|
(Notice: From release 7.2 on Webmin uses HTTPS by default.)
HTTPS stands for HTTP via SSL, the Secure Socket Layer.
The Hyper Text Transfer Protocol is an inherently insecure protocol as all
information is sent in clear text between unauthenticated peers over an insecure
network. It belongs to the group of 'old' protocols like telnet and ftp which
are bound to be replaced - or at least enhanced - by transfer protocols which
allow authentication and encryption.
HTTPS allows client and server-side authentication via
certificates, which have been in turn signed by a Certification Agency. The
client's web-browser must support SSL, almost all (Mozilla, MSIE, Konqueror,
Opera, Lynx, w3m) do. The server must listen on a port other than 80, usually
this is port 443.
Upon connecting to the secure part of a website, signified by 'https://'
(thus indicating port 443 instead of port 80), the server and the client
negotiate the SSL protocol version to use and a unique session-ID is established.
If the certificate presented by the server is unknown to the client, the
client is free to accept or reject the certificate. In turn the server can
also demand a certificate from the client. Server and client now share a
common key which allows them to encrypt and decrypt messages they send to
each other. For a far more detailed and accurate introduction, read the excellent
mod_ssl user manual.
The Webmin system configuration utility allows you to
configure your linux system(s) via a browser. This makes remote administration
very easy and comfortable. However, since the web-server running Webmin must
be run 'setuid root', an improperly configured Webmin can pose a huge security
threat to the system running it. One method of securing Webmin is
to use HTTPS, another tunneling via SSH,
still another will be introduced at the end of this article.
 section index  top
The most straightforward method of installing webmin
is to use the Software Manager and select the webmin package from the list
of "Installable" packages and press the "Add/Remove" button. If you prefer
the commandline, you can run
urpmi webmin
and it will prompt you for CD 2 and install it. If there are any other
packages that it requires, it will prompt you if it's ok to install those
as well. You should answer "Y" for yes. Commonly it will want to install
the 'perl-Net_SSLeay' and 'perl-Authen-PAM' packages, both standard rpms
provided by Mandrake versions 8.0 and higher. With modern (8.x) versions
of Mandrake, your webmin installation is now complete.
You can run Webmin either via the supplied minimal web-server
called 'miniserv' or via 'Apache'. Since the server running Webmin must have
root privileges and some Webmin modules do not work with Apache at all, using
'miniserv' might be the preferable option. In both cases you will need to
haveOpenSSL installed
on your system. You may install it with Software Manager or by running
urpmi openssl
from the commandline. Since it's listed as a required
package for webmin, the installation of the webmin package will have already
installed the openssl package for you.
For SSL to work with the Webmin-supplied 'miniserv',
you have to install the 'Net_SSLeay.pm-1.05' perl module from CPAN. Mandrake
provides this rpm for you and it too was automatically installed in the webmin
installation above.
Start the Webmin service with
service webmin start
and point your browser at 'https://127.0.0.1:10000'.
You should now be presented with the Webmin SSL certificate.
If you want to use Apache anyway, you have to install
the mod_ssl package. You may install with Software Manager or by running
'urpmi mod_ssl' from the commandline. Having done this, test the installation
with:
openssl s_client -connect localhost:443 -state
-debug
You will get lots of output which should conclude with
these lines:
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 4F33B6210[...] Session-ID-ctx:
Master-Key: 789949D2C[...]
Key-Arg : None
Start Time: 969269809
Timeout : 300 (sec)
Verify return code: 0 (ok)
You can now use HTTPS on Apache by connecting your browser
to https://127.0.0.1
In order to use Apache with Webmin, you have to apply
some changes to '/etc/httpd/conf/httpd.conf':
- Change
User and Group directives
toroot.
- Set
DocumentRoot to '/usr/share/webmin'.
Further add these directives:
SetEnv WEBMIN_CONFIG /etc/webminSetEnv WEBMIN_VAR /var/webminSetEnv MINISERV_C0NFIG /etc/webmin/miniserv.confAuthType basic, AuthUserFile /etc/webmin/miniserv.usersrequire valid-user.
Now you should be able to connect to https://127.0.0.1
and be presented with the Webmin certificate.
section index top
A remotely accessible 'setuid root' application is one
of the biggest possible security threats imaginable. Securing Webmin by using
HTTPS or tunneling alone will not do.
Use Webmin's 'IP Access Control' ('Webmin Configuration')
and 'Port And Address' to limit the number of clients which are granted access
and the number of addresses Webmin listens on. Use 'Webmin Modules' to delete
modules you don't need or which you don't want anyone to access via Webmin.
Note that simply changing from the Webmin interface
to another page willnot log you out! As long as the browser
window is open everyone is able to access Webmin without providing a password
by simply using the 'Back' button of the browser.
If you are on a dialup-connection, stop the Webmin service
every time you connect to the net and restart it when you disconnect. A single
line likeservice webmin stop in '/etc/ppp/ip-up.local' and service
webmin start in '/etc/ppp/ip-down.local' will do that for you.
Convenience is fine as long as it's for the right people
;-).
section index top
|
