RFE: Secure Cluster Authentication

I have wanted to use the cluster features in Webmin for a while now, especially for the Cluster Slave Servers feature in the BIND DNS module. However, I have avoided it because it seems incredibly insecure in its current form. I have always been wary of storing usernames and passwords in files on my systems, and this one is a prime concern, because they are most likely root passwords to other systems! This is a treasure trove just waiting to be discovered by attackers.

The information appears to be encoded in base64 now, which offers no security whatsoever if someone gains access to these files. At a bare minimum, the passwords should be stored with a strong symmetric encryption algorithm, such as AES, Blowfish, or Twofish, using the Webmin (i.e. root) user's password as the key. Of course, this means that the cluster modules could only be used while they are logged in, but that is a small price to pay for good security, and most of the cluster modules are run interactively anyway.

A better solution would involve the use of RSA/DSA public/private keys, thus eliminating the storing of passwords altogether. These are very commonly used for secure unattended logins with SSH and/or RSync. There are many documented examples of this, and here is one:

http://www.snailbook.com/faq/no-passphrase.auto.html

Finally, security could be enhanced even further by allowing these connections to be tunnelled through an SSH connection. This is how I use Webmin most often now. Since most Unix systems allow access to SSH port 22 by default, this is the only port that would need to be open on the machine and/or firewall. Ports 10000 and 20000 are restricted to localhost and never appear open to the Internet, thus completely eliminating Webmin/Usermin from exposure to attack.

Webmin is a wonderful and extremely powerful tool. However, its capabilities could be disastrous in the wrong hands, so it must be well-protected.

Status: Closed (fixed)
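As an added example (not part of the original request and not Webmin's own code), the audit below illustrates the request's point that base64 is an encoding rather than encryption: it flags credential fields in a key=value file whose values decode cleanly without any key, and never prints the decoded secret. The field names, the host name and the sample file are constructed assumptions.

```python
import base64
import binascii
import re

# Assumed credential field names (hypothetical; adjust to the files you audit).
SECRET_KEYS = {"pass", "password", "passwd"}
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed sample: a key=value file with a base64-encoded password.
SAMPLE = "\n".join([
    "host=ns2.example.com",
    "user=root",
    "pass=" + base64.b64encode(b"example-password").decode(),
])


def decodes_to_text(value):
    """True if value is valid base64 that decodes to printable text."""
    if len(value) % 4 or not B64_RE.fullmatch(value):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
        return raw.decode("utf-8").isprintable()
    except (binascii.Error, ValueError):
        return False


def audit(config_text):
    """Return (line_no, key, finding) per credential field; never the secret."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or key.lower() not in SECRET_KEYS or not value:
            continue
        if decodes_to_text(value):
            finding = "base64-encoded: recoverable without a key"
        else:
            finding = "not base64: review how it is protected"
        findings.append((line_no, key, finding))
    return findings


if __name__ == "__main__":
    for line_no, key, finding in audit(SAMPLE):
        print(f"line {line_no}: {key}: {finding}")
```

A "not base64" result only means the value is stored in some other form; it still needs a manual check of how it is protected.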

Comments