[Webmin-maintainers] Bug#298483: webmin: Instructions for completing initial setup inadequate

Matthew Exon <56468084@exon.dyndns.org>, 298483@bugs.debian.org
Mon, 07 Mar 2005 21:17:32 +0100


Package: webmin
Version: 1.180-1
Severity: important


There aren't sufficient instructions in the README.Debian file explaining
how to change the root password.  It says the following:

"Be sure to set the access controls as soon as possible.  By default an account
called root is setup with your real root password.  It is a very good idea to
change this username/password to something completely different so on the
remote chance someone is able to crack webmin, they will not have root access
to your server.

See update-webmin(8) for additional information."

The manual page for update-webmin has almost nothing in it, and definitely
nothing that explains anything about how to set a password.

I next tried looking at the webmin interface itself:

                  Webmin 1.180 on charly.exon.dyndns.org (Debian GNU/Linux 3.0)

   Webmin 1.180 on charly.exon.dyndns.org (Debian GNU/Linux 3.0) Debian
   GNU/Linux

       Version 1.180 on charly.exon.dyndns.org (Debian GNU/Linux 3.0)
     _________________________________________________________________

    Webmin   System   Networking   Hardware   Others

   Change Language and Theme
   Usermin Configuration
   Webmin Actions Log
   Webmin Configuration
   Webmin Servers Index
   Webmin Users
     _________________________________________________________________

   Logout

Hmm, no option to change a password there.  Let's try "Webmin Configuration":

                                                 Webmin Configuration (p1 of 2)

   Webmin Index
   Module Config
   W e b m i n   C o n f i g u r a t i o n
   Webmin version 1.180
     _________________________________________________________________

   IP Access Control
   Ports and Addresses
   Logging
   Proxy Servers
   User Interface
   Webmin Modules
   Operating System and Environment
   Language
   Index Page Options
   Upgrade Webmin
   Authentication
   Reassign Modules
   Edit Categories
   Webmin Themes
   Trusted Referrers
   Anonymous Module Access
   File Locking
   SSL Encryption
   Certificate Authority
     _________________________________________________________________

   Start at boot time (*) Yes ( ) No Change this option to control
   whether Webmin is started at boot time or not. If it is not currently
   started at boot and Yes is chosen, a new init script will be created.
   Restart Webmin Click this button to re-start the Webmin server
   process. This may be necessary if you have recently upgraded Perl.
     _________________________________________________________________

Wow, still nothing about passwords.  Let's try "Authentication":

                                                       Authentication (p1 of 3)

   Webmin Index
   Module Index
   A u t h e n t i c a t i o n
     _________________________________________________________________

   When enabled, password timeouts protect your Webmin server from
   brute-force password cracking attacks by adding a continuously
   expanding delay between each failed login attempt for the same user.

   When session authentication is enabled, each logged in users' session
   will be tracked by Webmin, making it possible for idle users to be
   automatically logged out. Be aware that enabling or disabling session
   authentication may force all users to re-login.

   Authentication and session options
   ( ) Disable password timeouts
   (*) Enable password timeouts
       [X] Block hosts with more than 3___ failed logins for 300_
   seconds.
   [X] Log blocked hosts, logins and authentication failures to syslog

   ( ) Disable session authentication
   (*) Enable session authentication
       [X] Auto-logout after 5_________ minutes of inactivity
       [X] Offer to remember login permanently?
       [X] Show hostname on login screen?
         [ ] Show real hostname instead of name from URL?
       (*) No pre-login page ( ) Show pre-login file
   ______________________________ [BUTTON]

   (*) Always require username and password
   ( ) Allow login without password for matching users from localhost

   (*) Use PAM for Unix authentication, if available
   ( ) Never use PAM for Unix authentication
      If PAM is unavailable or disabled, read users and passwords from
   file ____________________ columns __ and __

   When using Unix authentication ..
   (*) Always deny users with expired passwords
   ( ) Always allow users with expired passwords
   ( ) Prompt users with expired passwords to enter a new one

   External squid-style authentication program
   ________________________________________

   (*) Use standard Unix crypt encryption for Webmin passwords
   ( ) Use MD5 encryption for Webmin passwords (allows long passwords)

   Save
     _________________________________________________________________

Lots of stuff about passwords, but no way to *change* them.  As you
say in the README.Debian, it really is crucial that users set this stuff
up properly.  If they're clueless, they really can't be left to flounder
around for themselves, because they'll just get it wrong and leave their
machine open to be 0W|\|3D by any twat who can use Google.  And then we
all get the spam relayed through their machine.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i586)
Kernel: Linux 2.6.8-2-386
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages webmin depends on:
ii  debconf                       1.4.30.11  Debian configuration management sy
ii  libauthen-pam-perl            0.14-1     This module provides a Perl interf
ii  libnet-ssleay-perl            1.25-1.1   Perl module for Secure Sockets Lay
ii  libpam-runtime                0.76-22    Runtime support for the PAM librar
ii  openssl                       0.9.7e-2   Secure Socket Layer (SSL) binary a
ii  perl                          5.8.4-6    Larry Wall's Practical Extraction 

-- debconf information:
* webmin/passwordexplanation:
* webmin/hostname: webmin
  webmin/upgradewarning: