Securing Webmin using OpenSSL

Feb 26, '02 11:50:50PM

Contributed by: Anonymous

Webmin is a great tool for Unices, just OK for OS X client and server. I use it to manage my Sun Solaris 8 servers at work rather than SMC. The big caveat is that using it as-is over HTTP is insecure. Anyone using snoop or a packet sniffer can read the unencrypted session and compromise your machine(s). Using OpenSSL under Mac OS X secures this wonderful and free tool.

Until recently, the headers for SSL were not available, but now they are. Apple has released the "Darwin Development Environment", which includes these headers.

For a Step-by-Step on securing Webmin via SSL, read on...

Start by getting Webmin at:

curl -O http://www.webmin.com/download/webmin-0.92.tar.gz
I then placed it in the Utilities folder; you can put it anywhere you like.

Untar the file:
tar -zxvf webmin-0.92.tar.gz
Now read the manual to see how to set up Webmin.

Download "Darwin Development Environment for Mac OS X" and install it. If you have trouble installing Darwin, you might want to check out this hint (you will need your admin password here):
curl -O http://www.opensource.apple.com/projects/darwin/1.4/darwintools.pkg.tar
tar -xvf darwintools.pkg.tar

Download and install the Perl module "Net_SSLeay.pm":
curl -O http://www.cpan.org/modules/by-module/Net/Net_SSLeay.pm-1.13.tar.gz
tar -zxvf Net_SSLeay.pm-1.13.tar.gz
cd Net_SSLeay.pm-1.13
./Makefile.PL -t # builds and tests it, or "perl Makefile.PL"
make install # You probably have to su to root to do this
perldoc Net::SSLeay # optional, but highly recommended
perldoc Net::SSLeay::Handle

If the command perl -e 'use Net::SSLeay' doesn't output any error message, then the SSL support that Webmin needs is properly installed.

You can now log into Webmin and enable SSL by going here:
http://127.0.0.1:10000/webmin/edit_ssl.cgi

Now you can use HTTPS by simply going to:
https://127.0.0.1:10000/

You'll notice your browser will say something's wrong (can't be verified) with the certificate. It's a "self-signed certificate" not verified by an external yahoo like VeriSign, hence the error. The connection is encrypted, however.
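Because a self-signed certificate cannot be checked against a CA, the only way to know you are talking to your own Webmin server is to compare certificate fingerprints yourself. The script below is an added example, not part of the original hint: it pins the certificate by SHA-256 fingerprint. The host, port and pinned value are supplied by you, and it assumes an OpenSSL build that supports -sha256.

```shell
#!/bin/sh
# Added example: pin a self-signed Webmin certificate by SHA-256 fingerprint.
# HOST, PORT and the pinned fingerprint are caller-supplied (assumptions).

# Reduce "SHA256 Fingerprint=AB:CD:..." (any OpenSSL version) to bare lowercase hex.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' | tr -d ': \r' | tr 'A-F' 'a-f'
}

# Succeed only if the value is exactly 64 lowercase hex digits (a SHA-256 digest).
is_sha256_hex() {
    case "$1" in
        *[!0-9a-f]*|'') return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Compare two fingerprints after normalization; malformed input never matches.
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    is_sha256_hex "$a" && is_sha256_hex "$b" && [ "$a" = "$b" ]
}

# Fingerprint of the certificate the listener presents (fetched without trusting it).
live_fp() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# Fingerprint of a certificate file, for recording the pin on the server itself.
file_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# usage: check_webmin_cert HOST PORT PINNED_FINGERPRINT
check_webmin_cert() {
    seen=$(live_fp "$1" "$2") || { echo "no certificate from $1:$2" >&2; return 2; }
    if fp_matches "$seen" "$3"; then
        echo "OK: certificate matches pin"
    else
        echo "MISMATCH: presented $(normalize_fp "$seen")" >&2
        return 1
    fi
}

# Run the check only when called with HOST PORT PIN.
if [ "$#" -eq 3 ]; then check_webmin_cert "$@"; fi
```

Record the pin once from a trusted session on the server (file_fp on Webmin's certificate file), then run the check from the client before logging in. A mismatch means the listener is presenting a different certificate than the one you pinned.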

You can create other certificates per Webmin user. You'll have to change the path to openssl in Webmin at:

https://127.0.0.1:10000/config.cgi?acl

The correct path under 10.1 is:

/usr/bin/openssl

You can also create another certificate authority (CA) at:

https://127.0.0.1:10000/webmin/edit_ca.cgi

That's it; you should now have a secure, working copy of Webmin running.

[Editor's note: This hint requires a fair amount of knowledge at the command line prompt. If you are unsure of how to proceed, you might not want to try this without some help.]

Mac OS X Hints
http://hints.macworld.com/article.php?story=20020226235050467