On my local machine I'm using SSH Local Forwarding to connect to administration applications on my server that are bound only to the local loopback address; they are not bound to any other addresses. I am also using an SSH Public Key file of 4096 bits. This way the only port I have to expose inside my network is the port I'm running SSH on.
This would all work out fine, except that I appear to be unable to do the same with my Webmin interface. I looked into the configuration for Webmin, and externally it appears to run on port 12321, accessible via HTTPS; closer inspection of the configuration in /etc reveals that it is run over an stunnel SSL tunnel, and that it is actually running on port 10000 on the local loopback, using the mini-server config.
However, if I set up an SSH Local Forwarding tunnel on my machine to access Webmin on port 10000 and try to log in, I have two issues:
- I have to access it over plain HTTP
(Though this is encrypted by the tunnel, so it probably doesn't matter; it needn't be doubly encrypted.)
- When I try to log in, I get an error that my browser does not support cookies.
(My guess is that since I'm using 127.0.0.1:XXXX to access it via SSH Local Forwarding, there is an issue because the expected domain is not supplied to the cookies.)
I'm not sure if webmin is running from Apache or not, but it doesn't look like it is.
Is there any way to change Webmin's configuration so that it is possible to hide Webmin behind SSH, binding it only to the 127.0.0.1 address?
Thank you,
leeand00
Cookies Authentication
I tried turning off Cookies Authentication, but this did not fix the issue; it still tries to run over HTTPS, otherwise I think it would work.
Without SSL and bound to only 127.0.0.1
Alright, so if I turn off Cookies Authentication, and then go to:
When webmin comes back up, it appears to work correctly using my SSH Local Forwarding to hit the local port.
I also checked the webmin configuration for "Ports and Addresses" and it's set to bind only to 127.0.0.1
The only thing that has me spooked is the "Listen for broadcasts on UDP Port" setting; what does that listen for?
TBH I'm not sure...
I ended up enabling stunnel but binding it to the local address
In the stunnel configuration, you can bind it to the local address:
; Note: I bound stunnel to just 127.0.0.1 so that
; Webmin can only be accessed via Local Forwarding
; in an SSH client using our private key.
;
[webmin]
accept = 127.0.0.1:XXXXX
connect = 127.0.0.1:10000
My reasoning for this has to do with the setting in "Authentication": "Enable Session Authentication"; in all of the other programs I was looking at, they had "session authentication" to provide protection against CSRF attacks. While I still don't have any verification that Webmin 1.76 has this protection (post 1) (post 2) (post 3 is on their mailing list), it sounds a lot like it does from the name of the setting; and if I want to run it with Session Authentication enabled, I must run it through stunnel, because if I don't, with the setting turned on I end up with an error about my browser not supporting cookies after I log in:
Cool, that works! :)
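The loopback-only arrangement above (miniserv on 127.0.0.1:10000, stunnel accepting only on 127.0.0.1, SSH the sole exposed port) is worth verifying from the server side rather than trusting the config file, since a second `accept =` line or a Webmin "Ports and Addresses" change silently widens the bind. The script below is an added example and not code from the thread or from the Webmin/stunnel projects: it reads `ss -ltnH` output and reports every TCP listener that is not bound to a loopback address, then checks that the only such listener is sshd. The `ss` lines, pids and the 12321 value chosen for the thread's `XXXXX` are constructed for the demonstration; the client-side `ssh -L` command uses a hypothetical host and key name.

```shell
#!/bin/sh
# Added example (not from the original thread): audit `ss -ltnH` output so
# that after binding Webmin/stunnel to 127.0.0.1 you can confirm sshd is the
# only TCP service still reachable from the network.
# The `ss` snapshots below are constructed; pids and the 12321 port are assumptions.

# Read `ss -ltnH` lines on stdin; print "local-address process" for every
# listener that is NOT bound to a loopback address (127.0.0.0/8 or [::1]).
non_loopback_listeners() {
    awk '
    {
        addr = $4
        if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
        proc = "?"
        # Process name sits in users:(("name",pid=...,fd=...)) when ss runs as root.
        if (match($0, /users:\(\("[^"]+"/))
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        print addr, proc
    }'
}

# Read `ss -ltnH` lines on stdin; succeed only if every non-loopback listener
# is on the SSH port given as $1, printing each offending socket otherwise.
only_ssh_exposed() {
    non_loopback_listeners | awk -v sshport="$1" '
    {
        n = split($1, part, ":")          # port is the last colon-separated field
        if (part[n] != sshport) { bad = 1; print "EXPOSED:", $0 }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed snapshot of the "before" state: miniserv already on loopback:10000,
# but stunnel still accepting 12321 on all interfaces.
SS_BEFORE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:10000 0.0.0.0:* users:(("miniserv.pl",pid=1504,fd=5))
LISTEN 0 128 0.0.0.0:12321 0.0.0.0:* users:(("stunnel",pid=1510,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

# Same host after "accept = 127.0.0.1:XXXXX" in stunnel.conf (XXXXX taken as
# 12321 here, an assumption).
SS_AFTER='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:10000 0.0.0.0:* users:(("miniserv.pl",pid=1504,fd=5))
LISTEN 0 128 127.0.0.1:12321 0.0.0.0:* users:(("stunnel",pid=1510,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

# Helper so a snapshot can be piped exactly like a live `ss -ltnH`.
ss_lines() { printf '%s\n' "$1"; }

# Live use on the server:  ss -ltnH | only_ssh_exposed 22
ss_lines "$SS_BEFORE" | only_ssh_exposed 22 || echo "before: stunnel is still reachable from the network"
ss_lines "$SS_AFTER"  | only_ssh_exposed 22 && echo "after: only sshd is exposed"

# Client side, once the audit passes (hypothetical host and key file names):
#   ssh -N -i ~/.ssh/id_rsa_4096 \
#       -L 127.0.0.1:12321:127.0.0.1:12321 admin@server.example
# then browse https://127.0.0.1:12321/ . Giving -L an explicit 127.0.0.1
# bind_address keeps the forwarded port off the workstation's other interfaces too.
```

Run the audit as root so `ss` can attach process names; unprivileged runs still report the addresses, with `?` in the process column. Note that a listener on `[::]` (IPv6 any-address) also accepts IPv4 on dual-stack hosts, which is why the check treats anything other than `127.x` and `[::1]` as exposed.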
As for CSRF, I don't know how much effort they've put into it or how well it works in the real world, but IIRC it does provide some protection by default. I rarely use Webmin myself, but I recall that if a Webmin page (other than the login page) is accessed from a non-Webmin page (i.e. not referred by a previous Webmin page), then it will throw an error.