Has anyone attempted to put an alternative authentication "front-end" on Webmin that relies on session cookies?
We have a global login utility that creates a unique session cookie and session ID, as well as providing the user's ID. We use this today in web applications via a redirect to the global authentication site. If you successfully authenticate, you are redirected to the application, which now knows your ID and can validate that you are who you say you are via the session cookie.
A powerful server management system that would rely on remote authentication would not only be risky, but for myself, with decades of experience in this and never been hacked, I would NEVER rely on such a thing.
But I think I know where you are coming from. The current way to handle that is to just add on admin users within the Webmin interface. Your method would require either S2S or some embedded "master key" - isn't that what Two-Factor Authentication is about?
I'm using Apache as the web server instead of miniserv, which allows you to use any number of authentication methods. I use it for Kerberos authentication, but that's outside of Webmin at that point, so you could do anything you want.
Note that it's not quite trivial to get Apache set up, but it's not overly complicated either. The doxfer wiki has a document which is basically correct. I would've updated it by now, but it seems that creation of a new account hasn't worked there for quite some time. :)