NEWS

                       User-Visible WebAuth Changes

WebAuth 4.7.0 (2014-12-10)

    Recognize KRB5_BAD_ENCTYPE, KRB5_GET_IN_TKT_LOOP, KRB5_PREAUTH_FAILED,
    and KRB5KRB_AP_ERR_MODIFIED as additional synonyms for a failed login
    error code.  Various combinations of recent MIT and Heimdal with
    different KDCs return these error codes if the password is incorrect.

    Added new fields to the userinfo service parsing and the WebLogin
    handling.  These allow for a more complicated multifactor
    configuration to be passed along from the user information service,
    with multiple possible multifactor devices and one default.

    Give a validation remctl command its own timeout error, so that a
    failure to respond to validation is handled differently than any
    other timeout failure.  This is done so that we can handle
    out-of-band multifactor methods, such as a phone call.  Previously
    that would show up in WebLogin as a generic
    WK_ERR_UNRECOVERABLE_ERROR.

    Ability to use JSON rather than XML for the user information service's
    return values.  This is activated with the WebKdcUserInfoJSON
    configuration directive.

    Refactored the userinfo code to separate remctl support, XML parsing,
    and JSON parsing into separate source files for readability.

WebAuth 4.6.1 (2014-07-23)

    Support for AuthType StanfordAuth (for backward compatibility with
    WebAuth 2.5) was broken in WebAuth 4.6.0, causing mod_webauth to
    reject all accesses to resources protected with that AuthType.  This
    has been fixed in this release.

    Add a new configuration directive, WebKdcFastArmorCache, for
    mod_webkdc.  If set, this specifies the path to a Kerberos ticket
    cache that can (and must) be used for FAST (Flexible Authentication
    Secure Tunneling) protection of Kerberos password authentications.
    The Kerberos KDC must also support FAST in order to safely enable this
    option.  Based on a patch by Jakob Uhd Jepsen (One.com A/S).

    Fix parsing of the WebKdcKerberosFactors configuration directive.

    Add a new webauth_krb5_set_fast_armor_path interface to libwebauth
    that allows configuring a path to a FAST armor ticket cache before
    authenticating with a password.

    Show the expiring password warning in WebLogin if the browser request
    was a POST.  Previously, it was skipped if the user had a REMOTE_USER
    preference or if the browser presented a single sign-on cookie.  This
    was too conservative, not warning in cases when REMOTE_USER failed,
    when the browser presented an expired single sign-on cookie (systems
    that are suspended rather than shut down, for example), and when the
    user has to do multifactor authentication.  Checking for a POST is a
    closer match for when we can force a confirmation screen without too
    much user disruption.

    When translating Kerberos errors, treat KRB5_KDC_UNREACH (cannot
    contact any KDC for realm) as a user rejected error instead of a
    Kerberos error.  This avoids returning an internal error from WebLogin
    and instead tells the user the username is invalid.  This is not
    always correct, since the unreachable KDC could be the local KDC, but
    it's better than the previous behavior of throwing internal errors
    when users enter email addresses as their username.

    Translate an EINVAL error from the Kerberos libraries during password
    authentication to an incorrect password error code.  Older versions of
    MIT Kerberos returned EINVAL for excessively long passwords.

    In WebLogin, verify that the username form field was sent before
    attempting to do multifactor operations and return an error if it
    isn't, avoiding undefined variable warnings and other errors deeper in
    the WebLogin code.

    Allow newlines, carriage returns, and tabs in the XML sent from the
    WebKDC to the WebLogin server rather than replacing them with periods.
    This fixes the display of <user-message> elements that contain
    newlines.

    If a user may switch to a different authorization identity, force
    display of the confirmation page in WebLogin even if this is normally
    disabled.  Otherwise, there is no opportunity for the user to change
    identities.

    Diagnose empty RT or ST parameters to WebLogin and return the same
    error as when those parameters are missing entirely.

    Fix compilation when remctl support is not enabled.

    Add new factors mp (mobile push) and v (voice), which count as
    separate classes for determining multifactor.  This means the
    combination of those factors with any other factor class will result
    in a synthensized multifactor factor.

    Warn in the mod_webauth documentation that, when using credential
    delegation to a load-balanced pool, all members of that pool must have
    the same Kerberos identity.

    Update to rra-c-util 5.5:

    * Use Lancaster Consensus environment variables to control tests.
    * Use calloc or reallocarray for protection against integer overflows.
    * Suppress warnings from Kerberos headers in non-system paths.
    * Update warning flags when building with make warnings.
    * Only pass warning suppression flags to Perl under make warnings.

    Update to C TAP Harness 3.1:

    * Check for integer overflow on memory allocations.
    * Avoid all remaining uses of sprintf.

WebAuth 4.6.0 (2014-03-18)

    WARNING: When upgrading to this release, you will need to change the
    ownership of the mod_webauth keyring file (named in the WebAuthKeyring
    Apache directive) to the user and group the Apache child processes run
    as.  (This is controlled by the User and Group Apache directives and
    is often something like www-data.)  Previous versions would create
    this file readable only by root, but, as of this release, it must be
    readable and writable by the Apache child processes.

    mod_webauth supports a new configuration directive, WebAuthCookiePath,
    which scopes all cookies set by mod_webauth to the given path.  This
    allows separate sections of the same virtual host to be treated as
    independent for authentication purposes.  This can be useful when
    controlling factor restrictions via the user information service.
    When using this directive with a logout link, be sure that the logout
    configuration (WebAuthDoLogout) is subject to the same
    WebAuthCookiePath directive or it will not work properly.  Be aware
    that the current version of mod_webauth does not correctly handle
    receiving multiple cookies with the same name from the browser.  When
    using this directive, ensure that all WebAuth-protected portions of
    the site use this directive and none of the scopes are overlapping.

    WebAuthOptional should now work properly with Apache 2.4.  Thanks to
    Benjamin Coddington for the patches.

    Don't delete notes in mod_webauth after using them for authentication
    in case the authentication is happening in a subrequest and the parent
    request has not yet completed.  Deleting the note could cause two
    redirects to WebLogin due to an ordering issue when processing notes
    and subrequests.  Patch from Benjamin Coddington.

    mod_webauth and mod_webkdc now maintain separate in-memory keyrings
    per virtual host, and the WebAuthKeyring, WebKdcKeyring, and related
    directives are now correctly honored in the virtual host configuration
    and can be meaningfully set to different values.  This allows the
    modules to work properly with the ITK MPM with separate keyrings owned
    by different users for each virtual host so that proper privilege
    separation between virtual hosts is maintained.  When using the
    modules in this configuration, configure each virtual host with
    WebAuthKeyring or WebKdcKeyring directives pointing to separate
    keyring files writable by the user that virtual host will use.  Thanks
    to Vegard Edvardsen for the patch.

    Be even more thorough in telling browsers not to cache responses from
    WebLogin, redirects and logout pages from mod_webauth, and any page
    marked with WebAuthDontCache.  Add private and max-age=0 to the
    existing Cache-Control headers, add Vary: *, and (for WebLogin pages)
    set an expiration time in the past.

    webauth_keyring_write and webauth_keyring_auto_update now lock the
    keyring, using a separate lock file named by appending ".lock" to the
    name of the keyring.  This applies to the keyrings used by
    mod_webauth, mod_webkdc, and the wa_keyring utility and ensures that
    only one process attempts to update a keyring at the same time.  These
    functions continue to use atomic replacement on all writes, and no
    locks are used for reading the keyring.

    WebAuth keyring updates via either mod_webauth's and mod_webkdc's
    auto-update support or via wa_keyring now preserve the keyring
    ownership and permissions where possible, with the exception that the
    permissions are not preserved if the old permissions included group
    access and the group ownership could not be preserved.

    Use the authenticated identity returned by the WebKDC as the username
    for multifactor authentication in WebLogin rather than preserving what
    the user originally typed.  The WebKDC may have done Kerberos
    canonicalization and aname to localname mapping.

    The WebAuth Kerberos API now supports Kerberos password change via the
    remctl protocol, which is more robust than the kpasswd protocol when
    password changes can take some time.  This can be configured via the
    new webauth_krb5_change_config function.  The remote remctl server
    must provide a command and subcommand that takes a single argument,
    the new password, and changes the password for the authenticated
    principal that sent the command.

    The WebAuth::Krb5 change_password function now takes an optional args
    parameter that can be used to set the same configuration that can be
    set with webauth_krb5_change_config.

    WebLogin now supports using the remctl-based password change protocol
    instead of kpasswd.  This is controlled by setting
    $PASSWORD_CHANGE_HOST and several other variables in the WebLogin
    configuration.  See docs/weblogin-config for more information.

    Set the correct template variable when the code field is left blank on
    the WebLogin multifactor form.

    Map unknown realm and invalid principal errors during Kerberos
    authentication in mod_webkdc to WA_PEC_USER_REJECTED instead of a
    generic Kerberos error.  This will display a more accurate error
    message to the user of WebLogin instead of a generic internal error
    message.

    Correct a bug in the workaround for parsing of invalid XML from the
    WebKDC in WebLogin that caused it to not be effective.

    Log a more detailed error message on WebAuth exceptions during
    WebLogin password change.

    Fix configure probes for OpenSSL on platforms without transitive
    shared library dependencies.

    Update to rra-c-util 5.3:

    * Avoid leaking dummy symbols into shared libraries.
    * Probe for libdl for OpenSSL libraries (required on AIX).
    * Distinguish failure to format output in asprintf wrappers.
    * Check return status of snprintf properly.
    * Better remctld process management in the test suite.
    * Better memory management in Kerberos tests.
    * Fix syntax error when buiding portable/krb5.h with a C++ compiler.
    * Skip Perl critic tests with read-only source directory.

    Update to C TAP Harness 3.0:

    * Add new diag_file_add and _remove API to the C TAP library.
    * Add new test_cleanup_register API to the C TAP library.
    * Suppress lazy plans and test summaries if the test failed with bail.
    * Add warn_unused_result gcc attributes to relevant functions.
    * Reopen standard input for tests to /dev/null.
    * Clean up inherited file descriptors from the test harness.

WebAuth 4.5.5 (2013-08-28)

    Fix replay detection in WebLogin to use the same memcached object
    naming convention when registering authentications and when checking
    for a previous authentication.

    If the login is rejected by the user information service, WebLogin now
    displays a more specific error instead of the generic "something went
    wrong" error page.

    If a multifactor authentication is rejected by the validation service,
    the user is now returned to the multifactor authentication screen and
    the error message is provided to the template, rather than taking the
    user to a dead-end error page with a generic error.

    If enabled, rate limiting and replay detection are also applied to the
    multifactor login page in addition to the password login page.

    Support remembering that the user has been sent an SMS message already
    when redisplaying the multifactor login page after an error.  For this
    to work properly, local templates will have to be updated to set the
    form parameter multifactor_sentauth if an SMS message has already been
    sent.  See the sample multifactor.tmpl file for an example.

WebAuth 4.5.4 (2013-08-16)

    If the user presents a login token for one user and a webkdc-proxy
    token for a different user, or, more generally, mismatched
    webkdc-proxy tokens, ignore and log the mismatched webkdc-proxy token
    rather than rejecting the authentication with a fatal error.  While
    this case ideally should not happen, in practice it's not uncommon for
    users sharing devices to attempt authentication (due to session factor
    requirements or forced login) while still possessing webkdc-proxy
    tokens for another user, and rejecting the authentication instead of
    replacing the older webkdc-proxy token does nothing to improve the
    situation.

    Fix handling of non-password session factors.  Requiring any session
    factor other than password, for users using password authentication,
    resulted in the user being repeatedly presented with the password
    login page because mod_webkdc did not notice the password session
    factor and continue to asking for a multifactor authentication.  The
    logic is still not entirely correct for users who use non-password
    initial authentication factors; that will be fixed in a subsequent
    release.

    Improve handling of required initial factors when users have a way to
    establish initial credentials that don't include password.  mod_webkdc
    now returns a forced login error instead of multifactor required if
    the user's initial factors don't satisfy the request and don't contain
    a password factor.

    If a password authentication is required in order to obtain a Kerberos
    authenticator, return that error in preference to a multifactor
    required error.  This ensures that the password authentication page
    happens first, preserving expected user page flow, and fixes various
    errors and loops caused by detecting this problem after the successful
    second factor authentication.

    If the WebLogin post to the WebKDC fails, retry once.  It's common for
    the POST to be interrupted by a signal from the FastCGI process
    manager trying to shut down the login.fcgi process, in which case
    retrying will succeed and allow completion of the request before
    shutting down.

    Produce more succinct and hopefully still useful error messages when
    WebLogin cannot POST to the WebKDC.

    Ignore SIGPIPE signals in the WebLogin scripts, fixing unexpected
    failures and subsequent FastCGI problems when run under mod_fastcgi.

    mod_webkdc now requires that the return URL in a request token be
    absolute URL and not contain any non-ASCII characters.  The latter
    check avoids error messages and later problems with WebLogin template
    processing.

    Fix the WebLogin replay detection logic to not attempt to trigger
    during password changes, which do not have request tokens.

    Work around problems with WebLogin parsing of the XML returned from
    the WebKDC when a user attempts an authentication using a non-ASCII
    principal name.  This results in invalid XML that XML::Parser cannot
    parse.  The proper fix is to catch this on the WebKDC side, but, as an
    interim measure, replace non-ASCII characters in the WebKDC reply with
    periods so that reply processing can continue.

    Improve error reporting of unparsable XML received by the WebLogin
    server from the WebKDC.

    Fix logging of mod_webkdc <requestTokenRequest> failures.

    Fix the webauth/webkdc.h header prototype for webauth_user_validate to
    correctly allow the user state parameter to be NULL.

    Log (at the info level) whenever mod_webkdc ignores expired
    webkdc-factor or webkdc-proxy tokens passed to <requestTokenRequest>.

    Display more correct errors after less common failures during the
    second step of a multifactor login.

    Correctly diagnose a missing service token in a WebLogin request and
    return the correct error page rather than an internal error.

    All Perl modules now have a version that matches the release of
    WebAuth from which they came, with zeroes added so that the version
    numbers will sort properly.  For example, the version number of each
    Perl module included in WebAuth 4.5.4 is 4.0504.

    Update to rra-c-util 4.9:

    * Improve robustness of the Perl test scripts.

    Update to C TAP Harness 2.2:

    * bail and sysbail now exit with status 255 to match Test::More.

WebAuth 4.5.3 (2013-05-15)

    SECURITY: Reset all header contents between WebLogin requests, fixing
    problems introduced in WebAuth 4.4.1 when WebLogin began using a
    persistent CGI::Application object with FastCGI.  WebLogin
    installations that used FastCGI and the $REMUSER_REDIRECT setting in
    webkdc.conf could fail with infinite redirect loops or leak security
    information, such as single sign-on cookies, from one authenticated
    user to another.  (CVE-2013-2106)

WebAuth 4.5.2 (2013-05-14)

    WebLogin now supports preserving the remember_login setting on the
    login page after a failed authentication, instead of resetting the
    checkbox to the default.  Taking advantage of this support requires
    local template changes.  See the sample login.tmpl file for an example
    of how to write the template.

    Fix clearing of account authentication attempts (for lockout)
    following a successful authentication.

    Fix setting cookies on the WebLogin error page so that single sign-on
    cookies are still correctly created.

    WebLogin no longer erroneously clears single sign-on and persistent
    factor cookies when redirecting the user to test for session cookie
    support.

WebAuth 4.5.1 (2013-05-01)

    Fix bugs in the remember_login feature introduced in WebAuth 4.5.0
    that would cause WebLogin to discard all single sign-on cookies in the
    default configuration and many other common situations.  WebLogin
    should now reliably respect the value sent by the form, and should
    retain single sign-on and persistent factor cookies in situations
    where there is no opportunity for local templates to send a default
    setting.

    Sites that wish to add the new UI element to the login page that
    allows the user to control whether single sign-on cookies are created
    will need to preserve the remember_login setting as a hidden form
    variable in any local confirm, multifactor, and pwchange templates.
    See the sample templates for examples.

    The remember_login setting is now preserved through a forced password
    change due to an expired password.  This, as with all the
    remember_login changes, requires updates to any local templates.

    WebLogin now passes any user information message returned by the user
    information service to the confirm template as well as the multifactor
    authentication template.  This allows the <userinfo> element in the
    user information service reply to be used to pass arbitrary
    information to the end user through the WebKDC and WebLogin
    components.

    Avoid re-creating WebAuth cookies other than single sign-on cookies
    during WebLogin cookie processing, which fixes some corner-case bugs
    when the WebLogin server and WAS are on the same host.

    Fix a few minor bugs in the installable mod_webauth test suite.

WebAuth 4.5.0 (2013-04-26)

    The change in interpretation of WebAuthForceLogin introduced in 4.4.0
    has been reverted, and WebAuthForceLogin once again requires that the
    user perform an authentication that results in a login token (either
    password or OTP).  This seems more generally useful than making this
    directive largely redundant with WebAuthRequireSessionFactor.  Add a
    caution in the documentation explaining that this will not work well
    with authorization identities in most environments.

    WebLogin now supports login form templates that allow the user (or the
    template) to indicate whether single sign-on cookies (and any
    persistent factor cookies) should be retained after authentication.
    The fallback, if the HTML form doesn't send a value, is controlled by
    the new $REMEMBER_FALLBACK configuration option.  The default is to
    not do single sign-on, but the default login template sets the form
    parameter to enable single sign-on.  This will require template
    updates when upgrading.  If configured not to set single sign-on
    cookies, WebLogin will only retain single sign-on cookies and
    persistent factor cookies long enough to complete the login process
    and will then discard them, reducing the risk of theft of
    authentication tokens when someone walks away from an untrusted
    computer.

    Fix password change handling in WebLogin, which has been broken since
    4.4.0 due to code changes for handling account lockout.  Also fix
    reporting of the reason for a rejected password change, which has been
    broken since WebAuth 4.3.0.

    Apache 2.4 error logging has been fixed for all modules to properly
    indicate the module name originating the message.

    mod_webauth and mod_webkdc will now produce significantly better
    Apache error log messages with more context and details about the
    failure.

    Initial multifactor no longer satisfies a random session multifactor
    requirement, correcting a long-standing bug in random multifactor
    handling.

    mod_webauthldap supports a new WebAuthLdapOperationalAttribute
    directive that is the same as WebAuthLdapAttribute but searches the
    directory for operational attributes and adds them to the environment.
    Patch from William Orr.

    WebLogin no longer supports obtaining the password expiration from a
    kadmin-remctl backend with a direct remctl call.  Instead, it uses the
    password expiration time returned by the WebKDC, which in turn gets it
    from the user information service.

    A new WebAuth confirmation page template variable is available,
    expire_timestamp, which includes the timestamp (in seconds since UNIX
    epoch) when the password will expire.  This should be used instead of
    the old (and now deprecated) expire_date variable since it allows the
    time information to be localized.  See the example confirm.tmpl file
    to see how to format this using Perl's Time::Duration module.

    The WebKDC and WebLogin now support persistent cookies that add
    additional authentication factors to a successful authentication.
    This can be used to require multifactor authentication only from
    browsers that have not previously completed a multifactor
    authentication (similar to "remember this device" in various web
    services).  The additional factors are stored in a new webkdc-factor
    token type and a new webauth_wft cookie.  A persistent factor cookie
    is created when the user information service validation call for an
    OTP authentication returns a list of persistent factors.  The
    validation service can indicate the lifetime of the cookie.  The
    cookies will be re-encrypted in the current WebKDC private key on each
    interaction with WebLogin to prevent them from becoming invalid due to
    key rotation (although this does mean that they will become invalid
    over long periods of inactivity).

    The user information service can invalidate all persistent factor
    tokens created before a particular timestamp by including an
    <valid-threshold> element in the userinfo reply.

    WebLogin supports optionally warning the user when persistent factor
    tokens are about to expire.  See the generic confirmation page
    template for an example of how to do this.  The warning threshold can
    be configured in /etc/webkdc/webkdc.conf.

    When the WebKDC calls the user information service, it now provides,
    as an additional parameter, the current initial authentication factors
    for the user.  This can be used by the user information service to
    decide whether or not to require a multifactor authentication.  This
    is most useful in combination with persistent factors; for example,
    the user information service can require multifactor authentication if
    the user didn't present a persistent factor token for the "d" (device)
    factor, indicating that device had previously authenticated with
    multifactor.

    In addition to requiring a multifactor authentication, the user
    information service can now add a specific list of factors that will
    be required for this authentication.  The user will be required to
    provide the union of this list and the list of factors requested by
    the WebAuth Application Server.  Contributed by Benjamin Coddington.

    The user information service can return a message to WebLogin for
    display in the multifactor authentication page.  One possible use is
    for the user information service to tell the user why a multifactor
    authentication is required.  Contributed by Benjamin Coddington.

    The user information service (with both the userinfo and validate
    calls) can return an opaque login state string, which is passed to
    WebLogin and from there to the multifactor login template.  The
    template can set the login state as a form variable and pass it back
    to the user information service validate function.  This allows for
    multistep multifactor authentication using serialized data, allowing
    implementation of (for example) resynchronization of a hardware token.
    Contributed by Benjamin Coddington.

    The user information service can now add factors to the user's
    authentication if the user successfully completed an interactive
    authentication (defined as one that involved WebLogin sending a login
    token, which in practice means an OTP or password authentication).
    The new "h" (human verification) factor has been added to the factor
    list for this purpose and counts as an additional factor for the
    purposes of satisfying multifactor.  The intended use of this feature
    is to allow a local support desk to verify someone's identity out of
    band and then bless their authentications for a certain length of time
    as satisfying multifactor even if they've forgotten their second
    factor.

    WebLogin and the multifactor authentication template now receive a
    list of which factors the user must provide but has not already
    provided, rather than a complete list of required factors.  This is
    used to provide a better value for the factor_type template parameter
    for the multifactor login template.  Contributed by Benjamin
    Coddington.

    WebLogin can now tell the WebKDC what type of OTP was used for a
    multifactor authentication, if it knows, and the WebKDC will pass that
    information to the user information service validate call.
    Contributed by Benjamin Coddington.

    The user information service can now indicate the expiration time of a
    webkdc-proxy token created via an OTP authentication by including an
    <expiration> element in its reply.

    Errors contacting the user information service are now logged to the
    Apache error log by mod_webkdc even if it is configured to ignore
    those errors and continue as if no user information service is
    availabe.

    webauth_factors is now a private data structure with a much richer C
    API for manipulating sets of factors.  Several other internal APIs,
    particularly the ones related to the WebKDC login process or the user
    information service, take opaque webauth_factors structs instead of
    APR lists of factors.

    mod_webkdc no longer supports obtaining proxy tokens with
    <getTokenRequest>.  This was never used by WebAuth code and is
    conceptually useless.

    The WebKDC login API now expects encrypted token strings rather than
    decrypted token structs as input and returns the error code, whether a
    protocol error or an internal error, rather than using a separate
    field in the response struct.

    Diagnose undef arguments to various Perl WebAuth module functions
    implemented in XS and throw exceptions rather than segfaulting from a
    NULL pointer dereference.

    Fix compilation error with Heimdal Kerberos libraries, introduced in
    WebAuth 4.4.0.

    Update to C TAP Harness 2.1:

    * runtests now treats the command line as a list of tests by default.
    * The full test executable path can now be passed to runtests -o.
    * Improved harness output for tests with lazy plans.
    * Improved harness output to a terminal for some abort cases.
    * Flush harness output after each test even when not on a terminal.

WebAuth 4.4.3 (2013-03-12)

    Fix a coding error in the WebAuthTrustAuthzIdentity directive parsing
    that also enabled WebAuthDoLogout for the same scope.

    If the user asserts an authorization identity equal to their
    authentication identity, discard the authorization identity in the
    WebKDC login process and continue as if they did not choose an
    authorization identity.  This fixes a previously fatal error when the
    user selects their default identity in WebLogin (if, for example, they
    are trying to undo a previous choice of authorization identity).
    Thanks to Benjamin Coddington for the report.

    Remove an arbitrary limit in mod_webauthldap on the number of values
    from a multivalued LDAP attribute that are put in the environment.
    Previous versions would only add the first 127 values, but there are
    some cases where one may want to see more values than that.  This
    opens the possibility of overflowing the allowed size of the
    environment, but the maximum environment size is quite large on most
    modern operating systems.

    Fix syntax error in the replay condition in the default WebLogin error
    template.

    Ignore empty app cookies rather than logging an error saying they
    cannot be parsed.  These are created internally by mod_webauth to
    remove expired cookies and may be seen by subqueries.

    Log a more informative message in mod_webauth when the user's app
    cookie has expired instead of a generic parse error and downgrade it
    to the info level from error.

    Stop logging the raw binary app token in mod_webauth when it cannot be
    decoded.  This was old debugging code left over from fixing a problem
    in a much earlier version of WebAuth.

WebAuth 4.4.2 (2013-02-05)

    Fix an occasional WebKDC crash (introduced in 4.4.0) when attempting
    to determine if an authentication is interactive.

    Fix out-of-tree builds with --enable-webkdc.  Some of the logic to
    ensure the Perl modules could build when the build directory was not
    the source directory had not been tested for a while.

WebAuth 4.4.1 (2013-01-31)

    Add a new authenticate callback to the WebLogin configuration.  If
    this function is present in webkdc.conf, it will be called for every
    user visit to WebLogin and may return the user's authentication
    information or an empty list to defer to normal handling.  This can be
    used to extract authentication information from the full WebLogin
    environment; for example, it could map information about a successful
    client-side certificate authentication to an authentication identity.

    When run under FastCGI, the WebLogin scripts now use a persistent
    CGI::Application object instead of recreating it for each query.  This
    avoids reinitializing the Template Toolkit and reopening memcached
    connections for each query.

    WebLogin and the WebAuth Perl bindings are now built with
    Module::Build instead of ExtUtils::MakeMaker.  This should be
    transparent to anyone not working with the source code, but
    Module::Build and ExtUtils::CBuilder are now required to build the
    WebLogin code.  They are included in Perl 5.10 or later and can be
    installed separately for older versions of Perl.

WebAuth 4.4.0 (2012-12-19)

    The WebKDC and WebLogin server now support allowing a user to assert
    an authorization identity other than their own identity.  This can be
    used to allow a user to access a test account on a particular WebAuth
    Application Server, pretend to be another user for testing or
    administrative reasons, or otherwise use an identity other than their
    own.  This support is disabled by default; to enable it, set the
    WebKdcIdentityAcl Apache directive to the path to an ACL file
    describing acceptable combinations of authentication and authorization
    identities for each site.  See the WebKdcIdentityAcl documentation in
    the mod_webkdc manual for more information.  Updates to the confirm
    and possibly the login templates in WebLogin will also be required.
    See the sample templates for the new parameters and fields.

    mod_webauth by default ignores the new authorization identities (and
    old versions will always ignore them) except for recording the
    authorization identity in the new environment variable
    WEBAUTH_AUTHZ_USER.  There is a new mod_webauth Apache directive,
    WebAuthTrustAuthzIdentity, which can be enabled to set REMOTE_USER to
    the authorization identity instead of the authentication identity and
    to use the authorization identity for access control (such as
    mod_webauthldap privilege group lookups).  WEBAUTH_USER will always be
    set to the authentication identity.  This directive is allowed in
    .htaccess files (if authentication overrides are allowed) as well as
    anywhere in the main Apache configuration.  Authorization identities
    will still be ignored if WebAuthSubjectAuthType is set to krb5.

    Add new mod_webkdc Apache directive WebKdcLoginTimeLimit, which
    controls the time limit for completing a multi-step login process
    (such as with multifactor authentication) and how recently
    authentication must have occurred to count for session factors and
    forced login.  The default value is five minutes, matching the
    previous default behavior for multifactor logins.

    WebAuthForceLogin no longer forces re-entry of the user's password if
    the user has done an interactive authentication within the
    WebKdcLoginTimeLimit interval (five minutes by default).  Initial
    authentication factors also count as session factors for single
    sign-on authentications within that time interval.  This allows
    WebAuthForceLogin to work in combination with other features such as
    multi-step authentication processes and authorization identities and
    improves the user experience when simultaneously visiting multiple
    sites with forced login set.  To disable this behavior and always
    force reauthentication, WebKdcLoginTimeLimit can be set to 0s, but
    this will make multi-stage login processes, such as multifactor,
    impossible.

    Add replay detection to WebLogin.  When enabled, only one username and
    password authentication is permitted with a given request token, and
    further authentications with the same request token are rejected as
    replays.  This can protect against an attacker using the back button
    in an abandoned browser to replay the form submission on the WebLogin
    server.  This support requires a memcached server be available for
    data storage and the Perl modules Cache::Memcached and Digest::SHA.
    The latter is available as part of Perl since 5.9.3.

    Add rate limiting of login attempts in WebLogin.  If enabled, after a
    configured number of failed login attempts, all password
    authentications for a given username will be rejected (valid or not)
    until a configurable interval of time has passed.  This support also
    requires a memcached server for data storage and the Perl module
    Cache::Memcached.

    The WebLogin error template has two new parameters: err_lockout and
    err_replay, corresponding to a replayed authentication and an account
    that was locked out due to too many login failures.  Local templates
    should be updated to handle those parameters, particularly if either
    of these features are in use.

    In WebLogin, set single sign-on cookies if present even when
    displaying an error.  This establishes single sign-on when errors are
    returned after authentication, such as authentication rejected errors
    from the user information service.  Without this behavior, if the
    custom error sent the user to another page that also required
    authentication, the user would have to log in again and may given up,
    thinking that authentication was looping.

    Support two additional WebLogin configuration settings:
    @REMUSER_LOCAL_REALMS and @REMUSER_PERMITTED_REALMS.  These provide
    the equivalent of WebKdcLocalRealms and WebKdcPermittedRealms for
    Apache REMOTE_USER authentication handled by the WebLogin front-end
    (such as when using Negotiate-Auth with mod_auth_kerb).  Previously,
    there was only a @REMUSER_REALMS setting, which combined both
    meanings.  @REMUSER_REALMS continues to be supported for backward
    compatibility, but will only be used if the more-specific variable is
    not set.  Patch from Tom Jones.

    Fix encoding of Kerberos credentials containing addresses or authdata
    when built against MIT Kerberos.  WebAuth 4.3.0 and later would fail
    to encode those credentials properly.  This bug only affects people
    using credential delegation with either Active Directory or with
    Kerberos configured to add addresses to tickets, which are relatively
    rare configurations.

    Fix encoding of ticket flags with Heimdal Kerberos and tolerate the
    old, incorrect encoding.  All previous versions of WebAuth, when built
    with Heimdal, encoded the ticket flags on the wire with the flag bits
    reversed (matching the in-memory Heimdal format).  Prior to this
    version, flags would be lost when reading credentials encoded via MIT
    Kerberos with Heimdal or vice versa.  As of this release, the portable
    flag encoding used for ticket caches is used when writing credentials
    with both MIT and Heimdal, and the flag order is detected when
    decoding credentials and fixed if necessary.  If you use delegated
    credentials and link with Heimdal Kerberos, upgrade mod_webauth prior
    to upgrading the WebKDC to ensure the ticket flags are conveyed
    correctly.

    Fix mapping of WebKDC error codes to names when reporting errors in
    WebLogin, fixing mostly cosmetic Perl warnings in the WebLogin server
    logs.

    Document the WebAuthRequireSSL configuration directive.  Under normal
    circumstances, this directive should always be left on (the default)
    to avoid serious security vulnerabilities, but there are some specific
    situations where it may be necessary to turn it off.

    Add webauth_token_encrypt and webauth_token_decrypt to the public API,
    including the Perl API.  These functions provide access to the
    low-level token encryption and decryption routines.  Normally, the
    high-level webauth_token_{encode,decode} functions will be used
    instead, but these functions are useful for constructing low-level
    tests.

    The webauth_base64_* functions have been removed from libwebauth, as
    have the corresponding Perl bindings.  For C programs, use the
    apr_base64_* functions from APR-Util instead.  For Perl programs, use
    MIME::Base64.

    The webauth_attr_*, webauth_attrs_*, and webauth_hex_* functions have
    been removed from libwebauth, as have the corresponding Perl bindings.
    These functions provided a low-level interface to internal WebAuth
    data structures that is no longer necessary.

    Remove webauth.h.  The only remaining contents of interest to clients
    were the WebAuth protocol error constants, which have now moved to
    webauth/tokens.h.

    Add public webauth_keyring_encode and webauth_keyring_decode functions
    that encode and decode keyrings into the serialization format used for
    storing them in files.  These are useful for sending WebAuth keyrings
    over other protocols.  Add a corresponding keyring_decode method to
    the Perl WebAuth class and encode and decode methods to the
    WebAuth::Keyring class.

    The WA_TK_*, WA_TT_*, and WA_SA_* preprocessor constants are no longer
    provided by webauth.h.  These contained a subset of the encoding rules
    for the WebAuth wire protocol, but were not really useful to clients
    of the library.

    The WA_ERR_KEYRING_* error codes have changed to WA_ERR_FILE_* and
    will be used for any errors inside the WebAuth library when reading or
    writing to files.  Now that WebAuth can report rich error messages,
    there is no need for the codes to be this specific.  Add new
    WA_ERR_FILE_NOT_FOUND error, which replaces WA_ERR_KEYRING_OPENREAD
    when the error is due to the file not existing.

    Update to rra-c-util 4.7:

    * Fix probing for Heimdal's libroken to work with older versions.
    * Checked asprintf variants are now void functions and cannot fail.
    * Include a replacement strndup for systems that don't have it.

WebAuth 4.3.3 (2012-11-05)

    Fix a memory initialization issue in the WebKDC that could cause
    incorrect handling of random multifactor verification, including
    requiring random multifactor when the WebAuth Application Server
    didn't request it.

    Fix a memory allocation error in the WebAuth Perl module that could
    cause memory corruption in the WebLogin server.

WebAuth 4.3.2 (2012-09-27)

    Fix a pool management bug when mod_webauth requested a service token
    from the WebKDC.  A premature release of an APR memory pool could
    result in a corrupted Kerberos authenticator, resulting in an
    inability to obtain new service tokens.

WebAuth 4.3.1 (2012-08-08)

    Allow WebAuthDoLogout in .htaccess files with AllowOverride
    AuthConfig.  Previously, WebAuthDoLogout could only be set in the
    Apache server configuration.

    Fix invalid free in webauth_webkdc_login when there are permitted
    realms configured.

    Add a replacement for krb5_cc_get_full_name for Kerberos libraries
    that don't have this function.  Fixes compilation against MIT Kerberos
    1.8 and earlier.

    Fix incorrect Perl module includes in pwchange.fcgi that prevented the
    WebLogin password change component from starting properly.

    Add an overloaded cmp operator for WebAuth::Exception, primarily to
    make testing easier.

    Document that while WebAuthLdapKeytab can be set in either the main
    server configuration or in a virtual host, separate configurations for
    different virtual hosts are not supported due to the way the module is
    currently implemented.

WebAuth 4.3.0 (2012-08-06)

    mod_webauth now sets the HttpOnly flag on all WebAuth session cookies
    by default.  This can be turned off at the server or virtual host
    level with the new WebAuthHttpOnly Apache directive.  (Although be
    aware that the structure of the WebAuth cookies is an internal
    implementation detail; if this directive is needed, the web site is
    probably doing something unsupported.)

    WebLogin now sets the HttpOnly flag on the single sign-on cookie, and
    on the test cookie used to probe whether cookies are supported.

    Add a new optional <userMessage> element to the specification of the
    <requestTokenResponse> reply from the WebKDC and a new error code.
    These are used to indicate a rejected authentication and to return an
    HTML error that should be displayed to the user.

    Support a new <error> return element inside the <authdata> reply from
    the user information service during WebLogin authentication.  Presence
    of this element indicates that the user information service has
    rejected this authentication.  The content is raw HTML content (which
    should be protected by a CDATA block in the XML) to display to the
    user.  Make appropriate changes to the webauth_user_info and
    webauth_webkdc_login APIs and to mod_webkdc to return this information
    via the new <userMessage> element and the new protocol error code.

    Add a new parameter, err_html, to the error page template in WebLogin.
    When this parameter is set, the contents should be used as the entire
    error message to display to the user.  Local WebLogin error templates
    should be updated to support this parameter.

    Fix wa_keyring compilation error when older versions of the WebAuth
    headers are installed in the APR header path.

    Change all Kerberos functions in the WebAuth library API to take the
    WebAuth context and use APR memory management and new-style error
    message handling.  There is a new include file, webauth/krb5.h, for
    the Kerberos functions.  Remove webauth_krb5_error_code and
    webauth_krb5_error_message in favor of the new-style error handling.
    Call the proper Kerberos error reporting functions to get more
    information than was available via com_err.

    Replace webauth_krb5_export_ticket and webauth_krb5_export_tgt with a
    new webauth_krb5_export_cred function that is parallel to
    webauth_krb5_import_cred and can do either operation.  Similarly,
    merge webauth_krb5_init_via_cred and webauth_krb5_import_cred into
    webauth_krb5_import_cred.

    Rename webauth_krb5_rd_req to webauth_krb5_read_auth and
    webauth_krb5_mk_req to webauth_krb5_make_auth.  Rename the _with_data
    variations of both to _data.

    Remove webauth_krb5_keep_cred_cache.  This was no longer used anywhere
    in the WebAuth source.

    Revise the Perl API for Kerberos-related functions to match the
    changes to libwebauth, including changes of method names and removal
    of now-unused functions, and complete the conversion to an
    object-oriented interface.  A WebAuth::Krb5 object is now returned by
    the krb5_new method, and all other Kerberos functions are now
    implemented as methods on that object.

    Fix decoding of Kerberos credentials that include a second ticket when
    built with MIT Kerberos.

    Kerberos realm names are no longer escaped before matching them
    against the Apache configuration.  This only affects handling realm
    names with unusual characters.

WebAuth 4.2.2 (2012-07-19)

    Fix WebKDC::WebRequest error introduced in 4.2.0 that broke WebLogin
    functionality.

    Fix Kerberos context cleanup bug after storing delegated credentials
    in a file cache, introduced in 4.2.0.  This bug would cause segfaults
    in the child Apache process after completion of the request.

WebAuth 4.2.1 (2012-07-18)

    Fix error decoding keyrings from files on 64-bit systems, preventing
    all use of keyring files.  Reported by Kai Lanz.

    Fix compilation with Apache 2.0, which does not have the mod_auth.h
    header.  Reported by Kai Lanz.

WebAuth 4.2.0 (2012-07-13)

    Port to Apache 2.4 (tested with Apache 2.4.1).

    Support for AuthType StanfordAuth has been deprecated and will be
    removed from mod_webauth and mod_webauthldap in a subsequent release.

    Support for AuthType StanfordAuth in mod_webauthldap is not available
    when built with Apache 2.4.  This includes treating "require group"
    directives where the group contains a colon as "require privgroup" and
    setting the SU_AUTH_DIRMAIL, SU_AUTH_DIRNAME, and SU_AUTH_UNIVID
    environment variables.  This behavior is currently still supported for
    now when built with Apache 2.2 or earlier, but is deprecated as
    mentioned above.

    Support Kerberos keyring ticket caches for passing delegated
    credentials from mod_webauth to CGI and embedded code.  Set possessor
    permissions on Kerberos keyring tickets so that other processes
    running as the same UID should not have access.  Patch from Benjamin
    Coddington.

    Fix merging of mod_webkdc Apache directives in some corner cases where
    the directive has a default value or is explicitly set to off.

    WebLogin now only sets a SIGTERM handler to defer exit while
    processing a request.  This will hopefully fix orphaned login.fcgi and
    pwchange.fcgi processes due to SIGTERM arriving while waiting in the
    FastCGI listen loop and then never being woken up again.

    The WebAuth Perl module API now requires creating a WebAuth object
    first and passing that object as the first argument to all other
    functions except the krb5_* functions.  This is the first step in
    making the API more object-oriented.  The only export groups provided
    are :const and :krb5, and all other export requests should be removed.
    All users will need code changes to work with the new API.
    WebAuth::Krb5 has not yet been converted, but will be in a subsequent
    release.  This means that the WebKDC and WebLogin Perl modules in this
    release require the WebAuth module from this release and vice versa,
    so be careful of partial upgrades.

    webauth_token_encode now correctly allows id tokens of type krb5 to
    omit the subject attribute.  The receiver is supposed to determine the
    subject via the Kerberos authenticator.

    All key and keyring functions in the WebAuth library API have changed
    to take the WebAuth context and use APR memory management and
    new-style error message handling.  All the *_free functions have
    therefore been removed.  Keyrings are now represented by an APR array;
    callers that want to walk through the keyring entries will need the
    relevant APR headers.  Functions that could only fail if memory
    allocation failed now either return new objects directly or are
    declared void, since APR code assumes memory allocation does not fail.
    The API now uses named structs instead of typedefs.

    webauth_key_create will now create a random key if passed NULL for the
    key material.  It also now returns a status code so that better error
    messages can be reported.

    webauth_keyring_read_file has been renamed to webauth_keyring_read.
    webauth_keyring_write_file has been renamed to webauth_keyring_write.

    The webauth_keyring_encode and webauth_keyring_decode functions have
    been removed from the public API.

    The constant WA_AES_KEY has been renamed to WA_KEY_AES.

    The webauth_random_bytes and webauth_random_key functions have been
    removed from the public API.

    webauth_keyring_best_key now takes a WA_KEY_DECRYPT or WA_KEY_ENCRYPT
    argument instead of a boolean.  This makes the meaning clearer at the
    call site.

    The Perl API for manipulating keyrings has been modified to include
    the WebAuth context.  The read_file method in the WebAuth::Keyring
    class has been renamed to read, calling an underlying keyring_read
    method in the WebAuth class.  The WebAuth::Keyring new constructor now
    takes a WebAuth context and calls a keyring_new method in the WebAuth
    class so that the WebAuth context can be tracked.  The capacity method
    on a WebAuth::Keyring object has been removed since it's not part of
    the abstraction.

    The Perl WebAuth::Key class now supports type, length, and data
    accessor methods so that Perl programs can inspect the contents of
    keys.  It also supports a convenience new constructor that calls
    WebAuth::key_create.

    The old webauth_token_create and webauth_token_parse functions have
    been removed from the public API in favor of the new _encode and
    _decode functions.  The token_create and token_parse methods have also
    been removed from the Perl API in favor of the new token_decode method
    and WebAuth::Token::* classes.

    The Perl WebKDC::Token module and the classes it defined have been
    removed.  Use the new WebAuth::Token::* classes instead.

    All WebKDC::* Perl modules now have POD documentation.

    Update to rra-c-util 4.5:

    * Pass --deps to krb5-config unless --enable-reduced-depends was used.
    * Do not use krb5-config results unless gssapi is supported.
    * Fix test suite portability to Solaris.
    * Suppress warnings on compilers that support gcc's __attribute__.

    Update to C TAP Harness 1.12:

    * Fix additional uses of local in the shell TAP library.
    * Suppress warnings on compilers that support gcc's __attribute__.

WebAuth 4.1.1 (2012-04-25)

    Fix a bug in webauth_user_info that misparsed timestamp attributes
    from the user information query results, causing timestamps to be
    ignored and always set to 0 in user login history information and
    causing the function to fail if any unknown attributes were returned.

    Fix the sample confirm template to use the correct attribute for login
    history timestamps and to suppress the timestamp section if that
    history entry had no associated timestamp.

    Fix the sample confirm template to properly suppress the history and
    token rights sections when there are no entries in the corresponding
    arrays.  Thanks, Sam Morris.

    Add explicit HTML filters to all interpolated variables in the
    sample WebLogin templates.  Previous versions of the sample templates
    (since the conversion to Template Toolkit in 4.0) did not uniformly
    apply the HTML filter, which could cause rendering problems or even
    cross-site scripting vulnerabilities in some corner cases.  For most
    attributes missing this filter there was no chance of HTML special
    characters, but now the filter is applied uniformly for consistency.
    Sites with custom templates should check their templates for any
    instance of a variable interpolation ([% variable %]) and ensure that
    the HTML filter is applied ([% variable FILTER html %] instead).

    Update the generated HTML version of the mod_webkdc manual to include
    the new directives introduced in WebAuth 4.1.0.

    Update to rra-c-util 4.3:

    * Update the set of flags enabled by make warnings.

    Update to C TAP Harness 1.11:

    * Only use feature-test macros when requested or built with gcc -ansi.
    * New tests/tap/macros.h header with some common definitions.
    * Drop is_double from the C TAP library to avoid requiring -lm.
    * Avoid using local in the shell libtap.sh library.

WebAuth 4.1.0 (2012-03-15)

    Add new mod_webkdc configuration option WebKdcUserInfoTimeout, which
    sets the network timeout used for user information service queries and
    multifactor authentications.  The default timeout is 30 seconds.
    Timeout support requires compiling with remctl 3.1 or later.

    Add new mod_webkdc configuration option WebKdcUserInfoIgnoreFail,
    which if set tells mod_webkdc to not fail the login if a user
    information service is configured but cannot be queried (either due to
    timeout or due to some other error).  By default, all logins will be
    rejected if a user information service is configured but returns an
    error.  If this option is set, the login can proceed, but only a
    password factor will be available and no level of assurance can be
    set.  Be aware that setting this option may allow bypassing a
    multifactor requirement expressed by the user information service
    rather than the destination site.

    Really fix compilation without remctl libraries.  The previous change
    would always define HAVE_REMCTL even if the libraries weren't found.

    If the remctl_set_ccache function is available, use it instead of
    setenv of KRB5CCNAME to set the ticket cache location when making user
    information service calls.  This at least only affects thread state
    instead of global process state and doesn't leak memory.

    Fix error handling in WebLogin when the password field on the login
    form is left blank.  The correct error is now returned, leaving the
    user at the login page, rather than giving the user a generic error
    page.  Thanks to Petr Grolmus for the report.

    Display the correct WebLogin error when the user enters a password and
    omits the username, and avoid attempting to authenticate with an empty
    username.

    Drop library support for base64-encoded token attributes.  This was
    never used in the WebAuth code.

    Drop the webauth_info_build and webauth_info_version functions from
    the libwebauth library and instead build the version and build
    information directly into the modules.  These functions were only used
    to get information for startup logging and reported versions in the
    modules.

    Document in the mod_webauth manual a problematic interaction of URL
    parsing between Apache and Tomcat that affects any Apache
    authentication mechanism used to protect URLs that are proxied to
    Tomcat.  Apache configuration to restrict access to proxied URLs needs
    to allow for URI path parameters at the end of path segments.

    Update to rra-c-util 4.2:

    * Improve the xstrndup utility function.
    * Kerberos test configuration now goes in tests/config.
    * The principal of the test keytab is determined automatically.
    * Build on systems where krb5/krb5.h exists but krb5.h does not.
    * Add bail_krb5 and diag_krb5 test utility functions.
    * Simplify the test suite calls for Kerberos and remctl tests.
    * Ensure config.h is included for portable/stdbool.h.
    * Add test wrappers around asprintf and vasprintf.

    Update to C TAP Harness 1.10:

    * Add test_tmpdir and test_tmpdir_free to TAP library.
    * Add bstrndup function to the C TAP library.
    * runtests now frees all allocated resources on exit.

WebAuth 4.0.2 (2011-12-02)

    Fix a typo that caused the cookie tracking whether a user had
    requested REMOTE_USER authentication to be reset as a session cookie.

    Fix compilation without remctl libraries.

    Port to APR 0.9, which comes with Red Hat Enterprise 4 and
    distributions derived from it.

    Ignore cookies with undefined values in WebLogin and tokens that
    aren't present in the password change page to avoid Perl warnings in
    the Apache error log.

    Document factor codes in the mod_webauth manual.

    Add additional Stanford-specific documentation for how to enable
    multifactor authentication on a WebAuth Application Server at
    Stanford.

    Update to rra-c-util 3.11:

    * Check for a missing ssize_t.
    * Correctly remove -I/usr/include from Kerberos and GSS-API flags.
    * Fix message utility library compiler warnings on 64-bit systems.

WebAuth 4.0.1 (2011-09-23)

    The protocol for getting suspicious login information from the user
    information service and conveying that information to WebLogin has
    changed to use the IP address as the content of the tag and move the
    hostname to an attribute, since the hostname is optional and may not
    be available.

    If the user information service returns suspicious logins, WebLogin
    now forces a confirmation page and displays those logins.  Full use of
    this functionality will require an update to the local confirm
    template to add the suspicious login display if the corresponding
    template variable is set.

    Log the return URL of authentication requests to the WebKDC.

    Fix a memory leak in token decoding.

    Properly initialize the creation time of the error token returned to
    the WAS when a login is canceled.

    Reduce the log level of the mod_webauth logging when retrieving
    credentials from the WebKDC.  The full XML exchange is now only logged
    when debug logging is enabled.

    Update to rra-c-util 3.9:

    * Use an atexit handler to clean up after Kerberos tests.

WebAuth 4.0.0 (2011-09-02)

    WARNING: This release is a major revision with significant changes to
    mod_webkdc and to the WebLogin code.  While the additions are not
    completely specific to Stanford University, it still has some
    limitations and missing components that will make it difficult to
    deploy new features outside of Stanford, and it's not yet been tested
    in a production deployment.  The new mod_webauth and mod_webauthldap
    are suitable for everyone, but sites outside of Stanford University
    will probably want to wait for subsequent releases before updating
    mod_webkdc and the WebLogin code.

    WebAuth now has support for multifactor authentication.  New WebAuth
    configuration directives WebAuthRequireInitialFactor,
    WebAuthRequireSessionFactor, and WebAuthRequireLOA can be used to
    require specific authentication factors, unspecified multiple factors,
    or a site-specific level of assurance value to allow access to
    particular content.  Using this feature currently requires a custom
    middleware service that returns information about users and their
    configured factors and that validates a provided OTP code.  New WebKDC
    configuration directives WebKdcUserInfoURL and WebKdcUserInfoPrincipal
    control how that middleware service is used.  WebKdcKerberosFactors
    controls what factors are assigned to webkdc-proxy tokens obtained
    directly from the WebKDC rather than via WebLogin.

    mod_webauth now exposes the user's initial and session authentication
    methods via environment variables WEBAUTH_FACTORS_INITIAL and
    WEBAUTH_FACTORS_SESSION, and the user's level of assurance (if known)
    via WEBAUTH_LOA.

    WebLogin now uses Template Toolkit for all templating instead of
    HTML::Template.  This means that all local WebLogin templates will
    have to be revised for the new syntax.  WebLogin has also dropped
    support for obsolete template variables and for templates that don't
    support the new variables that have been introduced over the years.
    See the sample templates in weblogin/templates for examples of what
    the new templates should look like.

    WebLogin now uses CGI::Application to control page flow through the
    WebLogin pages.  WebLogin servers will need CGI::Application plus
    additional plugin modules installed.  See docs/install-webkdc for a
    complete list.

    As part of multifactor support, WebLogin can now tell an external
    middleware service to send an OTP code to the user through
    site-specific means (such as an SMS message).  There are new
    configuration variables for webkdc.conf to specify how to contact this
    optional service.

    As part of multifactor support, WebLogin supports a new site-specific
    callback to determine the initial and session factors for a user who
    has been authenticated via some other Apache authentication mechanism
    (such as GSS-API via mod_auth_kerb).  See docs/weblogin-config under
    remuser_factors for more information.

    The libwebauth library API has changed significantly in this version
    and will be changing further in subsequent versions.  There are new
    webauth/*.h headers for the new API, but this API should not yet be
    considered stable.  External users of the libwebauth API should stay
    with previous releases until the libwebauth library changes have been
    completed, and should expect to require substantial changes (mostly
    simplifications).

    The proxy data attribute of webkdc-proxy tokens is now optional and
    may be omitted for webkdc-proxy token types (like remuser) that carry
    no additional data.  The WebKDC now accepts webkdc-proxy tokens with
    no data but always adds some data for backward compatibility with
    older servers.  It will stop generating that data in a future release.

    The keyring manipulation functions of the WebAuth Perl module have
    been rewritten to be object-oriented, introducing new WebAuth::Keyring
    and WebAuth::KeyringEntry objects.  Perl code using the WebAuth module
    to manipulate keyrings will have to be modified, since several
    functions were removed in favor of the new interface.  Methods to
    remove a key from a keyring, get the timestamps and keys associated
    with keyring entries, and choose the best key from a keyring have been
    added.

    Use PATH_KRB5_CONFIG as the environment variable to set the path to
    krb5-config rather than KRB5_CONFIG, since the latter is used by the
    Kerberos libraries to specify an alternative path to krb5.conf.

    Update to rra-c-util 3.8:

    * Add notices to all files copied over from rra-c-util.
    * Fix warnings when reporting memory allocation failure in messages.c.
    * Include strings.h for additional POSIX functions where found.
    * Avoid using krb5-config if --with-{krb5,gssapi}-{include,lib} given.
    * Fix use of long long in portable/mkstemp.c.

    Update to C TAP Harness 1.8:

    * Add bmalloc, bcalloc, brealloc, and bstrdup TAP library functions.
    * Fix runtests to honor -s even if BUILD and -b aren't given.

WebAuth 3.7.4 (2011-05-11)

    WebAuth now supports a new Apache configuration directive,
    WebAuthOptional, which can be used in directories and .htaccess files.
    If set to on, unauthenticated users are not redirected to WebLogin and
    are instead allowed access to the protected resource, but without any
    REMOTE_USER or related environment variables set.  However, if the
    user was previously authenticated to that server, their authentication
    information will be present in the environment as normal.  This is
    intended for use with dynamic content, such as embedded PHP or CGI
    scripts, that will inspect REMOTE_USER and decide what content to show
    based on the authentication status.  Normally, unauthenticated users
    would also be shown a login link to a URL protected by WebAuth without
    this directive so that they can authenticate if desired.  This feature
    is sometimes referred to as "passive authentication" or "lazy
    sessions."  Based on work by niklas.

    Previous versions of WebLogin interpreted a "message stream modified"
    error on password change as a failure of strength checking because
    that error was incorrectly returned by MIT Kerberos for password
    strength checking errors with a Heimdal KDC.  This turned out to be a
    bug in MIT Kerberos, which is now avoided by using a different library
    API call that doesn't have that bug.  This workaround has now been
    removed, so the error reporting from WebLogin on password change will
    now be more accurate.

    Disable TLS certificate verification in WebLogin if the WebKDC URL is
    at localhost, since the presented certificate will generally not be a
    localhost certificate.  This fixes an incompatibility with libwww-perl
    versions later than 5.837, which changed the default value for
    certificate validation.

    Fix compilation error in libwebauth if assert() calls are enabled and
    the local C library doesn't define an index function.  Fixes
    compilation problems on Solaris 10.

    Fix an Autoconf probe for the Heimdal Kerberos implementation.

    Export the defines to enable system extensions to the module config
    header as well.  Fixes build problems with APR on Red Hat Enterprise
    Linux 5, which requires _GNU_SOURCE be defined before including APR
    headers to define off64_t.

    Avoid problems with generating the pkg-config configuration file when
    the Kerberos linker flags contain commas.

    Print a clearer warning in WebLogin when used with a mod_webkdc
    older than 3.6.1 and therefore missing the request token type in the
    repsonse.

    Document the pt and sa key/value pairs in WebKDC logs in the
    mod_webkdc manual.

    Be more defensive in mod_webauth against an Apache request struct that
    doesn't have the notes table or per-directory configuration filled in,
    which seems to happen under the Apache included with Solaris 10 x86.
    Based on a patch by Gary Buhrmaster.

    Update to rra-c-util 3.4:

    * Fix broken GCC attribute markers causing compilation problems.
    * Kerberos library probing fixes without transitive shared libraries.
    * Fix Autoconf warnings when probing for AIX's bundled Kerberos.
    * Update warning flags for GCC 4.6.1.

    Update to C TAP Harness 1.7:

    * Fix compliation of runtests with more aggressive warnings.
    * Add a more complete usage message and a -h command-line flag.
    * Flush stderr before printing output from tests.
    * Better handle running shell tests without BUILD and SOURCE set.

WebAuth 3.7.3 (2010-09-20)

    Explicitly link the mod_webauthldap module with the portability glue
    library, fixing a build failure on Red Hat Enterprise 4 x86_64.

    Fix LDAP attribute retrieval in WebAuth 2.x backward compatibility
    mode, which was broken in 3.7.0.

    The WebAuth library also installs a pkg-config configuration file for
    the use of software that wants to link against it.

    Update to rra-c-util 2.7:

    * Look for krb5-config in /usr/kerberos/bin after the user's PATH.
    * Update utility library and test suite for newer GCC warnings.

WebAuth 3.7.2 (2010-08-12)

    Fix wa_keyring option parsing problems introduced in 3.7.0.  Correctly
    count arguments so that commands are recognized correctly and do not
    require -- before commands with negative time offsets, like "gc -90d".

    Fix uninitialized variable that caused wa_keyring to randomly default
    to verbose mode for list.

    mod_webkdc now returns a user rejected error instead of a generic
    Kerberos error for attempted authentications to expired accounts or
    accounts set to disallow authentication, allowing WebLogin to display
    a rejected user error message rather than a generic failure message.

    Add portability code for old MIT Kerberos and Heimdal libraries
    without krb5_get_init_creds_opt_free.

    Fix build problems with with Perl module (only built when the WebKDC
    is enabled) on platforms where all shared libraries need to be linked
    with explicitly.

WebAuth 3.7.1 (2010-07-23)

    Add new WebLogin configuration parameter $EXPIRING_PW_RESEND_PASSWORD.
    If set, a user who is changing their password due to either an expired
    password or by following the prompt to change a password that's
    expiring soon is required to re-enter their current password on the
    same screen as the new password, even if they had just authenticated
    with the old password.  This may be required by site security policy
    and is enabled by default.

    Improve error reporting in WebLogin when password change fails.

    Make mod_webkdc behavior match the documentation by changing the
    default WebKdcProxyTokenLifetime to be the lifetime of the underlying
    Kerberos credential.  Previously, the default was ten hours.

    When probing for Apache module build flags, call apr-config --includes
    and add it to the preprocessor flags.  Fixes build failures on Red Hat
    Enterprise Linux 4 and 5.

WebAuth 3.7.0 (2010-07-08)

    The WebAuthLdapAuthRule directive in mod_webauthldap has been fixed to
    do something closer to its documentation.  Previously, it was
    documented as containing "group <privgroup>" if the user was
    authorized by a privgroup directive, but actually contained only the
    privgroup.  Now, it contains "privgroup <privgroup>" if the user was
    authorized by a privgroup directive.  Patch from Ian Ward Comfort.

    mod_webauthldap supports a new WebAuthLdapPrivgroup directive that
    names a list of privgroups against which the authenticated user's
    membership should be checked.  All privgroups listed of which the user
    is a member will be put into the WEBAUTH_LDAPPRIVGROUP environment
    variable.  Patch from Ian Ward Comfort.

    The WebAuthLdapAttribute directive can now take multiple attributes on
    the same line.  Patch from Ian Ward Comfort.

    WebLogin now includes a password change script and associated template
    to allow users to change their Kerberos password.

    WebLogin now supports password expiration.  If the account password is
    expired when a user authenticates with a password at the WebLogin
    login screen, they are redirected to the password change screen,
    forced to change their password, and then reauthenticated with their
    new password so that they can continue as normal with their
    authentication.

    WebLogin can be optionally configured to warn users, via the
    confirmation screen, if their password is about to expire.  Currently,
    this warning requires remctl, configuration of a Kerberos ticket
    cache, and the kadmin-remctl backend running somewhere for that
    Kerberos realm.

    The WebAuth Apache modules are no longer built with apxs, which allows
    a cleaner build and installation process.  However, this means that
    the modules are now installed in <libexecdir>/apache2/modules by
    default, where <libexecdir> is specified via the --libexecdir flag to
    configure and defaults to /usr/local/libexec.

    The --with-apache option has been dropped.  Use --with-apxs to specify
    the full path to apxs if it's not in your PATH.

    The --enable-mod_webkdc flag is now --enable-webkdc, since it also
    controls installation of the WebLogin scripts and templates.

    The --enable-debug flag has been dropped.  Set CFLAGS on the configure
    command line if you want to override the default compiler flags.

    Catch SIGTERM in the login.fcgi script and only exit once processing
    of the current request has completed.  mod_fastcgi restarts FastCGI
    scripts periodically by killing the old one with SIGTERM, which
    previously could result in internal server errors handed back to the
    client if the script was killed in the middle of processing a request.

    Correctly encode RT and ST tokens in the URL when redirecting to an
    alternate URL to attempt REMOTE_USER authentication in WebLogin.
    Patch from Ian Ward Comfort.

    The majority of the WebLogin scripts have been moved into a new
    WebLogin Perl module, which should make it somewhat easier to further
    customize the WebLogin interface if desired.

    The timestamps output by wa_keyring list now contain dates in the ISO
    format YYYY-MM-DD instead of the US-centric and ambiguous MM/DD/YYYY.

    Removed the webauth_krb5_service_principal function from libwebauth
    and from the WebAuth Perl module.  This function's API was
    fundamentally flawed since it did not handle realms, and it was not
    used anywhere in the WebAuth code.

    Change the libwebauth API to use size_t and other data types more
    correctly instead of always using int.  This will require updates in
    all calling applications.

    wa_keyring calls the OpenSSL MD5 functions directly, so explicitly
    link it with libcrypto.  Fixes build failures with gold.

    Lower the logging level of mod_webauth messages about setting cookies
    (to debug) and environment variables (to info, since that's the best
    way right now to see a trace of authenticated users).

    Avoid importing isa from UNIVERSAL in the WebAuth Perl modules.  This
    is deprecated in Perl 5.12 and later.

    Mention setting $KEYRING_PATH in docs/install-spnego and expand the
    documentation in docs/weblogin-config.

    Changed terminology in the WebAuth protocol specification to refer to
    a KRB_AP_REQ rather than the results of krb5_mk_req.  The latter is a
    call specific to a particular API, whereas the former is the term used
    in the Kerberos protocol documentation.  Thanks, Liam Atkinson.

    The Autoconf probe for the cURL libraries now uses curl-config if
    available.  The path to curl-config can be overridden by setting the
    CURL_CONFIG variable on the configure command line or in the
    environment.

    Update to rra-c-util 2.5:

    * Use rra-c-util portability layer for libwebauth and wa_keyring.
    * Use rra-c-util utility library for wa_keyring.
    * Use --with-krb5 instead of --with-kerberos for Kerberos path.
    * Add --with-krb5-lib and --with-krb5-include configure flags.
    * Much better handling of Kerberos library detection.
    * Avoid deprecated Heimdal Kerberos functions.
    * Use Kerberos portability code from rra-c-util.

    Update to C TAP Harness 1.4:

    * Support running a single test with tests/runtests -o.
    * Better reporting of fatal errors in the test suite.
    * Rewrite of all test cases to use the new TAP library support.
    * Summarize results at the end of test execution.

WebAuth 3.6.2 (2009-09-10)

    SECURITY: When generating the redirect to test for cookie support if
    the test cookie is not already set, be sure not to include the
    username and password query fields in the redirect URL.  Otherwise,
    the user's password could be logged in the Apache logs and possibly be
    included in referrer information sent by the browser.

    SECURITY: Reject username/password logins via methods other than POST,
    since continuing risks exposing the password in the browser history
    and via referrer information.

    If the user submits the login form via POST without including the test
    cookie, assume that the browser supports cookies and proceed.  We
    won't present the initial login form without seeing the test cookie,
    so something strange is happening.  Continuing and assuming everything
    will work seems to be the best approach.

    Add tools/weblogin-passcheck to examine Apache logs looking for users
    who were affected by the above security vulnerabilities.  This script
    is not installed by default but is provided in the distribution for
    WebLogin administrators to use to determine the scope of this problem.
    For documentation, run tools/weblogin-passcheck -h.

WebAuth 3.6.1 (2009-07-14)

    Setting $BYPASS_CONFIRM in the WebLogin configuration now also
    suppresses the confirmation page after username/password login
    provided that the browser supports HTTP/1.1 (and the web server tells
    the WebLogin script that in the form Apache does).

    Setting $BYPASS_CONFIRM to the special value "id" in the WebLogin
    configuration suppresses the confirmation page only if the WebAuth
    Application Server requests an id token (in other words, only asks for
    the user's identity).  If it instead requests a proxy token, which
    would allow it to later ask for delegated user credentials, the
    confirmation page is still displayed.

    Add a new WebLogin configuration variable $TOKEN_ACL.  If set to the
    path of the token.acl file used by the WebKDC, and if the WebAuth
    Application Server requests a proxy token, the list of credentials the
    WAS may request is provided to the confirmation page template for
    display to the user.  See doc/weblogin-config for more information.

    WebLogin now sets and updates its cookies after successful
    authentication even if the confirmation screen is bypassed.  This
    primarily affects the update of the expiration time of the REMOTE_USER
    cookie.

    Handle err_confirm in the error.tmpl sample template and document this
    in doc/weblogin-config.  This error is returned when redisplaying the
    confirmation page after a change in the REMOTE_USER cookie.

    Fix a coding error in login.fcgi when redisplaying the confirmation
    page fails.  Thanks to pod for the report.

    Fix an off-by-one error in error code to error string mapping in
    WebKDC::WebKDCException that resulted in incorrect error names in
    WebLogin error messages.  Thanks to pod for the report.

    The WebLogin scripts and templates are now installed by default under
    /usr/local/share/weblogin.  This can be modified with the --prefix or
    --datadir options to configure.

    There is no longer an install-tests target; instead, to install the
    test suite, copy the directories under tests/mod_webauth recursively.
    This will be replaced by a better test suite mechanism in a future
    version of WebAuth.

    Update the mod_webauth documentation to reflect that separate WebAuth
    servers in the same load-balanced pool can use separate keytabs.  Only
    the keyring needs to be shared between systems.

    Improved the comments in the provided sample configuration files.

    Update the INSTALL documentation for obtaining keytabs for Stanford
    users to reference wallet instead of leland_srvtab.

WebAuth 3.6.0 (2008-03-22)

    Allocate all note keys and values in the top-most request pool in
    mod_webauth, avoiding problems with prematurely freed internal data
    structures.  This fixes problems with checking access permissions of
    subdirectories in mod_autoindex and may have fixed problems elsewhere.
    Thanks to Ian Ward Comfort for the patch.

    Add the WebKdcLocalRealms configuration option to mod_webkdc, which
    specifies the transformation behavior for authenticated identities.
    The default is "local", which runs krb5_aname_to_localname and uses
    the result as the authenticated identity (matching previous behavior).
    Setting it to "none" always keeps the fully-qualified Kerberos
    principal as the authenticated identity, and setting it to a list of
    realms strips the realm if it matches one of the listed realms and
    uses the fully-qualified Kerberos principal otherwise.  Thanks to
    Dmitri Priimak for the patch.

    Add the WebKdcPermittedRealms configuration option to mod_webkdc.  If
    set, only Kerberos principals in the listed realms will be able to
    obtain authentication tokens from the WebKDC.  This allows sites with
    Kerberos cross-realm trust to prevent users in foreign realms from
    obtaining WebAuth credentials that satisfy "require valid-user".
    Thanks to Dmitri Priimak for the patch.

    Add an additional check to webkdcProxyTokenRequest processing in
    mod_webkdc to ensure that the Kerberos authenticator and the included
    Kerberos TGT are for the same principal.

    The WebLogin login.tmpl template may be called with err_rejected set
    if the authenticating principal is rejected by the WebKDC.  Login
    templates should be modified to handle this variable.

    Add a new error to the WebKDC protocol, 18, indicating that the WebKDC
    did not permit that user to authenticate.  This error is returned when
    WebKdcPermittedRealms is set and the realm of the authenticating
    principal isn't included.  Add support for the new error in the
    WebLogin code, setting the template variable err_rejected.  Based on
    work by Dmitri Priimak.

    libwebauth provides a new webauth_krb5_get_realm function, which
    returns the realm of the current authenticated principal.

    The libwebauth webauth_krb5_get_principal function takes as its third
    argument, instead of a flag, an enum indicating what sort of
    canonicalization to perform.  Accepted values are WA_KRB5_CANON_LOCAL
    (to call krb5_aname_to_localname), WA_KRB5_CANON_STRIP (to strip any
    realm), and WA_KRB5_CANON_NONE (to return the fully-qualified
    principal).

    In the WebLogin script, work around a bug in the CGI module that
    causes it to misparse and die on WebLogin URLs that contain two
    slashes and two plus signs.

    WebLogin now supports delegated credentials, allowing browsers that
    support credential delegation via SPNEGO to still get single sign-on
    even to services that require proxy credentials or krb5
    authenticators.  See doc/install-spnego for configuration details.
    Based on work by Joachim Keltsch.

    WebLogin now supports a new configuration variable, $DEFAULT_REALM.
    If set, WebLogin will append @ and $DEFAULT_REALM to usernames that do
    not contain @ before passing them to the WebKDC.  This is primarily
    useful if principals should be authenticated in a different Kerberos
    realm than the default realm of the WebKDC.

    WebLogin now supports a new configuration file, $BYPASS_CONFIRM.  If
    set, the confirmation page will only be displayed if required by the
    HTTP protocol after a POST of the login form.  Otherwise, the user
    will be silently redirected to the destination site.

    Add support for a map_username function defined in the WebLogin config
    file.  If defined, this function will be called to map the
    user-supplied username to a Kerberos principal for authentication.

    Add support for a record_login function defined in the WebLogin config
    file.  If defined, this function will be called after any successful
    authentication.

    Many of the REMOTE_USER configuration variables have been renamed for
    consistency.  The old names are still supported for backward
    compatibility.  $REALM has been deprecated in favor of setting
    @REMUSER_REALMS to a list with a single value.

    Escape Mac OS X compiler flags for apxs, fixing build issues on Mac OS
    X 10.5.

WebAuth 3.5.5 (2008-01-14)

    Check for browser cookies on the first page visit to WebLogin via a
    redirect and show an error immediately if the user doesn't have
    cookies enabled.  This works correctly in the presence of Apache
    authentication.  Thanks to Joachim Keltsch for the patch.

    There is a new template variable, err_cookies_disabled, for the error
    template, indicating that the user doesn't have cookies enabled.  Old
    templates are supported but won't offer as nice of an error message.
    The err_cookies parameter to the login template is no longer used.

    Fix memory allocation in mod_webauthldap for the Kerberos ticket cache
    environment variable to use persistant rather than pool memory.  Fixes
    occasional segfaults in mod_php.

    Improve extraction of return URLs for user-friendly display when doing
    authentication for a Shibboleth IdP.  Thanks, Robert Basch.

    Show the correct pretty Shibboleth return URL when redisplaying the
    confirmation page.  Thanks, Robert Basch.

    Mark the test cookie secure to match other cookies so that we're
    testing what we're using.

    Use Javascript in the default login template to set focus to the
    username entry box.

WebAuth 3.5.4 (2007-04-24)

    Add a configuration option to WebLogin to attempt to decode return
    URLs pointing to a Shibboleth IdP and display on the confirmation page
    the final destination instead of the intermediate IdP.

    For pages that the browser should reload each time (WebAuthDoLogout or
    WebAuthDontCache), also always set the content modification time to
    now.  Otherwise, the browser may check the last modification time on
    the page and then serve its cached copy, ignoring any new Cookie
    headers from the server (such as cookie clearing from a logout page).

    For WebAuthDoLogout, WebAuthDontCache, and all WebLogin pages, set
    Cache-Control: no-store as well as no-cache.  no-store wasn't really
    intended for this purpose but preventing the browser from keeping a
    local copy is more likely to force the behavior we want.  (This is
    probably not necessary given the above change, but shouldn't hurt.)

    Properly merge configuration settings in mod_webauthldap.  This will
    correct problems with WebAuthLdapAuthrule, WebAuthLdapFilter, and
    WebAuthLdapPort configuration options not being honored inside virtual
    hosts.  Thanks to Wadud Miah for the bug report.

    Refresh the REMOTE_USER configuration cookie on each WebLogin page
    visit so that it won't expire if the user is using WebLogin
    regularly.

    Document the cookies used by the WebLogin service.

    Read ticket defaults from krb5.conf properly when built with Heimdal.

    Fix configure logic and Kerberos library analysis on systems with
    multiple versions of Kerberos installed.

    Escape -R linker flags from apxs, which doesn't understand them.
    Patch from Robert A. Basch.

WebAuth 3.5.3 (2006-09-12)

    Add the connection IP address and, for WebLogin logins, the client IP
    address to the WebKDC to the WebKDC log messages whenever processing
    XML requests.

    Document the log messages from the WebKDC in the mod_webkdc manual.

    Initial port to Apache 2.2.  Thanks to Jim Rodgers for the patch.

    Turn off debug-level logging in the WebLogin login.fcgi script by
    default.  The REMOTE_USER code now seems to be stable and working
    correctly and the extra verbose logging is not needed.

    Remove extraneous newlines from the messages logged by the mod_webauth
    module.

WebAuth 3.5.2 (2006-07-13)

    SECURITY: Modify the default templates to add ESCAPE=HTML when
    inserting the values of variables.  Without telling HTML::Template to
    escape values in this fashion, a cross-site scripting attack is
    possible with at least the username field of the login form.  Any site
    using customized templates should make the equivalent change to their
    templates.

    Set Pragma: no-cache and Cache-Control: no-cache in the HTTP headers
    of all responses from the WebLogin scripts.  This is particularly
    important for the logout script, since otherwise browsers may cache
    the logout page and not actually be logged out.

    Don't ever redirect the user to the URL that attempts Apache
    authentication if they've already submitted the login form, even if
    they didn't supply a username or password.  Once the user reaches the
    login page, the page flow should keep them there until they log in
    with username and password.

WebAuth 3.5.1 (2006-06-20)

    Allow the submit button on the login page to return any value rather
    than requiring it have the value "Login" so that the template can be
    more easily translated.  Instead, the login form must include the tag:

        <input type="hidden" name="login" value="yes">

    The form for attempting Apache remote-user authentication should not
    contain this tag.  Existing login.tmpl files must be updated
    accordingly when upgrading to this version of the WebLogin server.

    In the weblogin confirmation page, the variable remuser is now set to
    1 if the user has a cookie indicating they want to try REMOTE_USER and
    is not set otherwise.  This is a change from the previous behavior
    where it was set to either the string "checked" or the empty string.
    Templates using this variable will require modification.  This change
    was made so that the WebLogin scripts don't assume a particular UI
    presentation.

    Add an err_forced template variable for the login.tmpl file that
    indicates the user had a single sign-on configuration (either an
    existing cookie or a request to do REMUSER), but the authenticating
    web site requires username/password authentication.  Existing
    login.tmpl files must be updated to include a reference to this
    variable (even if not otherwise used).

    Add the @REALMS configuration option to the WebLogin configuration
    file, for use with Apache authentication where the resulting
    REMOTE_USER value may be in one of several realms and each realm
    should be treated identically.

    Modify the default login template to show a single error message if
    the user provided neither username nor password rather than showing
    the missing username and missing password errors one after the other.

    Fix decoding of time_t values in tokens on 64-bit platforms, a bug
    which usually manifested itself while reading keyrings.  Thanks to pod
    for the analysis.

    Properly check for apxs in configure so that an apxs under the
    provided Apache root will be found.  Thanks to Marco Wise for the
    debugging.

WebAuth 3.5.0 (2006-03-20)

    Rename the template variables used by the weblogin templates to be
    a bit more consistent and add an error variable to the login template
    that is set whenever there was any error.  Existing weblogin templates
    will require modifications.  See doc/weblogin-config for the new
    configuration and customization documentation.

    Sometimes an Apache authentication mechanism should only be attempted
    if the user explicitly requests it since it may fail in a way that
    doesn't allow weblogin to proceed.  SPNEGO is an example, since it has
    bad behavior with some browsers.  Implement weblogin script support
    for the required more complex page flow and additional template
    variables.

    Document in detail how to configure the weblogin front-end, including
    all of the template variables used and the configuration variables
    that can be set in /etc/webkdc/webkdc.conf.

    Document in detail the page flow for the weblogin script and the
    variables it uses when rendering page templates.

    WebAuthExtraRedirect is now the default.  If you don't want this
    behavior, you now need to turn it off explicitly in the Apache
    configuration.

    WebAuthExtraRedirect is now accepted at the server and virtual host
    level as well as in <Directory> and .htaccess files.

    In the WebKDC installation instructions, stop recommending that the
    WebkDC /webkdc-service URL run on a different port than the regular
    SSL port.  There's no reason why it and the weblogin service can't
    both run on the regular SSL port.

    Preliminary port to Heimdal 0.6 (0.7 was previously supported).  This
    has not yet been well-tested.

    Recommend installing an SSL certificate before testing in INSTALL,
    since otherwise WebAuth would be unhappy.  Combine a few steps
    together and also recommend WebAuthSSLRedirect on.

    Change WebAuthSSLRedirect to on in the recommended and default
    configuration files, since it works with the standard installation
    instructions.

WebAuth 3.4.2 (2006-02-17)

    Don't try to build the modules with -z defs.  If it actually works, it
    breaks the build, since Apache modules refer to symbols that are only
    in httpd, not in any linked library.

    Transform -pthread or -pthreads in the Kerberos compiler flags into
    something that apxs can handle.  This is needed for some builds of
    Heimdal.

    Add another fix for finding et/com_err.h on Red Hat, this time for
    mod_webauthldap.

    Search for apxs2 in the path before apxs.  WebAuth requires Apache
    2.x, so if apxs2 is available, it's more likely the right thing to use
    than apxs.  This change allows the WebAuth build to find apxs properly
    on Debian without extra configure flags.

    Document the Kerberos ticket encoding for WebAuth tokens in the
    protocol specification.

WebAuth 3.4.1 (2006-02-06)

    Revert the change in 3.4.0 to not strip WebAuth data from the URLs for
    unprotected URLs since it didn't work with .htaccess files.

    Document the WebAuthStripURL directive as a partial replacement for
    the problem the reverted change was supposed to solve.  This directive
    has always been supported but it was previously undocumented and not
    guaranteed to remain.

    Port to Heimdal.  The Kerberos implementation dependencies are all
    inside libwebauth, which can now be built with either MIT Kerberos or
    Heimdal.  Mixed environments with some Heimdal-based WebAuth modules
    and some MIT-based modules should work correctly.

    Avoid deprecated OpenLDAP interfaces whose prototypes are unavailable
    by default in OpenLDAP 2.3.

    Support et/com_err.h as well as com_err.h for portability to Red Hat
    Enterprise Linux 4 and possibly other newer Red Hat-based Linux
    systems.

WebAuth 3.4.0 (2006-01-24)

    Add support to the weblogin server and WebKDC module to trust an
    authentication identity asserted by Apache.  This allows use of any
    authentication type that Apache supports as WebAuth authentication, in
    particular SPNEGO/GSSAPI.

    Allow login.fcgi to be used as the target of an ErrorDocument Apache
    directive and read the query parameters from the redirect environment
    variable.  This lets one use SPNEGO as the default and fall back on
    password authentication if it fails.  To support this feature, there
    is an additional template variable for the login template,
    script_name, that should be used as the action of the login form.

    The WebAuth module no longer strips WebAuth data (WEBAUTHR and
    WEBAUTHS) from the internal URL for requests to URLs not protected by
    WebAuth.  This way, Apache with mod_webauth loaded will not interfere
    with applications that wish to implement the WebAuth protocol
    themselves.  Thanks to Mats Henrikson for the report.

    Rewrite the WebAuth protocol documentation in RFC 2629 XML.  In the
    process, edited it extensively for consistency of terminology, updated
    it in a few places, and clarified the wording.

    Better Kerberos library checks, including support for MIT Kerberos 1.4
    and use of krb5-config where appropriate.

    Add --enable-reduced-depends to configure to request the minimal
    possible shared library dependencies be encoded at run-time.  This is
    for systems that properly implement transitive shared library
    dependencies, in order to minimize shared library conflicts introduced
    by SONAME changes and upgrades (mainly for Linux distribution
    packagers).

    The public interface for the libwebauth library now uses char *
    uniformly instead of unsigned char *, since using the latter is too
    annoying and causes too many compiler warnings.

    Remove more vestiges of S/Ident support.  mod_webkdc will no longer
    recognize the old Apache S/Ident directives.

    Ask the linker to be sure that all external references are defined
    when linking the Apache modules on Linux.

    Lots of general documentation updates for clarity and style.

WebAuth 3.3.0 (2005-10-04)

    All WebKDC support for S/Ident removed.  The S/Ident protocol is
    inherently vulnerable to an active man-in-the-middle attack that is
    particularly severe for WebAuth, since S/Ident authentication is done
    by a single server and WebAuth users regularly visit that server.
    Exploiting this protocol flaw would allow an attacker to capture a
    single sign-on cookie and then impersonate the user to all WebAuth
    sites in that domain.

    Add WebAuthLdapSeparator to specify the separator for multivalued
    attributes.  When set in the server configuration, all values of a
    multivalued attribute are concatenated together, separated by that
    separator, and put into the base WEBAUTH_LDAP_* environment variable
    (rather than only the first one).

    Clean up, expand, and improve the module documentation for
    mod_webauthldap.

    Add symbol versioning for libwebauth on Linux.  Symbol versioning is
    not supported on other platforms (at least yet).

WebAuth 3.2.8 (2005-06-03)

    mod_webauth now treats empty keyrings the same as keyrings that cannot
    be read, which will force the creation of a new keyring if auto-update
    is turned on.

    The mod_webkdc manual has been expanded and improved, fixing several
    documentation bugs (including a badly incorrect wa_keyring gc
    example).

WebAuth 3.2.7 (2005-04-23)

    Update libtool to 1.5.6 (the Debian version) to support proper shared
    library builds on Linux MIPS.

    In the weblogin login script, check to be sure the service token is
    set as well as the request token to avoid weird error messages from
    the WebKDC module later on.

WebAuth 3.2.6 (2005-04-19)

    Rename the Perl bindings from WebAuth3 to WebAuth to match the name of
    the shared library.

WebAuth 3.2.5 (2005-04-14)

    Downgrade most of the messages from mod_webauthldap to info from
    notice, including the messages about authorization.  Downgrade the
    message about failed authorization from warning to notice.  This seems
    more consistent with the Apache documentation of log levels.

WebAuth 3.2.4 (2004-08-25)

    In the weblogin script, only check for cookies when the user is not
    using S/Ident to authenticate.  This fixes the problem with users
    seeing the login page even if S/Ident is enabled, and then being
    allowed to proceed with S/Ident authentication after a simple page
    reload.

    Clean up and comment the weblogin login and logout scripts and
    remove Perl module uses that are no longer needed.

    Fix the error reporting in the WebKDC module when S/Ident requests
    fail.  Previously, the actual error would never be reported.

WebAuth 3.2.3 (2004-06-23)

    Long delays for some clients after redirects from mod_webauth should
    improve.  The redirect was being returned without a body but also
    without a Content-Length, forcing clients supporting keep-alive to
    wait for a timeout.  This may (but hopefully won't) cause more looping
    problems.

    The WebKDC package now looks at /etc/webkdc/webkdc.conf and paths can
    be overridden by modifying that file.

    Replace the sample WebLogin server templates with generic templates
    that don't use any Stanford-copyrighted logos or design.

    Install a man page for wa_keyring and the header file for the webauth
    library.

WebAuth 3.2.2 (2004-03-02)

    Add new WebAuthSSLReturn directive. If an unauth'd user shows up
    via http at a webauth-protected page and gets redirected to weblogin,
    the return URL will be https.

    Fix a bug in libwebauth that prevented wa_keyring from adding keys to
    an empty keyring file.

    Add a new mod-config.h for Autoconf results that we want to use in
    module builds, and use this to fix compatibility in mod_webauthldap
    for older versions of the Kerberos libraries and remove code to add
    Autoconf results to the compile command line for mod_webkdc builds.

    Fix various compilation problems with Sun cc, including signed vs.
    unsigned char mismatches and C++-style comments.

    Fix invalid HTML in the templates for the weblogin pages.

    Include the right compiler flags to find the extra Kerberos libraries
    we need when probing for S/Ident, if they're in a non-standard
    location that isn't the same as the S/Ident location.

    Support older 1.2.x Kerberos libraries in mod_webauthldap.

    Fix some portability issues with non-GNU make.

WebAuth 3.2.1 (2003-09-10)

    When AuthType is StanfordAuth, don't default to WebAuthDontCache.
    This appears to break IE 6.0 downloads.

    Add WebAuthPostReturnURL directive to allow an app to deal with
    handling a POST that didn't have authentication.

    When operating in legacy mode, only check LDAP for a group if it
    contains a colon.  Otherwise, defer to Apache's normal group handling.
    This fixes handling of user-defined groups in .htaccess files when
    backward compatibility is turned on.

    When a call to the LDAP server fails, try binding again and retrying
    the call before actually failing.  The connection may have timed out
    or something else may have temporarily gone wrong.  This will help
    with error messages about the LDAP server not being available.

    Fix the setting of the interactive flag on S/Ident queries in the
    WebKDC.

    Correct handling of successful S/Ident calls returning errors in
    mod_webkdc when debugging is turned off.

WebAuth 3.2.0 (2003-08-07)

    Add S/Ident support to weblogin and the WebKDC.

    Add a preliminary port to Windows.  See windows/BUILD.txt for more
    information.

    Fix a bug when handling sub-requests (like in mod_autoindex).  This
    could have caused authentication information to be incorrect in pages
    generated by fancy indexing.

    Add new WebKDC commands webkdcProxyToken and webkdcProxyTokenInfo.

    Add three new functions to libwebauth: webauth_krb5_init_via_cache
    and webauth_krb5_{mk,rd}_req_with_data.

    Remove the WebAuthProxyHeaders directive.  Add new documentation to
    mod_webauth.xml that recommends people use mod_headers instead.  See
    "Using WebAuth with Proxy Servers" in that document.

    Modify WebAuthDontCache so it also adds "Pragma: no-cache" and
    "Cache-Control: no-cache" headers in addition to the "Expires" header.

    Modify WebAuthDoLogout so that it enables WebAuthDontCache
    automatically.  (If the logout page was cached, second and subsequent
    visits wouldn't remove the login cookie correctly.)

    When returning redirects, make sure to set r->header_only so there
    is no extra content generated by Apache.  Also set the same Expires,
    Pragma, and Cache-Control headers that WebAuthDontCache sets.  This
    will hopefully work around the bugs that occur when caching redirects
    in some browsers.

    Increased robustness of the privgroup handling in mod_webauthldap when
    the LDAP query returns multiple entries.  Errors when looking for
    attributes in one entry no longer prevent checking for attributes in
    additional entries.

    The WebLogin test cookie is now a session cookie like the WebAuth
    cookie, so we test what we use, and so it works correctly with
    browsers that disable non-session cookies.

    Build portability fix for Tru64 and other platforms whose sed cannot
    handle multiline patterns.

    Remove extra logging from mod_webauth/webkdc.c, and moved other
    extraneous logging so it's only logged at a level of APLOG_DEBUG when
    WebAuthDebug is turned on.

WebAuth 3.1.2 (2003-05-29)

    Multiple bugs were fixed in mod_webauthldap, it now supports multiple
    virtualhosts, and it now has better memory utilization and thread
    safety improvements.

    Correctly construct the return URL for reverse proxies.

    Don't try to decode a zero length service token cache file.  Log a
    warning and return NULL as if there were no file.

    Ported to Solaris 7 with gcc 2.95.  Basic WebAuth (but not LDAP)
    ported to AIX 4.3.

    Modify wa_keyring to not use getopt (not available on windows), and
    change strftime format from %T to %H:%M:%S (%T also not available on
    windows strftime).

WebAuth 3.1.1 (2003-05-08)

    Fix HTML_TEMPLATE_ROOT in src/webkdc/logout.fcgi script by changing
    the path to relative instead of absolute.

WebAuth 3.1.0 (2003-05-01)

    Add a new Apache module, mod_webauthldap, for LDAP directory
    information lookups via Kerberos v5 GSS-API binds.  This module
    provides the same directory lookup capability as older versions of
    WebAuth, but does so against OpenLDAP servers, via Kerberos v5
    authentication, and with considerably more flexible support for what
    attributes to query. See the mod_webauthldap manual for more details.

    Add WebAuthSSLRedirect and WebAuthSSLRedirectPort directives so that
    users can be redirected from http to https when accessing a
    WebAuth-protected resource.

    Add a WebAuthAuthType directive to help people transition to
    mod_webauth from older versions.  This directive allows you to specify
    an additional AuthType name that will be treated the same as WebAuth.
    If this directive is set to StanfordAuth, it will also set two extra
    environment variables: SU_AUTH_USER and SU_AUTH_AGE (these were set by
    WebAuth 2.5).

    Add more backward compatibility support for WebAuth 2.5 by allowing
    the following directives to appear in .htaccess files:

    StanfordAuthConfirmMsg  -> ignored

    StanfordAuthDoConfirm   -> warns to error_log if set to on

    StanfordAuthDontCache   -> maps to WebAuthDontCache. If AuthType
                               is set to StanfordAuth, defaults to 1.

    StanfordAuthForceReload -> maps to WebAuthExtraRedirect

    StanfordAuthLife        -> maps to WebAuthAppTokenLifetime and enables
                               WebAuthForceLogin

    StanfordAuthReturnURL   -> maps to WebAuthReturnURL

    StanfordAuthGroups      -> unsupported, if specified access is denied

    Allow these directives to be present in .htaccess files (they were
    previously only allowed in <Directory>/<Location> directives):

        WebAuthExtraRedirect
        WebAuthReturnURL
        WebAuthLoginCanceledURL
        WebAuthVarPrefix

    This is in partial support of backward compatibility.

    Add WebAuthProxyHeaders directive to pass WebAuth information to a
    proxied server.  See the WebAuth module documentation for more
    information.

    Add WebAuthWebKdcSSLCertCheck directive to enable/disable checking of
    the WebKDC SSL certificate.  Defaults to "on" and should only be
    turned off for debugging/testing purposes.

    Add new WebAuthDontCache directive, which signals a browser not to
    cache those web pages.  Defaults to 0 (allow documents to be cached).

    Modify the WebAuthKeytab and WebKdcKeytab directives so you can
    optionally specify which principal to use with the specified keytab,
    instead of using the first principal found.  This is useful if the
    keytab contains multiple keys.

    Remove the service token cache on restarts, so that a restart will
    clear up any inconsistencies between the server and the WebKDC.

    Have the WebKDC re-read the token ACL file if its mtime changes.

    Clean up environment variable setting.  Set environment variables
    (r->subprocess_env) in check_user_id hook instead of waiting until
    fixups hook to make them more accessible to other hooks/modules.

    Add --with-apxs configure option to set the path to apxs independently
    from the path to the Apache installation.  This was needed in order to
    easily build WebAuth on Linux distributions that install Apache
    following the Linux Filesystem Standard.

    Fix several bugs in scrubbing WebAuth tokens from the URL.

    If we are proxying or the URI passed to the server in the HTTP request
    has a scheme, use it as the return URL instead of constructing one
    relative to the server.

    Restructure the mod_webauth code to define a pluggable credential
    interface, isolating all credential-related functions so that new
    credential types can easily be supported.

WebAuth 3.0.0 (2003-02-18)

    Initial public release of WebAuth v3.  This is a complete rewrite of
    the WebAuth system, sharing no common code with the previous release.
    It is now based on Apache 2.0, Kerberos v5, and a new infrastructure
    for managing authentication tokens.

    This is the initial release with basic authentication support and Perl
    bindings only.