= ${binary:Version})
+Suggests: libkrb5-dev
+Replaces: libwebauth1-dev (<< 3.7.0)
+Breaks: libwebauth1-dev (<< 3.7.0)
+Description: Development files for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the symlinks, headers, and static library needed to
+ compile and link programs that use libwebauth.
+
+Package: libwebauth1-dev
+Section: oldlibs
+Priority: extra
+Architecture: all
+Depends: ${misc:Depends}, libwebauth-dev
+Description: Transitional package for WebAuth development files
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This is a transitional package to assist upgrades to the current WebAuth
+ development package. It can be removed from your system after
+ installation.
+
+Package: libwebkdc-perl
+Section: perl
+Architecture: all
+Depends: ${misc:Depends}, ${perl:Depends}, libwebauth-perl (>= 3.7.0),
+ libcgi-fast-perl, libhtml-template-perl, libio-socket-ssl-perl,
+ liburi-perl, libwww-perl, libxml-parser-perl
+Suggests: libnet-remctl-perl, libtime-duration-perl, libtimedate-perl
+Description: Perl libraries for WebAuth central login server
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the Perl modules that support the WebLogin server,
+ which handles user authentication and the establishment of initial
+ authentication credentials.
+
+Package: webauth-tests
+Architecture: all
+Depends: ${misc:Depends}, ${perl:Depends}, libapache2-webauth
+Suggests: libapache2-mod-php5
+Description: Tests for the WebAuth authentication modules
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains test HTML files and Apache 2 configuration
+ fragments to test a new installation of the WebAuth modules.
+
+Package: webauth-utils
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Description: Command-line utilities for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains an additional command-line tool to manipulate
+ WebAuth keyrings.
+
+Package: webauth-weblogin
+Architecture: all
+Depends: ${misc:Depends}, ${perl:Depends}, libwebauth-perl (>= 3.7.0),
+ libwebkdc-perl (>= 3.7.0)
+Recommends: httpd-cgi
+Suggests: libapache2-mod-auth-kerb
+Description: Central login server for WebAuth authentication
+ WebAuth is a cookie-based web authentication system built on top of
+ Kerberos. It relies on a central authentication server that handles all
+ user authentication for a domain and creates user authentication
+ credentials for any web server that needs strong authentication.
+ .
+ This package contains the CGI-based WebLogin server that handles initial
+ user authentication and building authentication tokens for WebAuth
+ servers. Only one WebLogin server is needed to support a site WebAuth
+ installation. It is normally run on the same system as the WebKDC.
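Review bot: the webauth-weblogin stanza has "Recommends: httpd-cgi" only, yet its own description says it is "normally run on the same system as the WebKDC" and the README states that libapache2-webkdc should be installed on the same server. Adding libapache2-webkdc to Recommends would make the default install match the documented deployment and avoid a WebLogin server that starts without the WebKDC it has to talk to. A smaller point on the source stanza: "debhelper (>> 7)" is unusual for compatibility level V7; "debhelper (>= 7)" is the conventional form and says the same thing more clearly.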
--- webauth-3.7.0.orig/debian/webauth-weblogin.docs
+++ webauth-3.7.0/debian/webauth-weblogin.docs
@@ -0,0 +1,6 @@
+README
+TODO
+docs/install-spnego
+docs/weblogin-config
+docs/weblogin-cookies
+docs/weblogin-flow
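Review bot: both the changelog entry for 3.6.2-1 and the NEWS entry for CVE-2009-2945 point administrators to /usr/share/doc/webauth-weblogin/weblogin-passcheck, but that script is not in this docs list. If it is installed by debian/rules or another file, a comment to that effect would help; if not, it needs to be added here, since it is the tool sites are told to run to find exposed passwords.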
--- webauth-3.7.0.orig/debian/libwebauth4.symbols
+++ webauth-3.7.0/debian/libwebauth4.symbols
@@ -0,0 +1,68 @@
+libwebauth.so.4 libwebauth4 #MINVER#
+ WEBAUTH_2.0@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_add@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_add_int32@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_add_str@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_add_time@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_add_uint32@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_find@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_free@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_get@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_get_int32@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_get_str@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_get_time@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_get_uint32@WEBAUTH_2.0 3.7.0
+ webauth_attr_list_new@WEBAUTH_2.0 3.7.0
+ webauth_attrs_decode@WEBAUTH_2.0 3.7.0
+ webauth_attrs_encode@WEBAUTH_2.0 3.7.0
+ webauth_attrs_encoded_length@WEBAUTH_2.0 3.7.0
+ webauth_base64_decode@WEBAUTH_2.0 3.7.0
+ webauth_base64_decoded_length@WEBAUTH_2.0 3.7.0
+ webauth_base64_encode@WEBAUTH_2.0 3.7.0
+ webauth_base64_encoded_length@WEBAUTH_2.0 3.7.0
+ webauth_error_message@WEBAUTH_2.0 3.7.0
+ webauth_hex_decode@WEBAUTH_2.0 3.7.0
+ webauth_hex_decoded_length@WEBAUTH_2.0 3.7.0
+ webauth_hex_encode@WEBAUTH_2.0 3.7.0
+ webauth_hex_encoded_length@WEBAUTH_2.0 3.7.0
+ webauth_info_build@WEBAUTH_2.0 3.7.0
+ webauth_info_version@WEBAUTH_2.0 3.7.0
+ webauth_key_copy@WEBAUTH_2.0 3.7.0
+ webauth_key_create@WEBAUTH_2.0 3.7.0
+ webauth_key_free@WEBAUTH_2.0 3.7.0
+ webauth_keyring_add@WEBAUTH_2.0 3.7.0
+ webauth_keyring_auto_update@WEBAUTH_2.0 3.7.0
+ webauth_keyring_best_key@WEBAUTH_2.0 3.7.0
+ webauth_keyring_decode@WEBAUTH_2.0 3.7.0
+ webauth_keyring_encode@WEBAUTH_2.0 3.7.0
+ webauth_keyring_free@WEBAUTH_2.0 3.7.0
+ webauth_keyring_new@WEBAUTH_2.0 3.7.0
+ webauth_keyring_read_file@WEBAUTH_2.0 3.7.0
+ webauth_keyring_remove@WEBAUTH_2.0 3.7.0
+ webauth_keyring_write_file@WEBAUTH_2.0 3.7.0
+ webauth_krb5_change_password@WEBAUTH_2.0 3.7.0
+ webauth_krb5_error_code@WEBAUTH_2.0 3.7.0
+ webauth_krb5_error_message@WEBAUTH_2.0 3.7.0
+ webauth_krb5_export_tgt@WEBAUTH_2.0 3.7.0
+ webauth_krb5_export_ticket@WEBAUTH_2.0 3.7.0
+ webauth_krb5_free@WEBAUTH_2.0 3.7.0
+ webauth_krb5_get_principal@WEBAUTH_2.0 3.6.0
+ webauth_krb5_get_realm@WEBAUTH_2.0 3.6.0
+ webauth_krb5_import_cred@WEBAUTH_2.0 3.7.0
+ webauth_krb5_init_via_cache@WEBAUTH_2.0 3.7.0
+ webauth_krb5_init_via_cred@WEBAUTH_2.0 3.7.0
+ webauth_krb5_init_via_keytab@WEBAUTH_2.0 3.7.0
+ webauth_krb5_init_via_password@WEBAUTH_2.0 3.7.0
+ webauth_krb5_keep_cred_cache@WEBAUTH_2.0 3.7.0
+ webauth_krb5_mk_req@WEBAUTH_2.0 3.7.0
+ webauth_krb5_mk_req_with_data@WEBAUTH_2.0 3.7.0
+ webauth_krb5_new@WEBAUTH_2.0 3.7.0
+ webauth_krb5_rd_req@WEBAUTH_2.0 3.7.0
+ webauth_krb5_rd_req_with_data@WEBAUTH_2.0 3.7.0
+ webauth_random_bytes@WEBAUTH_2.0 3.7.0
+ webauth_random_key@WEBAUTH_2.0 3.7.0
+ webauth_token_create@WEBAUTH_2.0 3.7.0
+ webauth_token_create_with_key@WEBAUTH_2.0 3.7.0
+ webauth_token_encoded_length@WEBAUTH_2.0 3.7.0
+ webauth_token_parse@WEBAUTH_2.0 3.7.0
+ webauth_token_parse_with_key@WEBAUTH_2.0 3.7.0
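Review bot: webauth_krb5_get_principal and webauth_krb5_get_realm are recorded with minimum version 3.6.0, while every other symbol in libwebauth.so.4 is recorded at 3.7.0, and nothing in the file explains the difference. If libwebauth4 first shipped with 3.7.0 the lower bound is harmless, but it reads like a leftover. Either align the two entries at 3.7.0 or add a comment line in the symbols file stating why they differ, so that a later symbols update does not have to guess.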
--- webauth-3.7.0.orig/debian/libapache2-webkdc.NEWS
+++ webauth-3.7.0/debian/libapache2-webkdc.NEWS
@@ -0,0 +1,15 @@
+libapache2-webkdc (3.3.0-1) unstable; urgency=low
+
+ S/Ident support has been removed from WebAuth due to the discovery of a
+ protocol flaw that allows active man-in-the-middle attacks. WebAuth is
+ particularly vulnerable to such an attack because all WebAuth users
+ regularly go to the central weblogin server and exploiting this
+ vulerability would have allowed capture of a single sign-on cookie for
+ the victim.
+
+ If you were using S/Ident in your WebKDC, you will need to remove any
+ WebKdcSIdentAuthType and WebKdcSIdentTimeout settings in your Apache
+ configuration.
+
+ -- Russ Allbery Tue, 4 Oct 2005 21:28:12 -0700
+
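Review bot: "vulerability" in the first paragraph should be "vulnerability"; this is the security notice administrators see at upgrade time, so it is worth fixing before upload. The trailer line "-- Russ Allbery Tue, 4 Oct 2005 21:28:12 -0700" also has no maintainer address between the name and the date, which the changelog-style NEWS format expects in the form "Name <address>" followed by two spaces and the date.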
--- webauth-3.7.0.orig/debian/source/format
+++ webauth-3.7.0/debian/source/format
@@ -0,0 +1 @@
+1.0