From: Scott M. <sco...@ya...> - 2002-06-03 13:02:47

Hiyas,

Is there a more secure version of the password change module? I am working on restricting it down (disallow changing the root password; only change the password of unlocked users or those with a specific '*expired*' keyword), and noticed that the security checks are not too tight. Namely, save_passwd.cgi does not seem to do the same validation for password change rights as the other modules.

-Scott
From: Jamie C. <jca...@we...> - 2002-06-04 00:34:29

Scott MacKay wrote:
>
> Hiyas,
> Is there a more secure version of the password change module? I am working on restricting it down (disallow changing the root password; only change the password of unlocked users or those with a specific '*expired*' keyword), and noticed that the security checks are not too tight. Namely, save_passwd.cgi does not seem to do the same validation for password change rights as the other modules.

You can configure some of those access controls already in the password change module, by going into the Webmin Users module and clicking on 'Change Passwords' next to the name of a user. If there are any access control restrictions that you would like that are currently missing, tell me and it should be possible to add them.

- Jamie
From: <dwi...@dn...> - 2002-06-04 05:42:04

Speaking of the passwd module, has anyone adapted it to use Kerberos? I just converted all machines to use Kerberos so I only have 1 password to keep track of, and was trying to find an easy way for people to change passwords..?

Dan

On Tue, 4 Jun 2002, Jamie Cameron wrote:

> Scott MacKay wrote:
> >
> > Hiyas,
> > Is there a more secure version of the password change module? I am working on restricting it down (disallow changing the root password; only change the password of unlocked users or those with a specific '*expired*' keyword), and noticed that the security checks are not too tight. Namely, save_passwd.cgi does not seem to do the same validation for password change rights as the other modules.
>
> You can configure some of those access controls already in the password change module, by going into the Webmin Users module and clicking on 'Change Passwords' next to the name of a user. If there are any access control restrictions that you would like that are currently missing, tell me and it should be possible to add them.
>
> - Jamie
From: Jamie C. <jca...@we...> - 2002-06-04 06:12:13

Since Webmin 0.970, the passwd module has had support for running an external command (like /usr/bin/passwd) for doing the change, which you can set in the module config. If Kerberos has some similar command, you might be able to use that..

- Jamie

dwi...@dn... wrote:
>
> Speaking of the passwd module, has anyone adapted it to use Kerberos? I just converted all machines to use Kerberos so I only have 1 password to keep track of, and was trying to find an easy way for people to change passwords..?
>
> Dan
>
> On Tue, 4 Jun 2002, Jamie Cameron wrote:
>
> > Scott MacKay wrote:
> > >
> > > Hiyas,
> > > Is there a more secure version of the password change module? I am working on restricting it down (disallow changing the root password; only change the password of unlocked users or those with a specific '*expired*' keyword), and noticed that the security checks are not too tight. Namely, save_passwd.cgi does not seem to do the same validation for password change rights as the other modules.
> >
> > You can configure some of those access controls already in the password change module, by going into the Webmin Users module and clicking on 'Change Passwords' next to the name of a user. If there are any access control restrictions that you would like that are currently missing, tell me and it should be possible to add them.
> >
> > - Jamie
From: Daniel W. <dan...@st...> - 2002-06-04 15:39:27

Unfortunately this doesn't work with Kerberos, though, because you have to get a token first before you can change the password. So if you just tell it to use kpasswd instead, it will try to change it and get an error. Basically, before you run kpasswd, all you have to do is a kinit with the user login/pass; then you can run kpasswd. So I think it's simple, I just haven't dived into the setup of the password module and would like to avoid it if someone else has done this... make sense?

Dan

On Tue, 2002-06-04 at 01:12, Jamie Cameron wrote:
> Since Webmin 0.970, the passwd module has had support for running an external command (like /usr/bin/passwd) for doing the change, which you can set in the module config. If Kerberos has some similar command, you might be able to use that..
>
> - Jamie
From: Scott M. <sco...@ya...> - 2002-06-04 10:26:10

Ah, OK. I have not tried that. I did see that 2 of the 3 CGIs (I think index.cgi and update_passwd.cgi) used some kind of lookup to control access. save_passwd.cgi did not, however. The first one seems to have the access control built right in, while the second CGI did a lookup from a library routine. The third had no apparent lookup. I am hoping to make a really secure and restrictable set of modules available to the helpdesk...

--- Jamie Cameron <jca...@we...> wrote:
> Scott MacKay wrote:
> >
> > Hiyas,
> > Is there a more secure version of the password change module? I am working on restricting it down (disallow changing the root password; only change the password of unlocked users or those with a specific '*expired*' keyword), and noticed that the security checks are not too tight. Namely, save_passwd.cgi does not seem to do the same validation for password change rights as the other modules.
>
> You can configure some of those access controls already in the password change module, by going into the Webmin Users module and clicking on 'Change Passwords' next to the name of a user. If there are any access control restrictions that you would like that are currently missing, tell me and it should be possible to add them.
>
> - Jamie
From: Scott M. <sco...@ya...> - 2002-06-04 17:46:40

Actually, found the problem.

In save_passwd.cgi, the section

    if ($config{'passwd_cmd'}) {

is missing something. After the

    @user || &error($text{'passwd_euser'});

it should have the line

    &can_edit_passwd(\@user) || &error($text{'passwd_ecannot'});

This would be consistent with the else clause and the previous modules.

Also, if the original 'index.cgi' called can_edit_passwd, that would be a little more consistent.

For me, I added the following changes:

1) Only allow normal and expired passwords to be reset. (Expired is the password set to '*expired*' for me.) This allows you to keep peeps from giving a password to a system account.

2) Disallow the password to be changed for UID <= 100.

This was done (hopefully correctly) by doing the following in can_edit_passwd:

    if ($_[0]->[2] <= 100 || $_[0]->[1] =~ 'NP' ||
        (($_[0]->[1] =~ /^[*]+.*$/) && ($_[0]->[1] !~ /\*expired\*/))) {
        return 0;
    }

--- Jamie Cameron <jca...@we...> wrote:
> You can configure some of those access controls already in the password change module, by going into the Webmin Users module and clicking on 'Change Passwords' next to the name of a user. If there are any access control restrictions that you would like that are currently missing, tell me and it should be possible to add them.
From: Jamie C. <jca...@we...> - 2002-06-05 00:48:04

Scott MacKay wrote:
>
> Actually, found the problem.
>
> In save_passwd.cgi, the section
>     if ($config{'passwd_cmd'}) {
>
> is missing something. After the
>     @user || &error($text{'passwd_euser'});
>
> it should have the line
>     &can_edit_passwd(\@user) || &error($text{'passwd_ecannot'});
>
> This would be consistent with the else clause and the previous modules.

Absolutely correct.. there is now an update at http://www.webmin.com/updates.html that fixes this as well.

> Also, if the original 'index.cgi' called can_edit_passwd, that would be a little more consistent.

Yeah, but if there are a lot of users, calling can_edit_passwd repeatedly would be very slow.

> For me, I added the following changes:
> 1) Only allow normal and expired passwords to be reset. (Expired is the password set to '*expired*' for me.) This allows you to keep peeps from giving a password to a system account.
> 2) Disallow the password to be changed for UID <= 100.
> This was done (hopefully correctly) by doing the following in can_edit_passwd:
>
>     if ($_[0]->[2] <= 100 || $_[0]->[1] =~ 'NP' ||
>         (($_[0]->[1] =~ /^[*]+.*$/) && ($_[0]->[1] !~ /\*expired\*/))) {
>         return 0;
>     }

There is already support for controlling access by UID, though. You can just enter 100 as the minimum, and enter no maximum.

- Jamie