This is a bit of a brainstorm idea, but for securing an SSH server, a couple of basic recommendations are to disable direct root logins and enable public key authentication. However if Virtualmin is installed on the server, users (and root) can still log into it using regular passwords. An idea I had would be SSH validation, which would require users to first log in to SSH and execute a token-generating script, which would provide them with a login token to be used to validate the user in Virtualmin instead of a password.
Of course, this would only work if the following conditions are met:
- The specific user has SSH access (and is not limited to SFTP by some chroot environment)
- Public key authentication is enabled and password authentication is disabled for SSH (or else there is little to no security benefit)
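A sketch of the exchange the first post proposes, as an added example rather than code from this thread or from Virtualmin: the script run over SSH issues a short-lived HMAC token bound to the SSH user, and the panel side checks the MAC, the user, the expiry, and that the token has not been used before. The secret, the 120-second lifetime, and the token layout are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 120  # assumption: long enough to paste into the browser, no more


def issue_token(secret: bytes, user: str, now: Optional[int] = None,
                nonce: Optional[str] = None) -> str:
    """Run from the SSH session; `user` comes from the authenticated SSH login.
    Token = base64url(user|expiry|nonce) + "." + hex(HMAC-SHA256(secret, payload))."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8) if nonce is None else nonce
    payload = f"{user}|{now + TOKEN_TTL_SECONDS}|{nonce}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


class TokenVerifier:
    """Panel-side check; replaces the password prompt in the proposed scheme."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._spent = set()  # single-use: a token pasted once is never accepted again

    def verify(self, token: str, claimed_user: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        try:
            payload_b64, mac = token.split(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
        except (ValueError, binascii.Error):
            return False
        # Authenticate the payload before trusting anything inside it.
        expected = hmac.new(self._secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False
        try:
            user, expiry_str, _nonce = payload.decode().split("|")
            expiry = int(expiry_str)
        except ValueError:
            return False
        if user != claimed_user or now > expiry or token in self._spent:
            return False
        self._spent.add(token)
        return True
```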
+1, would really like to hear more about such an improvement.
I’d already disabled direct root SSH access and changed the default ports of Virtualmin & SSH, but as you’ve already said, it isn’t enough, root still has password access via Virtualmin…
I don’t think it should be a hack, imo, it should be a core feature.
When I originally posted this, I wasn’t aware of client SSL certificates for browsers. I cross-posted this to github (https://github.com/webmin/webmin/issues/16#issuecomment-2124490) and you’ll see that there are some answers there. Unfortunately it’s currently busted on Debian-based operating systems (http://sourceforge.net/tracker/index.php?func=detail&aid=3526687&group_id=17457&atid=117457)
Thanks for notifying me, I’m currently on CentOS but was planning to convert to Ubuntu.
What are you doing on your Debian server? Are you using any workaround fix?
There are no workarounds that I know of since, according to the comments of the second link above, it’s based on a Perl module that is very integrated into other areas of Webmin that is either broken or has changed in recent releases and can’t be easily modified. If it’s a show stopper for you, stick with CentOS. If not, you can always just keep Webmin disabled and start it up only when you want to using:
Personally, I manage almost everything by SSH anyway.
Had you or jcameron contacted the developers of SSLeay in order to find what has been changed?
It might be helpful…
Had you tried to use the Google Authenticator? Is it possible to use it only for the root user?
I haven’t contacted them, and I’m not sure if jcameron did either.
And the site I linked to says that you have to individually set which users you want to use PAM authentication for, so you can enable it only for the root user.