Webmin Virtualmin Password Recovery

Where are we going to get these users’ emails from though?

Don’t want to load you up with feature requests. Some feature proposals for the long term:

Rather than requiring everyone to have an email, why not allow multiple communication methods that may or may not include email? For security-sensitive communication, such as a password reset link, when no email address is available or email is not working, some notification can be given to contact the admin in an approved way.

Approved methods to communicate with admin (automatically or manually) without verification by sent email can include:

  1. A pre-generated list of one-time-use tokens
  2. Public/private key use
  3. A secure Signal channel (cannot be automated)

I think it is a pity that in the current rush to demonise password use we are being shepherded into trusting institutional or corporate control of private-key storage solutions.

Virtualmin could take a lead in allowing users to request verification by public key using private keys they store in whatever means they want. I realise physical security devices use this method and there are browser APIs to allow signing.

I am aware Two-Factor Authentication is a working option in both Usermin and Webmin, such as TOTP authentication. As a long-term solution it looks dubious. Both authenticating parties share the same secret key, which is even worse than using hashed passwords, from a security perspective. Also multiple sets of shared keys need to be maintained and updated, which is a nightmare and places enormous trust in keeping backups and relying on complex corporate-controlled solutions. On the other hand, it does work and is currently easier to get to work than using a private/public key set where the private key is never shared.
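An added example, not Virtualmin's or Webmin's code, of two of the mechanisms the post above weighs against each other: a pre-generated list of one-time recovery tokens where the server stores only hashes (so a leaked database does not yield usable tokens and each token is redeemable once), and RFC 4226/6238 HOTP/TOTP, where the verifier must hold the very same secret as the user's authenticator and can therefore mint valid codes itself. The in-memory token store, the 128-bit token size and the RFC test-vector secret are assumptions of this example.

```python
"""One-time recovery tokens versus TOTP (added example; not Webmin/Virtualmin code)."""
import hashlib
import hmac
import secrets
import struct

TOKEN_BYTES = 16  # assumed: 128 bits of entropy per recovery token


def generate_recovery_tokens(count=10):
    """Return (plaintext tokens to hand to the user, hashes for the server).

    Only the SHA-256 hashes are kept server-side; the user stores the plaintext
    list however they like (paper, password manager, offline file)."""
    tokens = [secrets.token_hex(TOKEN_BYTES) for _ in range(count)]
    stored = {hashlib.sha256(t.encode()).hexdigest() for t in tokens}
    return tokens, stored


def redeem_recovery_token(stored, candidate):
    """Consume a token: valid at most once.

    Every stored hash is compared in constant time and the loop does not exit
    early, so timing does not reveal whether or where a match occurred."""
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    matched = None
    for h in stored:
        if hmac.compare_digest(h, digest):
            matched = h
    if matched is None:
        return False
    stored.discard(matched)  # single use: a replay of the same token fails
    return True


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret, code, at_time, step=30, digits=6, window=1):
    """Server-side TOTP check. Note that the server needs the SAME secret the
    user's app holds, so whoever reads the server's copy can compute valid
    codes; this is the shared-secret property the post above objects to.
    With the recovery tokens above the server holds only hashes and cannot
    reconstruct a token."""
    counter = at_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    tokens, store = generate_recovery_tokens(5)
    print("first token redeems:", redeem_recovery_token(store, tokens[0]))
    print("replay of it redeems:", redeem_recovery_token(store, tokens[0]))
    # RFC 6238 test-vector secret; at t=59 the 6-digit SHA-1 code is 287082
    secret = b"12345678901234567890"
    print("TOTP at t=59:", totp(secret, 59))
```

The `verify_totp` window of one step each way is the usual tolerance for clock drift; the `hotp` values can be checked against the RFC 4226 test vectors (counter 1 yields 287082 for the secret above).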

Dunno, where from? 🙂

From software.virtualmin.dev.

From the page above, the link is
https://software.virtualmin.dev/virtualmin-install-7.7.202504151239.sh

However, it can also be accessed non-visibly as:
https://software.virtualmin.dev/virtualmin-install.sh

That’s expected.

FYI, the next Webmin release will also have a button in the Webmin Users module to allow the admin to send reset emails.



With the new Webmin 2.402 out, everyone is welcome to try the new built-in password reset feature!

You can enable it under “Webmin → Webmin Configuration: Authentication” page by turning on the “Allow forgotten password recovery” option.

Just remember to uninstall the “Virtualmin Password Recovery” module first!

Can this button be placed on :20000 too, or instead?

If I’ve stored my passwords in plain text and set the password, I see the password. If I reset the password with this I no longer see the password (but I can see the password again if I reset the password manually in Webmin):

Mine is an out-of-the-box install of virtualmin just to test this (using my hosts file).

FTR (Ubuntu 24.04.2), it does not recognize logins without adding @testdomain.com.

Logins only work on :20000, not on :10000 (I may have forgotten some setting that allows Webmin access somewhere… this being out of the box).

I mention it because for a mail user, who would be used to going to :10000, there is no password reset button. If I personally instruct them to go to :20000 so that they can reset their password, it seems natural to want to login there and see what it is but out of the box they can’t (again, I probably just forget what that takes).

Thanks.

You need to enable forgotten password recovery in both the Webmin and Usermin configuration modules.

Thanks (duh).

Is the disappearing plain-text domain a bug or a feature?

Also just a wishlist feature, but if there were a way to preserve the sending domain in the reset mail that would be nice. I go to testdomain.com:20000 to send the reset mail, but the link to restore it has the real server name in it and its text:

https://-real-server-name-:10000/?forgot=552431e973d367638ee7196da829b99b&username=test%40testdomain%2Ecom&return=https%3A%2F%2Fmail%2Etestdomain%2Ecom%3A20000

However if I change that url to:

https://testdomain.com:10000/?forgot=552431e973d367638ee7196da829b99b&username=test%40testdomain%2Ecom&return=https%3A%2F%2Fmail%2Etestdomain%2Ecom%3A20000

in my browser, it works.

It’s a minor thing, but it would be great if it only ever mentioned testdomain.com anywhere.

Is this something we all have to do, or was it an experimental add on?

The next Virtualmin release will handle this automatically when you upgrade your packages.

If you switch the login theme to Framed Theme on the “Webmin → Webmin Configuration: Webmin Themes” page, how does it behave then?

“Framed” takes Webmin back to the old-skool look. The password reset mail that arrives is the same (revealing the server’s name… a minor concern only).

If I set Framed on Usermin too, usernames without @the-domain.com still fail on :20000.

Ron

I think I know what you mean—you can customize the “Webmin URL for use in email” on the “Webmin ⇾ Webmin Configuration: Sending Email” page.

Thanks, this will help some, I think (I could call it “password-recovery.main-company.com:10000” or something and email from techsupport@). This would only be a system-wide change though, unless it accepts some kind of “originating domain” notation like https://“$DOM”:10000, but that seems unlikely (and is probably overkill).
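As an added example, not Webmin's own code, the following Python shows the anatomy of the reset link quoted earlier in the thread: it parses the `forgot`/`username`/`return` parameters, composes a link from a configured base URL (the role the “Webmin URL for use in email” setting plays system-wide), and swaps the host the way the poster did by hand. The hostnames and the token are placeholders taken from the quoted link; nothing here says how Webmin itself validates the token.

```python
"""Building and inspecting a Webmin-style reset link (added example, not Webmin code)."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample shaped like the link quoted in the thread (placeholder host/token).
SAMPLE_LINK = (
    "https://real-server-name:10000/?forgot=552431e973d367638ee7196da829b99b"
    "&username=test%40testdomain%2Ecom"
    "&return=https%3A%2F%2Fmail%2Etestdomain%2Ecom%3A20000"
)


def parse_reset_link(link):
    """Split the link into host, token, username and return URL.
    parse_qsl percent-decodes the values (%40 -> @, %2E -> ., %2F -> /)."""
    parts = urlsplit(link)
    params = dict(parse_qsl(parts.query))
    return {
        "host": parts.netloc,
        "token": params.get("forgot"),
        "username": params.get("username"),
        "return_url": params.get("return"),
    }


def build_reset_link(base_url, token, username, return_url):
    """Compose a link from a configured base URL, percent-encoding each value.
    base_url stands in for the system-wide "Webmin URL for use in email" value."""
    query = urlencode({"forgot": token, "username": username, "return": return_url})
    return f"{base_url.rstrip('/')}/?{query}"


def rehost_reset_link(link, new_netloc):
    """Replace only the host:port, keeping path, token and other parameters,
    which is the manual edit the poster made to get a testdomain.com link."""
    parts = urlsplit(link)
    return urlunsplit((parts.scheme, new_netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    info = parse_reset_link(SAMPLE_LINK)
    print(info)
    print(rehost_reset_link(SAMPLE_LINK, "testdomain.com:10000"))
    print(build_reset_link("https://password-recovery.main-company.com:10000",
                           info["token"], info["username"], info["return_url"]))
```

Because the poster reports that the same token worked after changing only the hostname, the host in the link is presentation, not part of what the token authenticates; a per-domain base URL would therefore be a matter of choosing `base_url` per virtual server when the mail is composed, which is exactly the system-wide limitation the reply above notes.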