|
From: boricua <bo...@de...> - 2005-09-29 22:57:59
|
this is becoming a security concern.
i asked several weeks and no solution has come up.

going to usermin i removed all password from cache and saved password in browser
and still i am automatically logged in.....

anywhere else i can look into |
|
From: Jamie C. <jca...@we...> - 2005-09-29 23:05:14
|
On Fri, 2005-09-30 at 08:54, boricua wrote:
> this is becoming a security concern.
> i asked several weeks and no solution has come up.
>
> going to usermin i removed all password from cache and saved password in browser
> and still i am automatically logged in.....
>
> anywhere else i can look into

Did you remove all your browser cookies that came from the usermin server too? It uses a cookie to track sessions..

- Jamie |
|
From: boricua <bo...@de...> - 2005-09-29 23:28:22
|
On 30 Sep 2005 09:05:05 +1000 Jamie Cameron <jca...@we...> wrote:
> On Fri, 2005-09-30 at 08:54, boricua wrote:
> > this is becoming a security concern.
> > i asked several weeks and no solution has come up.
> >
> > going to usermin i removed all password from cache and saved password in browser
> > and still i am automatically logged in.....
> >
> > anywhere else i can look into
>
> Did you remove all your browser cookies that came from the usermin
> server too? It uses a cookie to track sessions..
>
> - Jamie

yes i did and still i am auto login |
|
From: boricua <bo...@de...> - 2005-09-29 23:31:26
|
On 30 Sep 2005 09:05:05 +1000 Jamie Cameron <jca...@we...> wrote:
> On Fri, 2005-09-30 at 08:54, boricua wrote:
> > this is becoming a security concern.
> > i asked several weeks and no solution has come up.
> >
> > going to usermin i removed all password from cache and saved password in browser
> > and still i am automatically logged in.....
> >
> > anywhere else i can look into
>
> Did you remove all your browser cookies that came from the usermin
> server too? It uses a cookie to track sessions..
>
> - Jamie

even worse!!!! i changed my passwd on command line and still autologin to usermin |
|
From: Jamie C. <jca...@we...> - 2005-09-29 23:35:35
|
On Fri, 2005-09-30 at 09:28, boricua wrote:
> On 30 Sep 2005 09:05:05 +1000
> Jamie Cameron <jca...@we...> wrote:
>
> > On Fri, 2005-09-30 at 08:54, boricua wrote:
> > > this is becoming a security concern.
> > > i asked several weeks and no solution has come up.
> > >
> > > going to usermin i removed all password from cache and saved password in browser
> > > and still i am automatically logged in.....
> > >
> > > anywhere else i can look into
> >
> > Did you remove all your browser cookies that came from the usermin
> > server too? It uses a cookie to track sessions..
> >
> > - Jamie
>
> even worse!!!! i changed my passwd on command line and still autologin to usermin

Are you connecting using the URL http://localhost:20000/ ? If so, try editing /etc/usermin/miniserv.conf and removing the localauth=1 line, then re-starting usermin..

- Jamie |
|
From: boricua <bo...@de...> - 2005-09-29 23:46:00
|
> > even worse!!!! i changed my passwd on command line and still autologin to usermin
>
> Are you connecting using the URL http://localhost:20000/ ? If so, try
> editing /etc/usermin/miniserv.conf and removing the localauth=1 line,
> then re-starting usermin..
>
> - Jamie

yes i connect via localhost:20000

but it also occurred from the outside via a url

ok commenting the line and restarting does the fix .

i think the bug is that when you autologin once the logout feature does not show in the browser....
so for now i disable localauth from the file |
|
From: Jamie C. <jca...@we...> - 2005-09-29 23:49:22
|
On Fri, 2005-09-30 at 09:42, boricua wrote:
> > > even worse!!!! i changed my passwd on command line and still autologin to usermin
> >
> > Are you connecting using the URL http://localhost:20000/ ? If so, try
> > editing /etc/usermin/miniserv.conf and removing the localauth=1 line,
> > then re-starting usermin..
> >
> > - Jamie
>
> yes i connect via localhost:20000
>
> but it also occurred from the outside via a url
>
> ok commenting the line and restarting does the fix .
>
> i think the bug is that when you autologin once the logout feature does not show in the browser....
> so for now i disable localauth from the file

The localauth feature completely bypasses the need to login, by checking the Unix user that is connecting and authenticating as him. That is why you couldn't logout ..

- Jamie |
|
From: boricua <bo...@de...> - 2005-09-30 00:00:04
|
> The localauth feature completely bypasses the need to login, by checking
> the Unix user that is connecting and authenticating as him. That is why
> you couldn't logout ..
>
> - Jamie

does that mean that if you want to logout you would have to disable localauth.....

would that occur also from the outside? via url? |
|
From: Jamie C. <jca...@we...> - 2005-09-30 00:04:24
|
On Fri, 2005-09-30 at 09:56, boricua wrote:
> > The localauth feature completely bypasses the need to login, by checking
> > the Unix user that is connecting and authenticating as him. That is why
> > you couldn't logout ..
> >
> > - Jamie
>
> does that mean that if you want to logout you would have to disable localauth.....

Yes..

> would that occur also from the outside? via url?

That would only happen if you are using some kind of local proxy, such as an Apache ProxyPass directive. Then usermin would auto-login as the Apache user!

Personally, I recommend against using that localauth feature, except in very limited circumstances, such as a non-network box that is only running a browser locally.

- Jamie |
|
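An added example, not part of the thread and not Webmin or Usermin code: a shell audit for the setting discussed above. It flags `localauth` in a miniserv.conf and looks for an Apache `ProxyPass` to the same loopback port, the case where proxied requests would auto-login as the Apache user. The function names, the last-assignment-wins parsing and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Webmin project.
# Audits a miniserv.conf for localauth and an Apache config for a local proxy.

# Print the value of key $1 in key=value file $2 (last assignment wins,
# which is an assumption of this example; '#' comment lines are skipped).
conf_value() {
    awk -v k="$1" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        { key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key) }
        key == k { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { print v }' "$2"
}

# Succeed when localauth is set to anything other than empty or 0.
localauth_enabled() {
    v=$(conf_value localauth "$1")
    [ -n "$v" ] && [ "$v" != "0" ]
}

# Print ProxyPass lines in Apache config $1 that forward to loopback port $2.
proxied_to_miniserv() {
    grep -Ei "^[[:space:]]*ProxyPass(Match)?[[:space:]].*(localhost|127\.0\.0\.1):$2([/[:space:]]|\$)" "$1"
}

# Print findings for miniserv.conf $1 and optional Apache config $2;
# exit status 1 means localauth is enabled.
audit() {
    localauth_enabled "$1" || { echo "OK: localauth not enabled in $1"; return 0; }
    echo "FINDING: localauth enabled in $1 (local connections skip the login)"
    port=$(conf_value port "$1")
    if [ -n "$2" ] && [ -n "$port" ] && proxied_to_miniserv "$2" "$port" >/dev/null; then
        echo "FINDING: $2 proxies to port $port; requests would log in as the Apache user"
    fi
    return 1
}

# Constructed sample files, so the example runs offline.
demo=$(mktemp -d)
printf 'port=20000\nlocalauth=1\n' > "$demo/miniserv.conf"
printf 'ProxyPass /usermin/ http://localhost:20000/\n' > "$demo/proxy.conf"
audit "$demo/miniserv.conf" "$demo/proxy.conf" || true
rm -rf "$demo"
```

On a real host the first argument would be /etc/usermin/miniserv.conf, the path named in the thread; the Apache config path depends on the distribution.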
From: Alan D. <We...@Om...> - 2005-09-30 12:34:56
|
Since you recommend against using this feature (which I agree with), then can it be disabled by default for new installations?

Most people won't know to turn it off manually, and it would increase security by disabling it.

Thanks,
Alan

On 9/29/2005 8:04 PM, Jamie Cameron wrote:
> That would only happen if you are using some kind of local proxy, such
> as an Apache ProxyPass directive. Then usermin would auto-login as the
> Apache user!
>
> Personally, I recommend against using that localauth feature, except in
> very limited circumstances, such as a non-network box that is only
> running a browser locally. |
|
From: Jamie C. <jca...@we...> - 2005-09-30 13:23:36
|
Um .. it is disabled by default though, at least in the Webmin packages from www.webmin.com. Other vendors may have enabled it, but that is out of my control :-)

- Jamie

On 30/Sep/2005 22:36 Alan Dobkin wrote ..
> Since you recommend against using this feature (which I agree with), then can it be disabled by default for new installations?
>
> Most people won't know to turn it off manually, and it would increase security by disabling it.
>
> Thanks,
> Alan
>
> On 9/29/2005 8:04 PM, Jamie Cameron wrote:
> > That would only happen if you are using some kind of local proxy, such
> > as an Apache ProxyPass directive. Then usermin would auto-login as the
> > Apache user!
> >
> > Personally, I recommend against using that localauth feature, except in
> > very limited circumstances, such as a non-network box that is only
> > running a browser locally. |
|
From: Alan D. <We...@Om...> - 2005-09-30 13:31:09
|
Okay, my mistake. I thought it was enabled by default in my installation, but maybe that was brought over from an older version, or maybe I inadvertently turned it on in the past.

Thanks,
Alan

On 9/30/2005 9:23 AM, Jamie Cameron wrote:
> Um .. it is disabled by default though, at least in the Webmin
> packages from www.webmin.com. Other vendors may have enabled it, but
> that is out of my control :-)
>
> - Jamie
>
> On 30/Sep/2005 22:36 Alan Dobkin wrote ..
>> Since you recommend against using this feature (which I agree with),
>> then can it be disabled by default for new installations?
>>
>> Most people won't know to turn it off manually, and it would increase
>> security by disabling it.
>>
>> Thanks,
>> Alan
>>
>> On 9/29/2005 8:04 PM, Jamie Cameron wrote:
>>>
>>> That would only happen if you are using some kind of local proxy, such
>>> as an Apache ProxyPass directive. Then usermin would auto-login as the
>>> Apache user!
>>>
>>> Personally, I recommend against using that localauth feature, except in
>>> very limited circumstances, such as a non-network box that is only
>>> running a browser locally. |
|
From: boricua <bo...@de...> - 2005-09-30 00:00:52
|
> The localauth feature completely bypasses the need to login, by checking
> the Unix user that is connecting and authenticating as him. That is why
> you couldn't logout ..
>
> - Jamie

BTW webmin did not do that, only usermin |