[gentoo-user] Re: [OT] Webmin Question - was Print to cups printer from Windows?

2008-12-17 Thread Mick
On Wednesday 17 December 2008, Dale wrote:
 Mark Knecht wrote:

 I know I had webmin installed for a long time but rarely used it.  I
 just couldn't remember if I used it for setting up printing from windoze
 or not.

A friend is running webmin on a server and it makes setting up some services 
(like CUPS) easier to visualise/understand.  However, the login into webmin 
is set up with the root passwd.  This on an Internet facing port is making me 
nervous, but he is sooo attached to GUI solutions I cannot convince him that 
ssh is all he needs.  Is there a way to only allow logins as a plain user and 
then elevate privileges to root (just like you would su on the CLI 
sort-of-thing)?
-- 
Regards,
Mick




Re: [gentoo-user] Re: [OT] Webmin Question - was Print to cups printer from Windows?

2008-12-17 Thread Alan McKinnon
On Wednesday 17 December 2008 20:59:54 Mick wrote:
 On Wednesday 17 December 2008, Dale wrote:
  Mark Knecht wrote:
 
  I know I had webmin installed for a long time but rarely used it.  I
  just couldn't remember if I used it for setting up printing from windoze
  or not.

 A friend is running webmin on a server and it makes setting up some
 services (like CUPS) easier to visualise/understand.  However, the login
 into webmin is set up with the root passwd.  This on an Internet facing
 port is making me nervous, but he is sooo attached to GUI solutions I
 cannot convince him that ssh is all he needs.  

Have you tried using a clue by 4[1] on him?

It's the tried and trusty Unix tool developed for this very use case


Best demonstrated by pwning his box with a brute-force attack, followed by the 
spoken word "See?"

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Re: [OT] Webmin Question - was Print to cups printer from Windows?

2008-12-17 Thread Mark Knecht
On Wed, Dec 17, 2008 at 12:20 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
 On Wednesday 17 December 2008 20:59:54 Mick wrote:
 On Wednesday 17 December 2008, Dale wrote:
  Mark Knecht wrote:
 
  I know I had webmin installed for a long time but rarely used it.  I
  just couldn't remember if I used it for setting up printing from windoze
  or not.

 A friend is running webmin on a server and it makes setting up some
 services (like CUPS) easier to visualise/understand.  However, the login
 into webmin is set up with the root passwd.  This on an Internet facing
 port is making me nervous, but he is sooo attached to GUI solutions I
 cannot convince him that ssh is all he needs.

 Have you tried using a clue by 4[1] on him?

 It's the tried and trusty Unix tool developed for this very use case


 Best demonstrated by pwning his box with a brute-force attack, followed by the
 spoken word "See?"

 --
 alan dot mckinnon at gmail dot com


Gawd I love good Linux lists with cool contributors. There is so much
for me to learn!

What the heck is a clue by 4[1]?

I suspect this is a dumb question but I freely admit that I'm Oh,
no I don't! ;-)

- Mark



Re: [gentoo-user] Re: [OT] Webmin Question - was Print to cups printer from Windows?

2008-12-17 Thread Alan McKinnon
On Wednesday 17 December 2008 22:30:55 Mark Knecht wrote:
 On Wed, Dec 17, 2008 at 12:20 PM, Alan McKinnon alan.mckin...@gmail.com 
wrote:
  On Wednesday 17 December 2008 20:59:54 Mick wrote:
  On Wednesday 17 December 2008, Dale wrote:
   Mark Knecht wrote:
  
   I know I had webmin installed for a long time but rarely used it.  I
   just couldn't remember if I used it for setting up printing from
   windoze or not.
 
  A friend is running webmin on a server and it makes setting up some
  services (like CUPS) easier to visualise/understand.  However, the login
  into webmin is set up with the root passwd.  This on an Internet facing
  port is making me nervous, but he is sooo attached to GUI solutions I
  cannot convince him that ssh is all he needs.
 
  Have you tried using a clue by 4[1] on him?
 
  It's the tried and trusty Unix tool developed for this very use case
 
 
  Best demonstrated by pwning his box with a brute-force attack, followed
  by the spoken word "See?"
 
  --
  alan dot mckinnon at gmail dot com

 Gawd I love good Linux lists with cool contributors. There is so much
 for me to learn!

 What the heck is a clue by 4[1]?

It's a word play :-)

Know what a 2 by 4 is? A 2 inch by 4 inch plank that you clobber someone over 
the head with when they are being thick. A thick user needs to get a clue. 
Clue rhymes with two :-)

Clue by 4 is also known by the other name of LART - Luser Attitude 
Readjustment Tool. Very handy thing for sysadmins to have, very handy indeed.

But back onto your original question. Webmin is a problem that cannot be 
fixed. It needs to have root privileges, the root password needs to go over 
the wire to the webmin http server, and to the best of my knowledge is not 
subject to routine security scrutiny. I would not trust it further than I can 
throw it, and that's not very far.

So, someone who insists on using it deserves to have their machines pwned, 
lose their data, be blacklisted for being a zombie bot and have their kittens 
eaten. Rather than appease your friend's reluctance to use anything other 
than a GUI, you should batter some sense into his skull. Tell him I say it is 
highly unlikely that he knows more about how to do this job than the 1000s of 
Unix admins who have been doing it for almost 40 years. He really, really, 
wants ssh.

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] Re: [OT] Webmin Question - was Print to cups printer from Windows?

2008-12-17 Thread Etaoin Shrdlu
On Wednesday 17 December 2008, 23:13, Alan McKinnon wrote:

 But back onto your original question. Webmin is a problem that cannot
 be fixed. It needs to have root privileges, the root password needs
 to go over the wire to the webmin http server,

True, although all the webmin installations I've seen run on https.

 and to the best of my knowledge is not subject to routine security
 scrutiny. I would not trust it further than I can throw it, and that's
 not very far. 

 So, someone who insists on using it deserves to have their machines
 pwned, lose their data, be blacklisted for being a zombie bot and have
 their kittens eaten. Rather than appease your friend's reluctance to
 use anything other than a GUI, you should batter some sense into his
 skull. Tell him I say it is highly unlikely that he knows more about
 how to do this job than the 1000s of Unix admins who have been doing
 it for almost 40 years. He really, really, wants ssh.

Agreed.
(and, btw, you can just use ssh port forwarding and run webmin over that 
without exposing webmin directly on the Internet, if you really want it)



Re: [gentoo-user] Re: [OT] Webmin Question - was Print to cups printer from Windows?

2008-12-17 Thread Mark Knecht
On Wed, Dec 17, 2008 at 2:13 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
 On Wednesday 17 December 2008 22:30:55 Mark Knecht wrote:
 On Wed, Dec 17, 2008 at 12:20 PM, Alan McKinnon alan.mckin...@gmail.com
 wrote:
  On Wednesday 17 December 2008 20:59:54 Mick wrote:
  On Wednesday 17 December 2008, Dale wrote:
   Mark Knecht wrote:
  
   I know I had webmin installed for a long time but rarely used it.  I
   just couldn't remember if I used it for setting up printing from
   windoze or not.
 
  A friend is running webmin on a server and it makes setting up some
  services (like CUPS) easier to visualise/understand.  However, the login
  into webmin is set up with the root passwd.  This on an Internet facing
  port is making me nervous, but he is sooo attached to GUI solutions I
  cannot convince him that ssh is all he needs.
 
  Have you tried using a clue by 4[1] on him?
 
  It's the tried and trusty Unix tool developed for this very use case
 
 
  Best demonstrated by pwning his box with a brute-force attack, followed
  by the spoken word "See?"
 
  --
  alan dot mckinnon at gmail dot com

 Gawd I love good Linux lists with cool contributors. There is so much
 for me to learn!

 What the heck is a clue by 4[1]?

 It's a word play :-)

 Know what a 2 by 4 is? A 2 inch by 4 inch plank that you clobber someone over
 the head with when they are being thick. A thick user needs to get a clue.
 Clue rhymes with two :-)

 Clue by 4 is also known by the other name of LART - Luser Attitude
 Readjustment Tool. Very handy thing for sysadmins to have, very handy indeed.

 But back onto your original question. Webmin is a problem that cannot be
 fixed. It needs to have root privileges, the root password needs to go over
 the wire to the webmin http server, and to the best of my knowledge is not
 subject to routine security scrutiny. I would not trust it further than I can
 throw it, and that's not very far.

 So, someone who insists on using it deserves to have their machines pwned,
 lose their data, be blacklisted for being a zombie bot and have their kittens
 eaten. Rather than appease your friend's reluctance to use anything other
 than a GUI, you should batter some sense into his skull. Tell him I say it is
 highly unlikely that he knows more about how to do this job than the 1000s of
 Unix admins who have been doing it for almost 40 years. He really, really,
 wants ssh.

 --
 alan dot mckinnon at gmail dot com



Alan,
   OK, now I get it, even if I don't. I'm in California but have some
British friends who do those word game sayings. They consider me quite
thick as I never get them. That's OK. It's cool that they're having
fun.

   I agree about root passwords over the net. I'm fairly careful about
not using them even with ssh. I always try to go with my own account
at the far end and then su to root after I'm there.

   For the record it wasn't me asking about webmin. That was someone else.

cheers,
Mark



Re: [gentoo-user] Re: [OT] Webmin Question - was Print to cups printer from Windows?

2008-12-17 Thread Dale
Mick wrote:
 On Wednesday 17 December 2008, Dale wrote:
   
 Mark Knecht wrote:
 

   
 I know I had webmin installed for a long time but rarely used it.  I
 just couldn't remember if I used it for setting up printing from windoze
 or not.
 

 A friend is running webmin on a server and it makes setting up some services 
 (like CUPS) easier to visualise/understand.  However, the login into webmin 
 is set up with the root passwd.  This on an Internet facing port is making me 
 nervous, but he is sooo attached to GUI solutions I cannot convince him that 
 ssh is all he needs.  Is there a way to only allow logins as a plain user and 
 then elevate privileges to root (just like you would su on the CLI 
 sort-of-thing)?
   

I haven't read the other replies but here is my thinking.  Start the
webmin service, change/setup what ever needs doing then shut down
webmin.  That was how I did it.  That way it is only up for a few
minutes and I never had to have webmin running to keep the other
services working.

Your mileage may vary tho. 

Dale

:-)  :-) 



Re: [gentoo-user] Re: [OT] Webmin Question - was Print to cups printer from Windows?

2008-12-17 Thread Neil Bothwick
On Thu, 18 Dec 2008 00:13:28 +0200, Alan McKinnon wrote:

 But back onto your original question. Webmin is a problem that cannot
 be fixed. It needs to have root privileges, the root password needs to
 go over the wire to the webmin http server, and to the best of my
 knowledge is not subject to routine security scrutiny. I would not
 trust it further than I can throw it, and that's not very far.

To be fair, they do recommend that you run webmin over HTTPS if using it
over the Internet, but SSH does give the added benefit of key-based
authentication.


-- 
Neil Bothwick

I've got the taglines if you've got the time!




Re: [gentoo-user] Re: [OT] Webmin Question - was Print to cups printer from Windows?

2008-12-17 Thread Eric Martin
Neil Bothwick wrote:
 On Thu, 18 Dec 2008 00:13:28 +0200, Alan McKinnon wrote:

   
 But back onto your original question. Webmin is a problem that cannot
 be fixed. It needs to have root privileges, the root password needs to
 go over the wire to the webmin http server, and to the best of my
 knowledge is not subject to routine security scrutiny. I would not
 trust it further than I can throw it, and that's not very far.
 

 To be fair, they do recommend that you run webmin over HTTPS if using it
 over the Internet, but SSH does give the added benefit of key-based
 authentication

I used to use webmin and I found that it made me forget how to do real
things.  However, it is nice on occasion.  If you want to go secure yet
run over the internet, only push ssh to your firewall, and connect to
your server via pubkeys.  Tunnel server:80 (or server:443) via ssh to
your localhost and now you have webmin running through an ssh tunnel.
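
The tunnel setup described in the message above, as an added example that is not part of the original thread: it builds a key-only `ssh` port-forward command and checks `ss -ltn` style output for a Webmin listener that is still reachable from outside loopback. The host name, user, key path, local port 8443 and Webmin port 10000 are assumptions, and the listener tables are constructed sample data.

```shell
#!/bin/sh
# Constructed values (not from the thread): user/host, key path, ports.
# Webmin's usual port 10000 is assumed; the post mentions 80 or 443.

# Print the ssh command for a key-only tunnel: a local loopback port is
# forwarded to the Webmin port on the server's own loopback interface.
tunnel_cmd() {
    user_host=$1; remote_port=$2; local_port=$3; key=$4
    printf 'ssh -N -i %s -o IdentitiesOnly=yes -o PasswordAuthentication=no' "$key"
    printf ' -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
        "$local_port" "$remote_port" "$user_host"
}

# Read `ss -ltn` style output on stdin and print every local address that
# listens on PORT without being bound to loopback (reachable from outside).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host !~ /^127\./ && host != "[::1]") print addr
        }'
}

# Constructed listener table: Webmin bound to every interface.
SS_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'

# Constructed listener table: Webmin bound to loopback, only ssh exposed.
SS_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:10000    0.0.0.0:*
LISTEN 0      128    [::1]:10000        [::]:*'

echo "Tunnel command (then browse to https://127.0.0.1:8443/):"
tunnel_cmd mick@server.example.org 10000 8443 /home/mick/.ssh/id_ed25519
echo "Exposed Webmin listeners before:"
printf '%s\n' "$SS_BEFORE" | exposed_listeners 10000
echo "Exposed Webmin listeners after (expect none):"
printf '%s\n' "$SS_AFTER" | exposed_listeners 10000
```

On the server itself, `ss -ltn | exposed_listeners 10000` applies the same check to the live listener table.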


