Shawn wrote:
Webmin works over the HTTP protocol - which is easy enough to get information from. Even with SSL, only the packets between the host and client are encrypted - except for the initial handshake needed for SSL. (I get the feeling this might be a point I'm about to be corrected on?) With SSH, EVERYTHING is encrypted in all communications between the two boxes involved. The point can be argued either way, I guess.
Webmin works over HTTPS - running it over HTTP, which is possible to set up, is the equivalent of specifically allowing Telnet, rather than SSH, so as far as I'm concerned it is a downright silly argument.
If you can explain to me how there is more encryption via SSH than there is via SSL, I'm all ears.
Are you doing web based banking? Are you using SSH or are you using a browser with SSL?
My apologies if I'm wrong, but I think Kin was looking to remotely manage his Linux servers. In that case, EVERYTHING can be done from the command line. If that's not the case, then I'll concede the point - there are some apps that just need the graphical interface in Windows to manage - MS Exchange for instance.
Not everyone likes to do EVERYTHING from the command line; if you do, then SSH/BASH or whatever shell is a fine choice.
This is equivalent to saying: don't use BASH (a command line interface), because you can run it over Telnet. Of course, you'd be rather silly to run Webmin without SSL, just as it is silly to use BASH over Telnet. Webmin is a GUI tool, just like BASH is a command line tool. If you prefer a command line interface, by all means use SSH to connect to your command line interface of choice. If you like a GUI tool, Webmin is an interesting option to look at, and of course, it should be run over HTTPS/SSL.
http://www.webmin.com/faq.html - helpful document, but if you read it with a view on security, there are a few points that "could" lead to compromise easier than with SSH - for instance, you don't HAVE to use SSL.
They do offer methods to tighten security as well (allowed IP list), but the question is a) if the default configuration is secure enough (for you), and b) if the average person installing webmin knows enough to make/keep it secure. Yep, the same could be said about SSH.
Restricting to certain IPs is the same possibility for Webmin (with a GUI); the default installation uses SSL/HTTPS.
So why bring up something that is ancient history - are you FUD'ing? If I wanted to FUD, I could easily list a series of past SSH vulnerabilities, which have been fixed. I don't think mentioning web pages, which are clearly years out of date, is any better than slamming KDE, because of some web page about version 1.
From a php3 document, so is likely dated... "One thing to be aware of in Webmin is that the username and password are sent unencrypted between your browser and the server. You should only use it on a private network, or on your local host."
- http://www.linuxnovice.org/main_software.php3?VIEW=VIEW&t_id=84
er.. Caldera is now known as SCO - nuff said? (they've lost MY trust at least)
I'm sure it's just an old document though.... :)
"Developed independently, Webmin was acquired by Caldera in the first quarter of 2000" - http://linuxbook.orbdesigns.com/ch13/btlb_c13.html
Yep, SSH could be set up badly, and present as big a security hole as a badly set up web server. I think this is one of those discussions where the "right" answer is highly subjective and is only really pertinent to the system in question (in this case, Kin's servers/workstations, and his comfort level with the tools available). For me, using a web interface to manage my network just seems wrong, and asking for trouble - but that's only opinion/intuition based on my experiences.
That's a much better way of saying things than your earlier statement about what Kin wants. I have no idea what Kin wants. Maybe a command line interface is perfectly fine. I just offered another alternative to look at, which is especially attractive to someone, who may not be a hardcore command line interface user.
But then you slammed that alternative with some rather unsubstantiated general statements. I'm saying, the slamming was unfair, and if I wanted to slam, I could apply it to SSH, too.
What's the last time you have actually used Webmin? Is it fair to slam something with ancient web pages? Is it fair to slam something in general because it "just seems wrong" to you personally? I know a company in Redmond famous for such methods. I was hoping we could do better.
I am using both: SSH and Webmin on a daily basis. I am keeping my Webmin security updated via point and click. I'm keeping my SSH updated via apt-get, yast2 or yum (depending on distro). They're both fine.
I use both (Webmin and SSH/BASH) for different things, and sometimes just because I happen to feel like one over the other. I'm not trying to talk you into using webmin. But I don't think it's fair to talk Kin out of using it, unless you can substantiate the reasons better.
Sorry for ranting.

