WebAuth

Description

WebAuth is a comprehensive system for authenticating web users, built on top of Apache. It relies on a central authentication server (the WebKDC), with which individual web servers negotiate keys, and a central login server (WebLogin), to which users are redirected on their first attempt to access a protected web site. WebAuth uses AES-encrypted chunks of data, called tokens, that can be sent either in URLs or in cookies. These tokens are used to communicate between the login server and each participating web server. The WebAuth protocol can use whatever initial user authentication mechanism is convenient for the local site to establish the user's identity. Once the user has logged in to the login server, their identity is carried in a cookie set by that login server, and they will not need to enter their password again until their credentials expire, even if they visit multiple different protected web sites.

WebAuth currently relies on either Kerberos or Apache to establish the user's identity, although some features are only available if Kerberos is used. Kerberos is currently the only supported mechanism for WebAuth servers to authenticate to the WebKDC. The protocol is sufficiently general, however, to allow other methods to be added.

WebAuth supports obtaining credentials on behalf of the user by trusted application servers, allowing a cleaner implementation of portal-style applications.

WebAuth also provides a second module that can do LDAP directory lookups using Kerberos GSS-API authentication and use the result to authorize web clients by privilege groups or provide directory information to web applications in environment variables. This module implements a subset of the capabilities of more general Apache LDAP modules, but provides those features using a simpler and more easily documented syntax.

These are not the official WebAuth pages. For the primary download sites, more user documentation, RPMs, support details, and other information, see the official site. These pages will reflect the current development version and may provide more developer-style documentation.

WebAuth was designed and written by Roland Schemers, based on the version two system written and maintained by many people, notably Jeff Lewis, Anton Ushakov, and Jeanmarie Lucker. The LDAP module was written by Anton Ushakov. I currently maintain it.

Requirements

WebAuth is written in C and requires a C compiler to build. It is implemented as Apache modules and therefore requires Apache version 2.0.43 or later (including Apache 2.2 and 2.4 versions). It additionally requires OpenSSL 0.9.7 or later, MIT Kerberos or Heimdal, and cURL. The optional LDAP support requires Cyrus SASL and OpenLDAP.

The WebLogin component requires Perl 5.6 or later plus CGI::Application, the AutoRunmode, Forward, Redirect, and TT plugins for it, Template Toolkit, libwww (LWP), IO::Socket::SSL or Crypt::SSLeay, URI, and XML::Parser, all of which are available from CPAN. The Apache mod_fastcgi module is recommended to speed up the WebLogin interface, but is not required.

For optional WebLogin support for warning users of expired passwords, the Net::Remctl, Date::Parse (part of the TimeDate distribution), and Time::Duration Perl modules are required. The local Kerberos realm must provide the remctl interface from the kadmin-remctl package for the WebLogin script to query.

For optional WebLogin support for replay caching and rate limiting, the Cache::Memcached and Digest::SHA (part of Perl since 5.9.3) Perl modules are required.

For the end user, WebAuth requires that the user's browser be able to handle cookies of moderate length (up to 1KB) and URLs of a similar length. Cookies must be enabled for the systems that use WebAuth authentication. All communication with WebAuth servers is required to be over SSL/TLS to protect the user's credentials. No other special browser capabilities are required.

Other packages are required for bootstrapping from a Git checkout, for making some source changes, and for running the full test suite. See the README file for a complete list.

Download

The distribution:

WebAuth 4.6.1 (2014-07-23): tar.gz (PGP signature), tar.xz (PGP signature)

An archive of older releases is also available. The WebLogin servers from versions older than 3.6.2 or from versions 4.4.1 through 4.5.2 have known security vulnerabilities and should not be used.

Debian packages are available from Debian as of Debian 3.1 (sarge). Install libapache2-webauth (libapache2-mod-webauth in experimental) for the basic Apache modules, libapache2-webkdc (libapache2-mod-webkdc in experimental) for the WebKDC, and webauth-weblogin for the WebLogin script. wa_keyring is available in webauth-utils.

WebAuth is maintained using the Git version control system. To check out the current development tree, clone:

    git://git.eyrie.org/kerberos/webauth.git

You can also browse the current development source.

Documentation

The documentation is organized into the following groups: user documentation, installation and configuration, security advisories, developer documentation, protocol documentation, and Perl API documentation.

See the official WebAuth pages for additional documentation and information.

License

The WebAuth package as a whole is released under the following license:

Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 The Board of Trustees of the Leland Stanford Junior University

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Some individual source files are covered by other, compatible licenses. For complete copyright and license information, see the file LICENSE in the WebAuth source distribution.

Last spun 2014-07-23 from thread modified 2014-03-19