[pubcookie-dev] CVS update: dors; webiso/pubcookie/doc install-login.html,1.37,1.38

dors at cac.washington.edu dors at cac.washington.edu
Tue Oct 18 10:39:09 PDT 2005


Update of /usr/local/cvsroot/webiso/pubcookie/doc
 In directory webiso-cvs.cac.washington.edu:/var/tmp/cvs-serv8845
 
 Modified Files:
 	install-login.html 
 Log Message:
 initial mods for 3.3.0 release
 
 - updated what's new 
 - updated upgrade & compatibility notes
 - added PUBCOOKIE_LOGIN_CONFIG_FILE
 - noted that host keys work with aes and des encryption
 - removed outdated UWash ok_browsers fiction
 - updated ldap verifier config
 - added revision history
 - some other minor edits
 
 



Index: webiso/pubcookie/doc/install-login.html
diff -c webiso/pubcookie/doc/install-login.html:1.37 webiso/pubcookie/doc/install-login.html:1.38
*** webiso/pubcookie/doc/install-login.html:1.37	Fri Jul  1 09:51:00 2005
--- webiso/pubcookie/doc/install-login.html	Tue Oct 18 10:39:06 2005
***************
*** 59,64 ****
--- 59,65 ----
    <li><a href="#apacheconfig">Appendix A: Apache Configuration</a></li>
    <li><a href="#security">Appendix B: Permissions &amp; Security</a></li>
    <li><a href="#openssl">Appendix C: OpenSSL Commands</a></li>
+   <li><a href="#history">Appendix D: Revision History</a></li>
  
    </td>
  </table>
***************
*** 75,132 ****
  deploying a Pubcookie application server which authenticates using your
  local login server.</p>
  
! <h4><a name="new"></a>What's New</h4>
  
  <p>Significant improvements and changes to the login server components included in 
! Pubcookie 3.2.1:</p>
  
  <ul>
! <li>Added kerserver support for subjectAltName wildcards.</li>
! <li>Fixed login cgi to put redirect messages into the normal audit logging stream.</li>
! <li>Added <a href="config.html#login_host_cookie_domain">login_host_cookie_domain</a> to make login cookie domain configurable.</li>
! <li>Added remote realm, if present, to authentication success message in flavor_basic logging.</li>
! <li>Fixed LDAP verifier to default to LDAPv3 for all LDAP SDKs and added
! "x-Version" parameter to the LDAP URL.</li>
! <li>Revised "fork" verifier to pass username and password via stdin to
! the forked executable. The config file variable has been changed from
! <tt>fork_exe</tt> to <tt>verify_exe</tt> to avoid accidentally 
! running the wrong executable.</li>
! </ul>
  
! <p>Significant improvements and changes to the login server components included in 
! Pubcookie 3.2.0:</p>
  
- <ul>
- <li>Added support for <a href="#loginmsgs">custom per-application login messages</a></li>
- <li>Added keyserver support to allow keyclient authentication by wildcard
-     certificates and Subject Alt Names</li>
- <li>Added keyserver support to allow keyclient certificates signed by
-     untrusted CAs to cache a public key on the keyserver and use it in
-     server authentication</li>
- <li>Added keyclient <tt>-U &lt;certfile&gt;</tt> option for admins to upload a 
-     public key certificate to the keyserver</li> 
- <li>Added version string to login server template as HTML comment</li>
- <li>Improved POST-based messaging between application servers and login server</li>
- <li>Deprecated the use of third-party relay cgi</li>
  </ul>
  
  <p>See <tt>doc/CHANGES.txt</tt> for bug fixes and other improvements.</p>
  
  <h4><a name="upgrading">Upgrading &amp; Compatibility</a></h4>
  
! <p>Sites upgrading from previous versions of the login server can build and
! install the new version while safely maintaining their existing configuration
! file (<tt>PREFIX/config</tt>) and login templates. Running <tt>make
! install</tt> will not overwrite these files. Note, however, that it will
! install new keyserver, keyclient, and login cgi binaries into
! <tt>PREFIX/keyserver</tt>, <tt>PREFIX/keyclient</tt>, and
! <tt>PREFIX/login/index.cgi</tt>, respectively. A new sample configuration file
! (<tt>PREFIX/config.login.sample</tt>) is installed and can be compared with
! your current configuration file.</p>
! 
! <p>Sites upgrading to version 3.2 will need to update the following templates
! from <tt>PREFIX/login_templates.default</tt>. They contain new variable
! substitutions used by the new login cgi.</p>
  
  <ul>
  <li><tt>login</tt> (adds new <tt>%reason%</tt> and <tt>%version%</tt> variables)
--- 76,153 ----
  deploying a Pubcookie application server which authenticates using your
  local login server.</p>
  
! <h4><a name="new">What's New</a></h4>
  
  <p>Significant improvements and changes to the login server components included in 
! Pubcookie 3.3.0:</p>
  
  <ul>
! <li>Added AES encryption support. The module and filter ask for AES or DES
!     in the authentication request. The login cgi encrypts messages accordingly. 
!     AES encryption is the default. See ... section.</li>
  
! <li>Changed login cgi to use AES encryption on its private login cookies.</li>
! 
! <li>New <tt>PUBCOOKIE_LOGIN_CONFIG_FILE</tt> environment variable can be used
! to define an alternate config file for the login cgi.</li>
! 
! <li>Added support for the Apache module's wildcard subdomain key encryption mode 
! for large multi-user web-hosting environments.</li>
! 
! <li>Added <a href="config.html#kerberos5_extralife"><tt>kerberos5_extralife</tt></a> 
! config file variable to extend the lifetime of delegated tickets past the SSO
! lifetime.</li>
! 
! <li>Modified minimum <tt>LDAP_VENDOR_VERSION</tt> in configure script for 
! better compatibility with Sun LDAP SDK.</li>
! 
! <li>Other minor login cgi fixes to error handling and cookie clearing.</li>
  
  </ul>
  
+ 
  <p>See <tt>doc/CHANGES.txt</tt> for bug fixes and other improvements.</p>
  
  <h4><a name="upgrading">Upgrading &amp; Compatibility</a></h4>
  
! <p>In general, the login server components can be built and installed on a 
! live system (if you do that sort of thing) while safely maintaining your existing 
! configuration file (<tt>PREFIX/config</tt>) and login templates. Running <tt>make
! install</tt> will not overwrite these files, but it will install new keyserver, 
! keyclient, and login cgi binaries into <tt>PREFIX/keyserver</tt>, 
! <tt>PREFIX/keyclient</tt>, and <tt>PREFIX/login/index.cgi</tt>, respectively. 
! A new sample configuration file is installed into 
! <tt>PREFIX/config.login.sample</tt>, and an updated set of generic login templates
! is installed into <tt>PREFIX/login_templates.default</tt>. Sites should compare 
! their current config file and current templates against the new ones and resolve
! significant differences before copying the new login cgi in production.</p>
! 
! <p>Here are some additional compatibility notes for upgrading between specific 
! versions:</p>
! 
! <dl>
! 
! <dt>Upgrading from version 3.2 to 3.3:</dt>
! 
! <dd>Sites upgrading from 3.2 to 3.3 should be aware that in version 3.3 the
! login cgi uses AES encryption on all login cookies. Earlier versions use DES
! encryption. As a result, login cookies obtained by users prior to upgrading 
! the login cgi will be invalid after the upgrade. This means some users will 
! have to reauthenticate where they might not have had to before. Others might 
! notice that the login page no longer remembers (i.e. pre-fills) their username.
! 
! <p>There are no template changes between version 3.2 and version 3.3.
! 
! <dt>Upgrading from version 3.0/3.1 to 3.3:</dt>
! 
! <dd>Sites upgrading from 3.0/3.1 to version to 3.3 should be aware of the 
! switch to AES encryption noted in the section above.
! 
! <p>Sites upgrading from 3.0/3.1 to version 3.3 will also need to update 
! several templates from <tt>PREFIX/login_templates.default</tt>.
! The following templates include new variable substitutions (introduced in
! version 3.2) that you should identify and compare relative to your current
! templates:</p>
  
  <ul>
  <li><tt>login</tt> (adds new <tt>%reason%</tt> and <tt>%version%</tt> variables)
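Review bot: the new AES bullet ends in a placeholder, `See ... section.`, that will ship verbatim; point it at the host-key paragraph this same patch adds after the key listing (the one beginning "Each host key can be used for DES encryption or AES encryption") or drop the sentence. Two smaller things in the hunk: "Sites upgrading from 3.0/3.1 to version to 3.3" has a stray "to", and the `<dd>` for the 3.2-to-3.3 note is never closed before the next `<dt>`, and the `<p>There are no template changes ...` paragraph inside it has no `</p>`, so the `<dl>` is malformed. On substance, the compatibility note says pre-upgrade login cookies become invalid, but it does not say what a 3.3 login cgi does with an authentication request from a pre-3.3 module that names no algorithm; if the answer is DES, say so here, because that is what decides whether application servers may be upgraded after the login server. By the same reasoning a sentence is owed to sites running the redundant login server configuration described later in this document: a 3.2 member and a 3.3 member will not honour each other's login cookies, so all members should be upgraded in one window.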
***************
*** 135,159 ****
  <li><tt>pinit_response2</tt> (adds new  <tt>%version%</tt> variable)
  </ul>
  
! <p>Use <tt>diff</tt> to locate these differences relative to your current
! templates.  This shouldn't be much work. There are only a few lines that have
! changed.</p>
! 
! <p>Version 3.2 also adds several new templates (<tt>notok</tt>,
! <tt>notok_badagent</tt>, <tt>notok_form_multipart</tt>, <tt>notok_generic</tt>,
! and <tt>notok_need_ssl</tt>); and two templates have been removed
! (<tt>notok_part1</tt>, <tt>notok_part2</tt>). You will want to make sure you've
! updated your template directory accordingly.</p>
! 
! <p><b>Compatibility note on third-party relays:</b> 
! The 3.2 login cgi deprecates the use of relays hosted on third-party servers.
! New POST-based messaging support allows use across DNS domains without the use 
! of a separate relay cgi. To continue to support third-party cgi-based 
! relays, <strong>YOU MUST USE</strong> the <tt>--enable-unsafe-relay</tt> 
! configure option while building the login cgi. The other option is to
! upgrade application servers using third-party relays to use the version 3.2
! modules. Once they're all using the new POST-based login method, there's no 
! need to support third-party relays in your login cgi.</p>
  
  <h4><a name="components">System Components</a></h4>
  
--- 156,192 ----
  <li><tt>pinit_response2</tt> (adds new  <tt>%version%</tt> variable)
  </ul>
  
! <p>The following templates are new (also as of version 3.2) and should be 
! reviewed and added to your production templates:</p>
! 
! <ul>
! <li><tt>notok</tt>, 
! <tt>notok_badagent</tt>,
! <tt>notok_form_multipart</tt>,
! <tt>notok_generic</tt>,
! <tt>notok_need_ssl</tt>
! </ul>
! 
! <p>The following templates have been removed (again, with version 3.2) and
! safely can be removed from your production templates:</p>
! 
! <ul>
! <li><tt>notok_part1</tt>, <tt>notok_part2</tt>
! </ul>
! 
! <dt>Compatibility note on version 3.1 relays:</dt> 
! 
! <dd>The need for the cgi-based relays introduced in version 3.1 to authenticate
! across DNS domains was redressed by the POST-based messaging method introduced 
! in version 3.2 and, thenceforth, <b>use of third-party 3.1 relays has been
! deprecated</b>. To continue to support third-party relays at all, you must
! use the <tt>--enable-unsafe-relay</tt> configure option while building the 
! login cgi. Preferably, upgrade all your application servers using third-party 
! relays to version 3.2 or higher, and configure them to use the POST-based
! messaging method. Then there will be no need to support third-party relays
! in your login cgi.
! 
! </dl>
  
  <h4><a name="components">System Components</a></h4>
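Review bot: the relay note tells admins they must build with `--enable-unsafe-relay` to keep third-party relays, but neither the old nor the new text says what risk that option accepts; one sentence on why a relay hosted on a server outside the site's control is flagged unsafe would let readers weigh it instead of following the flag name. Also, the `<dd>` opened at "The need for the cgi-based relays" is still open when `</dl>` arrives, and "was redressed by ... and, thenceforth," reads oddly; "was replaced by the POST-based messaging method introduced in version 3.2, and third-party 3.1 relays are deprecated" says the same thing plainly.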
  
***************
*** 244,250 ****
  of the method, or methods, used by the login server to authenticate user 
  credentials.</p>
  
! <p>For example, a site might migrate from LDAP-based to Kerberos 
  authentication. It's attractive to hide the transition from applications. 
  Here applications would continue to use their institutional "netid" 
  authentication type, corresponding with their site's basic login flavor, 
--- 277,283 ----
  of the method, or methods, used by the login server to authenticate user 
  credentials.</p>
  
! <p>For example, a site might migrate from LDAP-based authentication to Kerberos 
  authentication. It's attractive to hide the transition from applications. 
  Here applications would continue to use their institutional "netid" 
  authentication type, corresponding with their site's basic login flavor, 
***************
*** 361,370 ****
  
  <h4><a name="config">Run-Time Config File Setup</a></h4>
  
! <p>The login cgi and keyserver share a run-time configuration file
! located at <tt>PREFIX/config</tt>. The file format is one 
! attribute-value-pair per line, except where a trailing backslash 
! <tt>\</tt> character continues a value to the next line.</p>
  
  <p>A sample config file appropriate for a login server is provided (see
  <tt>PREFIX/config</tt> or <tt>PREFIX/config.login.sample</tt> if you're
--- 394,412 ----
  
  <h4><a name="config">Run-Time Config File Setup</a></h4>
  
! <p>The login cgi and keyserver read configuration settings from a 
! run-time configuration file. The default location, <tt>PREFIX/config</tt>,
! is compiled in by default.</p>
! 
! <p>The login cgi will use an alternate config file if a <tt>PUBCOOKIE_LOGIN_CONFIG_FILE</tt>
! environment variable defines one. This is useful when more than one logical login server
! is running on the same machine (using virutal hosts in Apache).
! 
! <p>The keyserver will use an alternate config file if the <tt>-f &lt;filename&gt;</tt> 
! command-line option defines one.</p>
! 
! <p>The config file format is one variable name-value pair per line, except where 
! a trailing backslash <tt>\</tt> character continues a value to the next line.</p>
  
  <p>A sample config file appropriate for a login server is provided (see
  <tt>PREFIX/config</tt> or <tt>PREFIX/config.login.sample</tt> if you're
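Review bot: `PUBCOOKIE_LOGIN_CONFIG_FILE` selects which config file the login cgi trusts, so this paragraph should say where the variable is expected to be set (the Apache virtual host configuration, e.g. a `SetEnv` directive) and that an alternate file needs the same ownership and permissions as `PREFIX/config` in Appendix B, since it carries the same secrets. Typo: "virutal". "The default location ... is compiled in by default" repeats itself, and the `<p>` beginning "The login cgi will use an alternate config file" has no `</p>`.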
***************
*** 492,497 ****
--- 534,544 ----
  -rw-r--r--  root  root   1224 pubcookie_granting.cert
  </pre>
  
+ <p>Each host key can be used for DES encryption or AES encryption. The login
+ cgi (as of version 3.3) uses AES encryption for login cookies. It uses either
+ AES or DES for granting cookies, depending on the algorithm specified by the
+ application server in its authentication request.</p>
+ 
  <p><b>New key generation:</b><br />
  New host keys are generated and issued by the keyserver upon request. Running 
  keyclient on a host initiates the request. If the keyclient host is 
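Review bot: this is the paragraph the What's New placeholder ("See ... section.") should link to, so give it an anchor. It should also state outright what the commit log says: host keys issued before 3.3 work for both algorithms and do not need to be reissued. An admin reading only "can be used for DES encryption or AES encryption" will otherwise wonder whether to rerun keyclient on every host before upgrading the login cgi.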
***************
*** 683,695 ****
  cookies when they should) or don't work with Pubcookie. The ok_browsers
  file is optional.</p>
  
- <p>Note: At the University of Washington, we've so far been too chicken
- to use the 'ok_browsers' functionality to block browsers that we
- suspect don't work. Our ok_browsers file has a single line: 
- <tt>Mozilla</tt>. This pattern matches most of the browsers we support
- or encounter; which is mainly Internet Explorer, Netscape, Mozilla, and
- Safari.</p>
- 
  <h4><a name="logout">Logout Configuration</a></h4>
  
  <p>The login cgi handles logout requests initiated by, and redirected
--- 730,735 ----
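Review bot: with the UW paragraph removed, the section no longer shows what an `ok_browsers` entry looks like; keep a neutral one-line example of the pattern format (the old text's single `Mozilla` line, without the institutional commentary) so the file format stays documented.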
***************
*** 888,900 ****
  
  <pre>./configure --enable-login --disable-apache --enable-ldap</pre>
  
! <p>If needed, the configure script has other options for adjusting the
! location of the LDAP header files and libraries.</p>
  
- <p>To configure the login cgi to use the LDAP verifier, edit your
- config file and set <tt>basic_verifier</tt> to <tt>ldap</tt> and
- set <a href="config.html#ldap_uri"><tt>ldap_uri</tt></a> to your 
- LDAP URI.</p>
  
  <h4><a name="clusters">Redundant Login Server Configuration</a></h4>
  
--- 928,951 ----
  
  <pre>./configure --enable-login --disable-apache --enable-ldap</pre>
  
! <p>Note: Other configure options can help you specify the location of
! your LDAP header files and libraries. See <tt>./configure
! --help</tt>.</p>
! 
! <p>To configure the login cgi to use the LDAP verifier, set <a
! href="config.html#basic_verifier"><tt>basic_verifier</tt></a> to
! <tt>ldap</tt> in your config file.</p>
! 
! <p>To configure the LDAP verifier itself, add an <a
! href="config.html#ldap_uri"><tt>ldap_uri</tt></a> to your config file.
! This variable defines how the verifier connects to your LDAP
! directory.</p>
! 
! <pre># ldap verifier config
! <a href="config.html#basic_verifier">basic_verifier</a>: ldap
! <a href="config.html#ldap_uri">ldap_uri</a>: ldaps://host/o=searchbase???<i>(uid=%s)</i>?x-BindDN=<i>Bind%20DN</i>,x-Password=<i>Password</i>
! </pre>
  
  
  <h4><a name="clusters">Redundant Login Server Configuration</a></h4>
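Review bot: the sample `ldap_uri` puts the bind account's password into the config file in clear (`x-Password=...`), so the prose should say that and point to the Appendix B permissions for `PREFIX/config`, recommend a read-only bind account that can do nothing beyond the user search, and say that the DN and password must be URL-encoded, which the `Bind%20DN` placeholder shows but the text does not. Two more gaps: the 3.2.1 history moved into Appendix D by this same patch says the verifier accepts an `x-Version` parameter in the URL, yet the example omits it; and the text should say whether the verifier escapes LDAP filter metacharacters in the submitted username before substituting it for `%s` in `(uid=%s)`, since an operator has to know that before relying on the filter as written.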
  
***************
*** 1034,1046 ****
  <p>The man pages for <tt>x509</tt>, <tt>rsa</tt>, and <tt>req</tt>
  have many other useful OpenSSL command examples.</p>
  
  <hr>
  <p>
  Copyright 1999-2005, University of Washington.  All rights reserved.<br />
  See doc/LICENSE.txt for terms of use.
  </p>
  <pre>
! $Id: install-login.html,v 1.37 2005/07/01 16:51:00 dors Exp $
  </pre>
  </body>
  
--- 1085,1132 ----
  <p>The man pages for <tt>x509</tt>, <tt>rsa</tt>, and <tt>req</tt>
  have many other useful OpenSSL command examples.</p>
  
+ <h4><a name="history">Appendix D: Version History</a></h4>
+ 
+ <p>Significant improvements and changes to the login server components included in 
+ Pubcookie 3.2.1:</p>
+ 
+ <ul>
+ <li>Added kerserver support for subjectAltName wildcards.</li>
+ <li>Fixed login cgi to put redirect messages into the normal audit logging stream.</li>
+ <li>Added <a href="config.html#login_host_cookie_domain">login_host_cookie_domain</a> to make login cookie domain configurable.</li>
+ <li>Added remote realm, if present, to authentication success message in flavor_basic logging.</li>
+ <li>Fixed LDAP verifier to default to LDAPv3 for all LDAP SDKs and added
+ "x-Version" parameter to the LDAP URL.</li>
+ <li>Revised "fork" verifier to pass username and password via stdin to
+ the forked executable. The config file variable has been changed from
+ <tt>fork_exe</tt> to <tt>verify_exe</tt> to avoid accidentally 
+ running the wrong executable.</li>
+ </ul>
+ 
+ <p>Significant improvements and changes to the login server components included in 
+ Pubcookie 3.2.0:</p>
+ 
+ <ul>
+ <li>Added support for <a href="#loginmsgs">custom per-application login messages</a></li>
+ <li>Added keyserver support to allow keyclient authentication by wildcard
+     certificates and Subject Alt Names</li>
+ <li>Added keyserver support to allow keyclient certificates signed by
+     untrusted CAs to cache a public key on the keyserver and use it in
+     server authentication</li>
+ <li>Added keyclient <tt>-U &lt;certfile&gt;</tt> option for admins to upload a 
+     public key certificate to the keyserver</li> 
+ <li>Added version string to login server template as HTML comment</li>
+ <li>Improved POST-based messaging between application servers and login server</li>
+ <li>Deprecated the use of third-party relay cgi</li>
+ </ul>
+ 
  <hr>
  <p>
  Copyright 1999-2005, University of Washington.  All rights reserved.<br />
  See doc/LICENSE.txt for terms of use.
  </p>
  <pre>
! $Id: install-login.html,v 1.38 2005/10/18 17:39:06 dors Exp $
  </pre>
  </body>
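Review bot: the table of contents entry added at the top of this patch reads "Appendix D: Revision History" while the heading here reads "Appendix D: Version History"; pick one. The 3.2.1 list moved into this appendix still carries "kerserver" for "keyserver".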
  


