[Webmin-maintainers] Bug#298483: marked as done (webmin: Instructions for completing initial setup inadequate)
Debian Bug Tracking System
owner@bugs.debian.org
Mon, 28 Mar 2005 22:03:09 -0800
Your message dated Tue, 29 Mar 2005 00:47:04 -0500
with message-id <E1DG9ZA-00082y-00@newraff.debian.org>
and subject line Bug#298483: fixed in webmin 1.180-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Matthew Exon <56468084@exon.dyndns.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: webmin: Instructions for completing initial setup inadequate
X-Mailer: reportbug 3.8
Date: Mon, 07 Mar 2005 21:17:32 +0100
Message-Id: <E1D8OfU-0007Ok-Ir@charly.exon.dyndns.org>
Package: webmin
Version: 1.180-1
Severity: important
There aren't sufficient instructions in the README.Debian file explaining
how to change the root password. It says the following:
"Be sure to set the access controls as soon as possible. By default an account
called root is setup with your real root password. It is a very good idea to
change this username/password to something completely different so on the
remote chance someone is able to crack webmin, they will not have root access
to your server.
See update-webmin(8) for additional information."
The manual page for update-webmin has almost nothing in it, and definitely
nothing that explains anything about how to set a password.
I next tried looking at the webmin interface itself:
Webmin 1.180 on charly.exon.dyndns.org (Debian GNU/Linux 3.0)
Webmin 1.180 on charly.exon.dyndns.org (Debian GNU/Linux 3.0) Debian
GNU/Linux
Version 1.180 on charly.exon.dyndns.org (Debian GNU/Linux 3.0)
_________________________________________________________________
Webmin System Networking Hardware Others
Change Language and Theme
Usermin Configuration
Webmin Actions Log
Webmin Configuration
Webmin Servers Index
Webmin Users
_________________________________________________________________
Logout
Hmm, no option to change a password there. Let's try "Webmin Configuration":
Webmin Configuration (p1 of 2)
Webmin Index
Module Config
W e b m i n C o n f i g u r a t i o n
Webmin version 1.180
_________________________________________________________________
IP Access Control
Ports and Addresses
Logging
Proxy Servers
User Interface
Webmin Modules
Operating System and Environment
Language
Index Page Options
Upgrade Webmin
Authentication
Reassign Modules
Edit Categories
Webmin Themes
Trusted Referrers
Anonymous Module Access
File Locking
SSL Encryption
Certificate Authority
_________________________________________________________________
Start at boot time (*) Yes ( ) No Change this option to control
whether Webmin is started at boot time or not. If it is not currently
started at boot and Yes is chosen, a new init script will be created.
Restart Webmin Click this button to re-start the Webmin server
process. This may be necessary if you have recently upgraded Perl.
_________________________________________________________________
Wow, still nothing about passwords. Let's try "Authentication":
Authentication (p1 of 3)
Webmin Index
Module Index
A u t h e n t i c a t i o n
_________________________________________________________________
When enabled, password timeouts protect your Webmin server from
brute-force password cracking attacks by adding a continuously
expanding delay between each failed login attempt for the same user.
When session authentication is enabled, each logged in users' session
will be tracked by Webmin, making it possible for idle users to be
automatically logged out. Be aware that enabling or disabling session
authentication may force all users to re-login.
Authentication and session options
( ) Disable password timeouts
(*) Enable password timeouts
[X] Block hosts with more than 3___ failed logins for 300_
seconds.
[X] Log blocked hosts, logins and authentication failures to syslog
( ) Disable session authentication
(*) Enable session authentication
[X] Auto-logout after 5_________ minutes of inactivity
[X] Offer to remember login permanently?
[X] Show hostname on login screen?
[ ] Show real hostname instead of name from URL?
(*) No pre-login page ( ) Show pre-login file
______________________________ [BUTTON]
(*) Always require username and password
( ) Allow login without password for matching users from localhost
(*) Use PAM for Unix authentication, if available
( ) Never use PAM for Unix authentication
If PAM is unavailable or disabled, read users and passwords from
file ____________________ columns __ and __
When using Unix authentication ..
(*) Always deny users with expired passwords
( ) Always allow users with expired passwords
( ) Prompt users with expired passwords to enter a new one
External squid-style authentication program
________________________________________
(*) Use standard Unix crypt encryption for Webmin passwords
( ) Use MD5 encryption for Webmin passwords (allows long passwords)
Save
_________________________________________________________________
Lots of stuff about passwords, but no way to *change* them. As you
say in the README.Debian, it really is crucial that users set this stuff
up properly. If they're clueless, they really can't be left to flounder
around for themselves, because they'll just get it wrong and leave their
machine open to be 0W|\|3D by any twat who can use Google. And then we
all get the spam relayed through their machine.
-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i586)
Kernel: Linux 2.6.8-2-386
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Versions of packages webmin depends on:
ii debconf 1.4.30.11 Debian configuration management sy
ii libauthen-pam-perl 0.14-1 This module provides a Perl interf
ii libnet-ssleay-perl 1.25-1.1 Perl module for Secure Sockets Lay
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii openssl 0.9.7e-2 Secure Socket Layer (SSL) binary a
ii perl 5.8.4-6 Larry Wall's Practical Extraction
-- debconf information:
* webmin/passwordexplanation:
* webmin/hostname: webmin
webmin/upgradewarning:
---------------------------------------
From: jaldhar@debian.org (Jaldhar H. Vyas)
To: 298483-close@bugs.debian.org
X-Katie: $Revision: 1.55 $
Subject: Bug#298483: fixed in webmin 1.180-2
Message-Id: <E1DG9ZA-00082y-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Tue, 29 Mar 2005 00:47:04 -0500
Source: webmin
Source-Version: 1.180-2
We believe that the bug you reported is fixed in the latest version of
webmin, which is due to be installed in the Debian FTP archive:
webmin-core_1.180-2_all.deb
to pool/main/w/webmin/webmin-core_1.180-2_all.deb
webmin_1.180-2.diff.gz
to pool/main/w/webmin/webmin_1.180-2.diff.gz
webmin_1.180-2.dsc
to pool/main/w/webmin/webmin_1.180-2.dsc
webmin_1.180-2_all.deb
to pool/main/w/webmin/webmin_1.180-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 298483@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jaldhar H. Vyas <jaldhar@debian.org> (supplier of updated webmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 29 Mar 2005 00:00:36 -0500
Source: webmin
Binary: webmin-core webmin
Architecture: source all
Version: 1.180-2
Distribution: unstable
Urgency: high
Maintainer: Debian Webmin maintainers <webmin-maintainers@lists.alioth.debian.org>
Changed-By: Jaldhar H. Vyas <jaldhar@debian.org>
Description:
webmin - web-based administration toolkit
webmin-core - core modules for webmin
Closes: 296534 298483
Changes:
webmin (1.180-2) unstable; urgency=high
.
* webmin: Show 3.1 as OS version. (Closes: #296534) In the process,
also make the OS name "Debian GNU/Linux" not just Debian.
* webmin: Improve instructions in README.Debian for changing default
account and password. (Closes: #298483)
* Fixes RC bug, hence urgency high.
Files:
2ebfc44a6cd4365ed6ef3e36dd849368 691 admin optional webmin_1.180-2.dsc
16d802799f4b5fc7d2d62230b309387f 29534 admin optional webmin_1.180-2.diff.gz
3b1832a724a7c0f702a62cfa0b96fd77 1097082 admin optional webmin_1.180-2_all.deb
74eddd7ff97dce66de9be8a8e4c7a31c 1120912 admin optional webmin-core_1.180-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCSOU42kYOR+5txmoRAjyHAJ9ghZECKjBcSw70TleRuvpfR1VCRQCeMQOK
kg3V32nj5G/PdMR+N+PByt8=
=oIon
-----END PGP SIGNATURE-----