Password timeouts and expiry - Need these options clarifying

shoulders · May 1, 2024, 8:42am

SYSTEM INFORMATION
OS type and version	Ubuntu Linux 22.04.4
Webmin version	2.111
Usermin version	2.010
Virtualmin version	7.10.0
Theme version	21.10
Package updates	All installed packages are up to date

On the page Webmin --> Webmin configuration --> Authentication there are some options with no tool tips so I cannot fully figure out how they work:

Password timeouts
- where is the timer set for how long before a password is timed out?
- is this in reguards to sessions?
- does this option control all options on this page?
  - if so, should this be renamed Authentication Control or something better as this page controls more than passwords?
Password expiry policy
- Where do you expire the passwords?
- Where is the option to specify how old a password is before it gets expired?

Block hosts with more than 5 failed logins for 60 seconds.

does this mean IP addresses?

Any help explaining these would be appreciated.

Ilia · May 1, 2024, 9:57am

Hello,

Thanks for the heads up!

No, I think Authentication is best. Besides, it has been used for decades.

Yes.

@Jamie, can you comment on this?

This is a native Linux feature. Check the System ⇾ Users and Groups module.

shoulders · May 1, 2024, 10:10am

I did look in this module earlier but there was nothing relevant. the closet I found was

no mention of password expiry.

and obviously password restrictions is not the right thing

stefan1959 · May 1, 2024, 10:36am

edit a user you will see a expiry, but I thought a webmin user where different type of user.

there this as well

shoulders · May 1, 2024, 10:45am

thanks @Ilia the information is very helpful.

Thanks @stefan1959 I will update my notes.

Jamie · May 1, 2024, 8:50pm

What do you mean by password timed out though? Do you mean how long till the user is forced to change it?

shoulders · May 2, 2024, 6:54am

@Jamie
The relevant section is

Webmin --> Webmin configuration --> Authentication --> Password timeouts

i do not know what this option does
it implies there are password timers that you can set somewhere
there is not tooltip
I am a windows guy
Proposed solution: Add a tooltip and make sure the option name fits its function
- if this controls all the options on this page, rename it to something like Authentication Control

also stuck on whast this does

Webmin --> Webmin configuration --> Authentication --> Failed login blocks --> Block hosts

does this mean IP addresses?
does this mean rDNS?
or referrer header?
or both?

jimr1 · May 2, 2024, 7:16am

did you read the arrowed text ?

host will = host … a host has an IP address

Jamie · May 3, 2024, 4:51am

I’ll add a tooltip with details on what password timeouts mean, but basically when this is enabled there will be an increasing delay between failed login attempts.

As for the “block hosts” option, it means client IP addresses. I’ll update the text to make this clearer.

shoulders · May 3, 2024, 6:48am

and if possible, where the timeout values(s) come from

Jamie · May 3, 2024, 3:18pm

There’s no way to configured the password timeout delays … they are fixed in Webmin

shoulders · May 3, 2024, 3:19pm

i will add this to my notes. thanks

system · May 11, 2024, 3:19pm

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.