Russ Allbery [Sun, 9 Aug 2015 17:31:15 +0000 (10:31 -0700)]
Set secure cookie flag properly with WebAuthSSLReturn
If WebAuthSSLReturn is set to true, we may see non-SSL connections
that are SSL from the perspective of the browser (such as a WebAuth
server behind an L7 load balancer that does SSL termination). In
this case, we still want to set the secure flag on the cookie so that
the browser properly restricts it to SSL connections.
Trigger setting the secure flag off the combination of whether the
request is SSL and whether WebAuthSSLReturn is set, rather than
just the former.
Gbp-Pq: Name 0004-Set-secure-cookie-flag-properly-with-WebAuthSSLRetur.patch
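The rule this commit describes, as an added illustration that is not WebAuth's own code (the real logic lives in the Apache module, so this is a Perl sketch of the decision using CGI::Cookie from the CGI distribution): the `$is_ssl` and `$ssl_return` arguments, the `cookie_header` helper and the cookie name are assumptions chosen for the example, standing in for the request's SSL status and the WebAuthSSLReturn setting.

```perl
#!/usr/bin/perl
# Added illustration, not WebAuth's own code: decide the Secure flag for a
# session cookie from the combination of "request is SSL" and the
# WebAuthSSLReturn setting, rather than from the former alone.
use strict;
use warnings;
use CGI::Cookie;

# Build the Set-Cookie header value for a WebAuth-style session cookie.
#   $is_ssl     - whether Apache sees this request as arriving over SSL
#   $ssl_return - the (assumed) value of the WebAuthSSLReturn setting
sub cookie_header {
    my ($name, $value, $is_ssl, $ssl_return) = @_;

    # Old behaviour: secure only when $is_ssl.  New behaviour: either signal
    # means the browser is talking SSL, so the cookie must be marked secure
    # or the browser will happily send it over plain HTTP as well.
    my $secure = ($is_ssl || $ssl_return) ? 1 : 0;

    my $cookie = CGI::Cookie->new(
        -name   => $name,
        -value  => $value,
        -path   => '/',
        -secure => $secure,
    );
    return $cookie->as_string;
}

# Constructed scenario: an L7 load balancer terminates SSL, so Apache sees a
# plain HTTP request ($is_ssl = 0) even though the browser used https.
print cookie_header('webauth_at', 'opaque-token', 0, 0), "\n";  # no secure flag
print cookie_header('webauth_at', 'opaque-token', 0, 1), "\n";  # secure flag set
print cookie_header('webauth_at', 'opaque-token', 1, 0), "\n";  # secure flag set
```

The second line is the case the commit fixes: without consulting the WebAuthSSLReturn setting, a cookie issued behind a TLS-terminating proxy would be emitted without the secure attribute.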
Robert Bradley [Sun, 29 Nov 2015 05:36:39 +0000 (21:36 -0800)]
Suppress CGI warnings from param in list context
Force scalar context to eliminate the new warning from the CGI
module:
FastCGI: server "/usr/share/webkdc/cgi/login.fcgi" stderr: CGI::param
called in list context from package WebLogin line 1615, this can lead
to vulnerabilities. See the warning in "Fetching the value or values
of a single named parameter" at /usr/share/perl5/CGI.pm line 436.
Gbp-Pq: Name 0002-Suppress-CGI-warnings-from-param-in-list-context.patch
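The hazard behind the warning quoted above, as an added example that is not WebLogin's own code: a constructed query string carries the same parameter several times, and `CGI::param` in list context returns all of its values, so a hash built from it gains keys the programmer never wrote. The `fields_unsafe` and `fields_safe` helpers and the parameter names are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added illustration, not WebLogin's own code: why CGI::param in list context
# can lead to vulnerabilities, and how forcing scalar context removes the risk.
use strict;
use warnings;
use CGI;

# Constructed request: 'username' is supplied three times.  In list context the
# extra values slide into the surrounding hash as a new key/value pair.
my $q = CGI->new('username=alice&username=is_admin&username=1&password=x');

# Vulnerable form.  Hash assignment is list context, so param('username')
# expands to ('alice', 'is_admin', '1') and the result is
#   (username => 'alice', is_admin => '1', password => 'x')
# This is the pattern CGI.pm now warns about.
sub fields_unsafe {
    my ($q) = @_;
    return (
        username => $q->param('username'),
        password => $q->param('password'),
    );
}

# Hardened form.  scalar() forces scalar context, which yields only the first
# value, so the hash contains exactly the keys written in the source.
sub fields_safe {
    my ($q) = @_;
    return (
        username => scalar $q->param('username'),
        password => scalar $q->param('password'),
    );
}

my %bad  = fields_unsafe($q);   # emits the CGI list-context warning on stderr
my %good = fields_safe($q);

print "unsafe keys: ", join(',', sort keys %bad),  "\n";   # includes is_admin
print "safe keys:   ", join(',', sort keys %good), "\n";   # password,username
```

Forcing scalar context, as the commit does, is the fix; silencing the warning alone would leave any such hash construction exploitable by a client that repeats a parameter.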
Russ Allbery [Mon, 7 Aug 2017 14:54:47 +0000 (07:54 -0700)]
webauth (4.7.0-5) unstable; urgency=medium
* Update build dependency to libssl-dev (OpenSSL 1.1). (Closes: #859788)
* Remove old transitional packages for the Apache module renaming.
* Update standards version to 4.0.1.
- Change all extra priorities to optional.
Jon Robertson [Tue, 30 Sep 2014 05:22:01 +0000 (22:22 -0700)]
Finished first pass at mod_webkdc automated tests
The main tests are now all complete save PHP. The multifactor tests
have been halted for now due to waiting on template completion and
having higher-priority tasks to finish.
Jon Robertson [Mon, 22 Sep 2014 20:44:34 +0000 (13:44 -0700)]
Give a validation remctl command its own timeout error
In order to set up out of band methods that will time out if the user
doesn't respond to the out of band prompt (such as a phone call), we
need to have a validation remctl call tell us specifically if it timed
out. Currently it's just sent as a WK_ERR_UNRECOVERABLE_ERROR, which
makes it impossible to carve out special logic for a timeout. This will
now be sent as its own error code.
Currently this is only true for validate and not for the userinfo
command. If we later need to do special things for userinfo timeouts as
well, we'll build on this work.
Jon Robertson [Thu, 18 Sep 2014 06:26:18 +0000 (23:26 -0700)]
First pass at updating all tests for clarity and auto-running
Clarified a lot of the test information on the index page. Started to
do scripts with WWW::Mechanize to test an install. These tests do rely
on the Stanford templates so aren't good for general use. But then, the
multifactor tests were already relying on assumptions about our
infrastructure.
Jon Robertson [Tue, 26 Aug 2014 06:18:03 +0000 (23:18 -0700)]
WebLogin: Changes for better multifactor handling
* Reread multifactor data from fields on the multifactor template page.
* Pass a FreezeThaw version of the devices to the template as well, so
that it can be kept for future iterations.
* Attempt multifactor login even if there is no passcode given, to
accommodate non-passcode methods.
* Catch the unrecoverable error page from multifactor temporarily, as
we'll hit that error if an out-of-band method times out. Later we
want to expose the timeout as an actual error on its own instead so
that we can match against it rather than unrecoverable error.
Change-Id: I950b200c9ab58abfff9e59f65b29cd06c4c8d98c
Reviewed-on: https://gerrit.stanford.edu/1618
Reviewed-by: Jon Robertson <jonrober@stanford.edu>
Tested-by: Jon Robertson <jonrober@stanford.edu>
Russ Allbery [Fri, 15 Aug 2014 00:44:32 +0000 (17:44 -0700)]
Add temporary test code to the multifactor template
To check the data returned from the WebKDC for the default device
and factor, and for the device list, add some temporary testing
code to print all of that out in the template. This should probably
be removed before a release.
Russ Allbery [Fri, 15 Aug 2014 00:43:23 +0000 (17:43 -0700)]
Add support for new multifactor data in WebLogin code
Support reading device_id from the posted form and passing it
through in the login token. Support reading the default device
and factor and the device list from mod_webkdc and exposing it
to the templates. Not yet tested thoroughly or end-to-end.
Russ Allbery [Thu, 14 Aug 2014 01:26:33 +0000 (18:26 -0700)]
Provide the device and default factor information to WebLogin
Pass the device information and default device through from the
user information service to the response to a WebLogin
<requestTokenRequest> so that it can be, eventually, passed all the
way to the templates.
Russ Allbery [Thu, 14 Aug 2014 00:23:16 +0000 (17:23 -0700)]
Add support for default and device info in userinfo calls
In the JSON implementation of the user information call, add
support for reading default device information and the list of
configured devices. Add support for passing in the device ID
for validate calls, and pull it out of the login token. (This
field is ignored with the old XML protocol.)
Russ Allbery [Thu, 14 Aug 2014 00:22:20 +0000 (17:22 -0700)]
Change the protocol for returning device information to WebLogin
Use more, separate XML elements to better match the information
model returned by the user information service using JSON, instead
of collapsing everything as attributes.
Russ Allbery [Thu, 14 Aug 2014 00:16:16 +0000 (17:16 -0700)]
Recognize more failed login error codes from Kerberos
Recognize KRB5_BAD_ENCTYPE, KRB5_GET_IN_TKT_LOOP, KRB5_PREAUTH_FAILED,
and KRB5KRB_AP_ERR_MODIFIED as additional synonyms for a failed login
error code. Various combinations of recent MIT and Heimdal with
different KDCs return these error codes if the password is incorrect.
Russ Allbery [Wed, 13 Aug 2014 23:48:44 +0000 (16:48 -0700)]
Add new device_id field to login tokens
This will be used by WebLogin to pass the authenticating device
identifier through to the WebKDC. Add the field to the login
token encoding and to all of the various tests, and adjust the
test suite construction of login tokens to account for the extra
field. Pass through a value in multifactor tests in preparation
for further tests that actually use that field.
Russ Allbery [Tue, 12 Aug 2014 03:26:58 +0000 (20:26 -0700)]
Add a note about possible Kerberos APIs for ticket serialization
Peter Mogensen pointed out MIT Kerberos APIs that can be used to
serialize a ticket in a native format, which would be a nice
replacement for our home-grown serialization format. Add a note
about that to TODO.
Russ Allbery [Thu, 7 Aug 2014 20:42:43 +0000 (13:42 -0700)]
Bump shared library versioning
The addition of the new json flag in the user information service
configuration will force this, and I plan on changing the API for
the user information service calls as well.
Russ Allbery [Thu, 7 Aug 2014 02:13:13 +0000 (19:13 -0700)]
Refactor JSON argument construction with macros
Add macros that wrap the error checking when building JSON objects
and that correctly free temporary objects. Use that to restructure
the command construction so that it shouldn't leak memory and is
much easier to read.
Russ Allbery [Thu, 7 Aug 2014 00:35:03 +0000 (17:35 -0700)]
Refactor userinfo code
Separate the remctl support, XML parsing, and JSON parsing into
separate source files to make each source file more comprehensible.
While doing this, stop always sending ip to the user information
service in the JSON protocol. Now that we have a protocol that can
handle optional arguments easily, don't send ip if we don't have an
IP address.
Russ Allbery [Mon, 4 Aug 2014 20:52:20 +0000 (13:52 -0700)]
Enable JSON testing and fix one minor bug
Enable testing of the new JSON support in the user information
service, and fix one minor bug that surfaced in that testing.
The JSON code now produces results equivalent to the non-JSON
code.
Russ Allbery [Sat, 2 Aug 2014 02:22:10 +0000 (19:22 -0700)]
Initial framework for testing JSON user information calls
Add the remctl interface, the Perl backend, and the JSON data
for testing the user information service with JSON. This is not
yet hooked into the test suite.
Russ Allbery [Sat, 2 Aug 2014 02:18:52 +0000 (19:18 -0700)]
Initial implementation of JSON user information service support
An initial implementation of a new user information service protocol
that uses JSON for communication. The JSON call and parsing of the
result is implemented and compiles, but is not yet tested and is
probably buggy. The code is in significant need of refactoring at
some point.
Russ Allbery [Sat, 2 Aug 2014 01:22:55 +0000 (18:22 -0700)]
Remove remctl and kadmin-remctl references in README
This was for the separate query for the user's password expiration,
which is no longer supported in favor of pulling that information
from the user information service and passing it down from mod_webkdc.