Posts for March 2014

2014-03-18: rra-c-util 5.3

The lack of journal updates recently is due to a lot of work chaos combined with getting obsessed with various leisure activities (to blunt the work stress) that don't result in public writing. Normalcy seems to be slowly returning, but it will be a while yet.

This release of my collection of utility libraries and scripts only has updates to some of the Perl test infrastructure.

Testing Perl scripts for strictness, warnings, and syntax errors now supports listing a set of modules required for meaningful script testing. This converts failures to skipped tests if the reason for the syntax check failure is that a required module is not installed.

This release also works around two problems with Perl::Tidy 20130922 related to its new log (mis)feature. Perl::Tidy now attempts to create a log file in the current directory whenever it runs unless this is explicitly turned off, and the Perl::Critic policy doesn't know to do that. (Debian bug #742004) I now unlink that file if it exists, after the test completes, and skip the Perl critic testing if the source directory is read-only (since failure to create the log file is treated by Perl::Tidy as a fatal error).

You can get the latest version from the rra-c-util distribution page.

2014-03-18: WebAuth 4.6.0

I was going to put out some of these changes in a 4.5.6 release late last year, but that didn't happen, and then more things kept coming up. So this release is rather large.

The major new feature is a new WebAuthCookiePath directive for mod_webauth, which allows path-scoped WebAuth cookies so that different portions of a site can maintain separate authentication credentials. There are various caveats, and support will get better later, but it's a beginning.

There are two bug fixes from Benjamin Coddington: WebAuthOptional should now work with Apache 2.4, and internal notes management in the module is now done better, which should prevent some cases where the user was redirected to WebLogin twice. Eventually, the things WebAuth uses notes for should become request context data, but that's for a later change.

There are multiple changes to keyring handling to let mod_webauth and mod_webkdc work properly with the ITK Apache MPM, which allows each virtual host to run as a different user. Previously, all virtual hosts shared one in-memory keyring, which meant leaking authentication keys between virtual hosts. Now, each virtual host gets its own, lazily loaded from the keyring on disk when it's first needed. This allows ITK users to configure separate keyrings for each virtual host. To make this easier, keyring files are now locked for write, and writing a keyring preserves the ownership and permissions if possible.

WebLogin now supports a new remctl-based password change protocol, which I developed for Stanford to work around some problems with the kpasswd when password change takes too long. All the tools for this will eventually be available outside of Stanford when I have a chance to polish them up and release them.

There are a few other, more minor bug fixes. mod_webauth and WebLogin are now more aggressive about telling web browsers to really not cache pages. WebLogin also now uses the authenticated identity returned by the WebKDC for multifactor, since it may have canonicalized the user's identity. The correct template variable is now set when the user doesn't enter a code on the WebLogin multifactor page. Better error messages are returned for invalid principals and unknown realms. The workaround for invalid XML returned by the WebKDC should now actually work. And WebLogin logs a more detailed error message on password change failures.

You can get the latest release from the official WebAuth distribution site or from my WebAuth distribution pages.

2014-03-23: Term::ANSIColor 4.03

This is a fairly small Perl module that provides a more convenient interface to the ANSI color escape sequences.

The primary change in this release is interesting for me but not so much for anyone else. It's the first of my core Perl modules that I've converted to Module::Build and to the new Perl test infrastructure that's now maintained in rra-c-util. (Yes, I know that Module::Build is apparently going to be dropped from Perl core, but the package also generates a Makefile.PL for backward compatibility.)

Starting with this release, all my subsequent package releases will start using the Lancaster Consensus environment variables to control whether to run non-default tests (namely AUTOMATED_TESTING, RELEASE_TESTING, and AUTHOR_TESTING). Hopefully this won't cause me too many problems. I'm currently setting AUTHOR_TESTING unconditionally, since I really want to see the results of those tests for all my code, but it's possible that will cause me too many problems with other people's code. (It would have been nice if the spec for AUTHOR_TESTING would let you set the value of the variable to the identity of the author whose tests you want run.)

I like having all my release tests run by automated testing so that I can identify any problems with the code to conditionally skip them, so I enable all the release tests when AUTOMATED_TESTING is set. This is probably peculiar to me.

The other changes in this release are all documentation and test suite fixes. There are no code changes in this release. Thanks to Olivier Mengué and David Steinbrunner for various bug reports.

You can get the latest release from the Term::ANSIColor distribution page.

2014-03-25: rra-c-util 5.4

Further improvements to the shared infrastructure I use for my various packages.

This release adds new Autoconf macros for detecting SQLite. These use the same strategy that I used for libevent, and which I'm slowly adopting for all libraries that support pkg-config. pkg-config is tried first if available, and unless the Autoconf flags to point to particular install paths for the library are given. Autoconf then falls back on manual probing.

Also in this release are all the changes to the Perl support modules for test programs and the various generic Perl tests to implement the change that I started in the last Term::ANSIColor release: using the Lancaster Consensus environment variables to control whether tests run when they don't directly test package functionality, and skipping a lot more tests for the average end user who doesn't really care if, say, the POD syntax is correct or all the supporting Perl scripts past strictness checks.

You can get the latest release from the rra-c-util distribution page.

2014-03-26: krb5-strength 3.0

krb5-strength is the password strength checking code that we use at Stanford for our primary Kerberos realm.

We've had quite a lot of difficulty deciding exactly what password strength checking we want to do and how we want to handle password history. The good part is that this is to the advantage of everyone else, since now more flexible password strength checking code is available.

The major change in this release is the addition of a password history implementation for Heimdal. Implemented as an external password quality check program, it can stack with other password quality check programs, such as the one included in this distribution. Previous passwords are hashed with PBKDF2 with SHA-2. Note that this has somewhat extensive Perl module dependencies, since it was originally written as a separate project.

Also in this release is yet another password dictionary type: SQLite. This is probably a bit slower than straight lookups in CDB, and it's definitely less space-efficient since it stores each word both forward and reversed, but it can reject any password that is within edit distance one of a dictionary word. (Edit distance one means that the word can be formed from the password by adding, removing, or changing a single character.)

The cdbmake-wordlist utility has been renamed to krb5-strength-wordlist and can now generate the SQLite dictionary as well as the CDB dictionary.

Finally, another configuration option has been added: minimum_different. If set, passwords must contain at least this many different characters. This can be used to reject passwords that are long strings of the same character or short repeating patterns, which are otherwise difficult to detect with a straight dictionary-driven approach.

You can get the latest release from the krb5-strength distribution page.

Last modified and spun 2017-03-25