HTTPS and Webmin

Summary:

• What Is It
• Installation And Testing
• Securing Webmin

(Notice: From release 7.2 on Webmin uses HTTPS by default.)

What Is It

HTTPS stands for HTTP via SSL, the Secure Socket Layer.
The Hyper Text Transfer Protocol is an inherently insecure protocol as all information is sent in clear text between unauthenticated peers over an insecure network. It belongs to the group of 'old' protocols like telnet and ftp which are bound to be replaced - or at least enhanced - by transfer protocols which allow authentication and encryption.

HTTPS allows client and server-side authentication via certificates, which have been in turn signed by a Certification Agency. The client's web-browser must support SSL, almost all (Mozilla, MSIE, Konqueror, Opera, Lynx, w3m) do. The server must listen on a port other than 80, usually this is port 443.
Upon connecting to the secure part of a website, signified by 'https://' (thus indicating port 443 instead of port 80), the server and the client negotiate the SSL protocol version to use and a unique session-ID is established. If the certificate presented by the server is unknown to the client, the client is free to accept or reject the certificate. In turn the server can also demand a certificate from the client. Server and client now share a common key which allows them to encrypt and decrypt messages they send to each other. For a far more detailed and accurate introduction, read the excellent mod_ssl user manual.

The Webmin system configuration utility allows you to configure your linux system(s) via a browser. This makes remote administration very easy and comfortable. However, since the web-server running Webmin must be run 'setuid root', an improperly configured Webmin can pose a huge security threat to the system running it. One method of securing Webmin is to use HTTPS, another tunneling via SSH, still another will be introduced at the end of this article.

section index

Installation And Testing

The most straightforward method of installing webmin is to use the Software Manager and select the webmin package from the list of "Installable" packages and press the "Add/Remove" button. If you prefer the commandline, you can run

urpmi webmin

and it will prompt you for CD 2 and install it. If there are any other packages that it requires, it will prompt you if it's ok to install those as well. You should answer "Y" for yes. Commonly it will want to install the 'perl-Net_SSLeay' and 'perl-Authen-PAM' packages, both standard rpms provided by Mandrake versions 8.0 and higher. With modern (8.x) versions of Mandrake, your webmin installation is now complete.

You can run Webmin either via the supplied minimal web-server called 'miniserv' or via 'Apache'. Since the server running Webmin must have root privileges and some Webmin modules do not work with Apache at all, using 'miniserv' might be the preferable option. In both cases you will need to have ~OpenSSL installed on your system. You may install it with Software Manager or by running

urpmi openssl

from the commandline. Since it's listed as a required package for webmin, the installation of the webmin package will have already installed the openssl package for you.

For SSL to work with the Webmin-supplied 'miniserv', you have to install the 'Net_SSLeay.pm-1.05' perl module from CPAN. Mandrake provides this rpm for you and it too was automatically installed in the webmin installation above.

Start the Webmin service with

service webmin start

and point your browser at 'https://127.0.0.1:10000'. You should now be presented with the Webmin SSL certificate.

If you want to use Apache anyway, you have to install the mod_ssl package. You may install with Software Manager or by running 'urpmi mod_ssl' from the commandline. Having done this, test the installation with:

openssl s_client -connect localhost:443 -state -debug

You will get lots of output which should conclude with these lines:

New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : EDH-RSA-DES-CBC3-SHA Session-ID: 4F33B6210{...} Session-ID-ctx: Master-Key: 789949D2C{...} Key-Arg : None Start Time: 969269809 Timeout : 300 (sec) Verify return code: 0 (ok)

You can now use HTTPS on Apache by connecting your browser to https://127.0.0.1

In order to use Apache with Webmin, you have to apply some changes to '/etc/httpd/conf/httpd.conf':

• Change

  User

  and

  Group

  directives to

  root

  .
• Set

  ~DocumentRoot

  to '/usr/share/webmin'.

• ~SetEnv WEBMIN_CONFIG /etc/webmin

• ~SetEnv WEBMIN_VAR /var/webmin

• ~SetEnv MINISERV_C0NFIG /etc/webmin/miniserv.conf

• ~AuthType basic, ~AuthUserFile /etc/webmin/miniserv.users

• require valid-user

  .

section index

Securing Webmin

A remotely accessible 'setuid root' application is one of the biggest possible security threats imaginable. Securing Webmin by using HTTPS or tunneling alone will not do.

Use Webmin's 'IP Access Control' ('Webmin Configuration') and 'Port And Address' to limit the number of clients which are granted access and the number of addresses Webmin listens on. Use 'Webmin Modules' to delete modules you don't need or which you don't want anyone to access via Webmin.

Note that simply changing from the Webmin interface to another page will not log you out1.1 As long as the browser window is open everyone is able to access Webmin without providing a password by simply using the 'Back' button of the browser.

If you are on a dialup-connection, stop the Webmin service every time you connect to the net and restart it when you disconnect. A single line like

service webmin stop

service webmin start

Convenience is fine as long as it's for the right people ;-).

section index

Related Resources:

Using SSL With Webmin
mod_ssl user manual

Revision / Modified: Sept. 27, 2001 / Mar. 05, 2002
Author: Tom Berger, Todd Lyons

Legal: This page is covered by the GNU Free Documentation License. Standard disclaimers of warranty apply. Copyright LSTB and Mandrakesoft.