Take advantage of public key authentication to improve login security about webmin HOT 7 CLOSED

Here is the solution if you want to secure with SSH keys. Create a SSH tunnel to your server on port 10000 (or whatever your Virtualmin/Webmin port is) using Putty. When it's working you should be able to open a browser to https://localhost:10000 and get your Virtualmin/Webmin server GUI. Set Webmin to only listen to 127.0.0.1 in the Webmin GUI at Webmin>Webmin Configuration>Ports and Addresses. After confirming that works go into /etc/ssh/sshd_config and set "PasswordAuthentication no" if it isn't already.

Now the only way to get to Virtualmin/Webmin GUI login prompt is with SSH tunnel using putty or some other SSH client and if PasswordAuthentication is set to no then the only way to do that is with ssh keys. You still have to log into the GUI with root password but for administration it should not be much of an inconvenience and is an extra layer of security.

If you are already using ssh keys and know how to set up Putty ssh tunnel this should be trivial to set up. If not don't be intimidated, it's not as hard as it first seems. Just stick to it and you will figure it out and realize it's not that complicated. There are lots of how to's on the internet.

I've only done this on my own VPS with no other users. Not sure if or how it could work in a shared environment.

from webmin.

Webmin already supports SSL key-based authentication. You can find that in Webmin->Webmin Users->Request Certificate. There's no reason to jump through all the odd hoops of trying to authenticate against SSH keys, when there is a standard key-based authentication method supported by browsers and Webmin.

from webmin.

Strange. I don't have the option "Request certificate" anywhere.

from webmin.

You first need to create a CA at Webmin -> Webmin Configuration -> Certificate Authority.

from webmin.

Thanks for the response. I didn't even know that this was even a feature of web browsers. Now, the only issue I had was that none of the users (except root) are able to request a certificate by default since they are unable to see that module, so I had to give permissions to the users to access 'webmin' -> 'webmin users' with everything disabled except "Can request certificate".

Oh, and it doesn't appear to work in Opera even though according to http://www.opera.com/support/kb/view/436/ it should be supported. I have no idea about how it would be accomplished though.

from webmin.

Yes, browser support for requesting client-side certificates is inconsistent. The most reliable one is Firefox..

from webmin.

@shadowym Sorry for the delayed response. For some reason it didn't notify me of your comment. I just have to say, you are a genius. That is exactly what I was looking for since browser certificates are bugged on Debian servers. Using FoxyProxy to only use the proxy for specific sites, and adding an entry to my /etc/hosts file, I can now go to https://virtualmin:10000 and not have to worry about it interfering with other sites, including localhost on other ports.

from webmin.