Posts for August 2013

2013-08-14: C TAP Harness 2.2

I've been incredibly, overwhelmingly busy lately, and I'm still fairly consumed by things other than writing journal posts (or reviews, sigh), but hopefully it's letting up a bit now. At the least, I'm back to writing code instead of doing other things, which is quite a relief.

There's nothing particularly exciting in this release of my C test harness software, but since I'm doing some general releases anyway, it seemed like a good time to flush out pending changes. This release changes the exit status of the bail and sysbail functions to 255 to more closely match the BAIL_OUT function in Perl's Test::More, and documents why the runtests test harness does not match Test::More's handling of a bailing test case.

You can get the latest version from the C TAP Harness distribution page.

2013-08-14: rra-c-util 4.9

This is another rollup of various pending changes in my collection of supporting software.

The libkafs portability layer now supports k_pioctl somewhat more completely by providing a fallback to lpioctl when using the AFS libraries and a system call failure when no library was found. The libkafs functions are also now properly prototyped if the library was found but no header files were available.

The network_connection function, when given a timeout, restarts waiting for a non-blocking connect if interrupted by a signal. That means the timeout could in theory be much longer than intended if it's interrupted by a signal repeatedly, but hopefully that situation will be rare enough to not pose any problems. There are also a few fixes to the networking test suite.

The standard Perl tests now check for POD in more places, don't check the Perl syntax of SYNOPSIS for scripts, work with packages without Build.PL or a t directory, and also check style for files under a usr directory.

The PCRE Autoconf probe now copes with Mac OS X, which has the library but no headers.

Finally, this release incorporates a combination test suite and utility script that checks that the versions of embedded Perl modules stay in sync with the overall package version.

You can get the latest release from the rra-c-util distribution page.

2013-08-14: remctl 3.6

remctl is the network protocol that we use for nearly all of our middleware at Stanford. It's a flexible combination of GSS-API network authentication, ACLs, and mappings of commands to arbitrary local programs.

The primary goal of this release is to fix a problem that I ran into with WebAuth: if a user of the remctl client library catches a signal during a connect with a timeout, the non-blocking connect support in the client library returned an error. Now, it returns to waiting for the connect if the select failed with EINTR.

Also in this release, the Net::Remctl::Backend help formatting does something more reasonable with commands that have a very long syntax. Rather than push all of the command summaries into a tiny right-hand column, syntax lines that are too long will not affect the start column of the summary, just force the summary down one line.

This release also fixes multiple compilation errors on Mac OS X and older Red Hat from a missing include, missing portability probes, and a workaround for Mac OS X's broken PCRE library installation. (The library exists, but without any header files.)

You can get the latest release from the remctl distribution page.

2013-08-16: WebAuth 4.5.4

WebAuth is the site-wide centralized web authentication system that we use at Stanford. This release is a bug-fix release for the central login server, mostly focused on multifactor authentication but also featuring a wide variety of random bug fixes. Going into this release, I filtered the Apache error logs on all of our production servers for a period of a month and then set out to fix every log anomaly or odd behavior pattern that I detected.

The most significant bug fix is to support for requiring non-password session factors. The code handled this entirely incorrectly, resulting in the user being stuck at the password authentication prompt and never able to proceed. It also cleans up several corner cases involving REMOTE_USER authentication to sites that require a Kerberos authenticator (such as for delegated credentials).

This release downgrades a mismatch of login credentials and a webkdc-proxy token (single sign-on credentials) to a log warning rather than a fatal error and just discards the non-matching single sign-on credentials. This case ideally shouldn't happen, but sometimes users share devices, and if they hit a site with forced login or session factors, it's easy for this case to arise.

WebLogin now retries the WebKDC POST once and ignores SIGPIPE errors to work around problems with signals from the FastCGI process manager. It also rewrites non-ASCII characters in XML from the WebKDC to work around XML validation errors created by non-ASCII characters in Kerberos error messages, pending a better fix on the WebKDC side. Password changes no longer go through the replay detection logic, which should not apply to them. Several error messages in WebLogin are now clearer.

The WebKDC now requires that the return URL in a WebAuth request be an absolute URL and not contain any non-ASCII characters.

A bug in the way that errors during the authentication process were reported has been fixed and should produce better error output for the user.

There are also a few other, more minor bug fixes, particularly to logging and error reporting.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

2013-08-29: WebAuth 4.5.5

Testing uncovered additional bugs in the WebLogin and mod_webkdc components of WebAuth (our site-wide web authentication system), so this is another bug-fix release. It only affects the central login server; the application module hasn't changed and doesn't need to be updated.

The biggest changes are around multifactor authentication, and particularly around error reporting and handling. The handling of errors such as invalid codes or rejections by the validation service was somewhat broken in 4.5.3 and earlier and even more broken in 4.5.4 (although in different ways). This release now avoids sending the user to dead-end error pages in more circumstances, displays better and more specific errors, and remembers if the user has already been sent an SMS message and doesn't force them to send another if they enter the code incorrectly. (This last change will require changes to the local multifactor template.)

This release also fixes replay detection, which had been broken by a partially-made change in the memcached key format, and applies rate limiting and replay detection to second factor logins as well as passwords. As a side effect, this corrects a UI issue where people can send themselves additional SMS messages by accident when using the back button on the browser.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

Last modified and spun 2017-02-20