Koozali.org: home of the SME Server

Change user password from outside

Mike Scott

Change user password from outside
« on: February 11, 2003, 07:17:28 PM »
I've seen some requests for this before, but couldn't find an answer.
I'm setting up a SME v5.6 server primarily for email.
All of my users will be 'remote' and accessing the server via webmail.
I would also like to make the "Change Account Password" function available via https://mydomain/user-password without having to set them up with VPN.  This is important as I don't want to have to babysit non-technical users through a VPN install just to change a password.

I don't want the entire management suite available, I'd just like users to be able to simply change their passwords (only through https, like I currently have webmail).

I've spent the last hour playing with remote access options in server-manager and trying to figure out what's changing.  I figured it would modify httpd.conf, but alas it wasn't so.

Is there an easy way to make this change?  Please feel free to refer me to past archives, I've searched, but perhaps am not using the correct keywords.

I may just have to roll my own.  I don't care about SAMBA on this box and will probably end up disabling it.  This is just a web/email server box.  Any help would be greatly appreciated.  Thanks.

Bill Talcott

Re: Change user password from outside
« Reply #1 on: February 11, 2003, 08:05:44 PM »
/server-manager/, /user-password/, and /user-manager/ are all available via HTTPS to addresses specified at the bottom of the Remote Access panel. http://www.e-smith.org/docs/howto/remote-mgr-access-howto.html describes how to add the value(s) manually for <5.5.

Graham

Re: Change user password from outside
« Reply #2 on: February 11, 2003, 09:28:03 PM »
You can move the userpassword cgi file to a publicly accessible place, such as your primary cgi directory.
/etc/e-smith/web/panels/password/cgi-bin/userpassword

I suggest you password protect the area where you put it though.

Mike Scott

Re: Change user password from outside
« Reply #3 on: February 11, 2003, 10:35:31 PM »
Yeah, but what if I don't know what those addresses are?
Or, if they connect via dial-up with DHCP, I would have to open up each ISP's entire network and modify things every time they change.
You can see how this can become unwieldy very quickly.
I would like the users to be able to connect from anywhere via webmail, and they should be able to change their password from any https web browser.
Since user-password already requires prior knowledge of the username and old password, plus https provides encryption, this should be safe.

Jon Blakely

Re: Change user password from outside
« Reply #4 on: February 11, 2003, 11:57:47 PM »
Mike,

You can use the ip address 0.0.0.0  subnet 0.0.0.0

This will allow https access to user-password, user-manager from anywhere on the net.

However it will also allow https access to server-manager which you may consider too much of a security risk.

Jon

Mike Scott

Re: Change user password from outside
« Reply #5 on: February 12, 2003, 02:04:26 AM »
Well, that seemed to work, sort of.  I tried to cheat and just symlink it, but Linux saw right through that :-).  I copied the file to my default page's cgi-bin directory.

When I view the page via https, I don't get the graphic and the fonts are all default.  Looking at the source, I think it has something to do with files in the /server-common directory.  There's a stylesheet and the graphic there.  Funny though, if I open it http (no s), it looks normal.

I haven't yet tried changing the password to see if it works.  Is there a way to force users to open it in https, or generate another page that redirects them to the https if they open in http?

I have to dig out my perl books, been awhile since I wrote perl code.

Richard Dols

Re: Change user password from outside
« Reply #6 on: February 12, 2003, 01:55:04 PM »
Hello,

I tried to do the same. I changed the configuration a little bit (look below), but more important, there seems to be a little bug in the templates. It tries to set a proxyset for every virtual domain, but that's bogus because the links are exactly the same so only the last entry is used for every domain.

But the above bug doesn't change the effect you want:

Very simple, but OK solution:

Copy the file:
  92ProxyPassPassword
from
  /etc/e-smith/templates/etc/httpd/conf/httpd.conf
to
  /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf

Edit the destination file, remove the last line with $OUT completely including the { on the previous and the } on the next line, replace it with "allow from all" without the "".

The simplest way to activate this setting is to create (and delete) an ibay through the server-manager.

Now http://yourdomain.com/user-password should work from the internet.

Regards,
  Richard Dols

Mike Scott

Re: Change user password from outside
« Reply #7 on: February 14, 2003, 12:23:15 AM »
I just found this in the Wishlist forum:

http://forums.contribs.org/index.php?topic=20014.msg78712#msg78712

It looks like Dungog Networks has a package that makes the user password and some other stuff externally available.

http://www.dungog.net/sme/howto/delegate.php

This looks like it will do exactly what I want AND some things I didn't think of!

According to their web page, it's compatible with v5.6, I'm going to give it a try and I'll report back to the group.

Mike Scott

Re: Change user password from outside
« Reply #8 on: February 15, 2003, 12:10:48 AM »
Well, the Dungog enhancements are pretty cool and add a bunch of worthwhile utilities.  I still had to open the server-manager up to the internet by setting a network address and subnet mask of 0.0.0.0 on the remote access screen.

Thanks to Jon Blakely for that tip:
http://forums.contribs.org/index.php?topic=16500.msg63827#msg63827

Ray Mitchell

Re: Change user password from outside
« Reply #9 on: February 17, 2003, 03:49:44 AM »
Jon Blakely wrote:
> You can use the ip address 0.0.0.0  subnet 0.0.0.0
> However it will also allow https access to server-manager
> which you may consider too much of a security risk.

The access is still via https so in what way do you feel that the security risk is too much?
The risk is no greater than VPN'ing, is it?
I still need to enter the admin user name and password either way.

Thanks & Regards
Ray Mitchell

Danny Wong

Re: Change user password from outside
« Reply #10 on: November 18, 2003, 02:31:05 AM »
Does anyone feel like this is a severe security risk?  I too want to allow external access, but setting to 0.0.0.0 does not open the firewall, it just allows access to local server manager, right?

Ray Mitchell

Re: Change user password from outside
« Reply #11 on: November 18, 2003, 02:48:37 AM »
It is allowing access to your server manager to "anyone", they will of course need the correct admin password, and as that is the only level of security then your password should be a "strong" one. Nonetheless, your server manager is wide open to continued attempts to crack the password.

I personally would not leave it set to 0.0.0.0 all the time, it's probably OK for short term occasional use (ie turn it on and off as needed), but not really secure considering you effectively open your whole server if the password is cracked (same password as root).

A far better way is to make a VPN connection to your server (with your user name and password) and then connect via IP to your server manager (with admin user and password) ie http://yourIP/server-manager. This is very secure, as secure as VPN can get.

Regs
Ray
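
The risk described in the reply above (a world-reachable server-manager facing repeated password guesses) can at least be watched for. The following is an added example, not code from the thread or from SME Server: it counts failed logins against the three panel paths from non-local clients, assuming the panels use HTTP authentication so that a failure is logged as a 401 in an Apache common/combined-format access log. `LOCAL_NETS`, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: the server's local network; clients here are not counted.
LOCAL_NETS = [ip_network("192.168.1.0/24")]
# The three panel paths named in the thread.
PANELS = ("/server-manager", "/user-password", "/user-manager")

# Log line prefix: ip ident user [time] "METHOD path proto" status bytes
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_panel_logins(lines, threshold=3):
    """Return {(client_ip, panel): count} for remote clients with at least
    `threshold` HTTP 401 responses on one of the panel paths."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:  # hostname or garbage in the client field
            continue
        if any(ip in net for net in LOCAL_NETS):
            continue
        path = m["path"].split("?", 1)[0]
        panel = next((p for p in PANELS
                      if path == p or path.startswith(p + "/")), None)
        if panel:
            hits[(str(ip), panel)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample lines (documentation addresses), not real traffic.
T = "[18/Nov/2003:02:40:01 +0000]"
SAMPLE_LOG = (
    [f'203.0.113.7 - admin {T} "GET /server-manager/ HTTP/1.1" 401 401'] * 4
    + [f'192.168.1.20 - admin {T} "GET /server-manager/ HTTP/1.1" 401 401'] * 3
    + [f'198.51.100.9 - jim {T} "POST /user-password HTTP/1.1" 401 401'] * 2
    + [f'198.51.100.9 - jim {T} "POST /user-password HTTP/1.1" 200 1523']
)

if __name__ == "__main__":
    for (ip, panel), n in failed_panel_logins(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins on {panel}")
```
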

Danny Wong

Re: Change user password from outside
« Reply #12 on: November 18, 2003, 06:58:33 PM »
Yes, VPN is how I have accessed in the past, but allowing password changes, would then require allowing VPN access which I do not want to do.  Are there better ways to allow remote password changes than is discussed here?

Ray Mitchell

Re: Change user password from outside
« Reply #13 on: November 19, 2003, 05:00:24 AM »
Danny

> Yes, VPN is how I have accessed in the past, but allowing password changes,
> would then require allowing VPN access which I do not want to do.

Why don't you want to allow VPN access?
If you set up your server correctly using groups, and set ownership of ibays to different groups (as required), you will be able to limit the access a user has to ibays via VPN.
If a user is not a member of any group then they will not be able to access resources on the server. They will only be able to access http://yourIP/user-password and https://yourIP/user-manager (if installed). You can limit access to user manager panels though for each user.

Regs
Ray

Jim Huneycutt

Re: Change user password from outside
« Reply #14 on: November 19, 2003, 05:50:54 AM »
I am also looking for an easy way to allow users to change their passwords remotely from any location, and without resorting to vpn. These 200 or so "users" only use email and are not part of any particular organization. They are also accustomed to going to a web site and clicking on a link to change their passwords with a competitor and that's what I've been asked to provide.

I have not been able to accomplish this with SME so I'm still looking for a viable solution. As far as VPN goes, I know there have been many posts here discussing the issue and points have been made as to how VPN can be setup seamlessly. I have not had much success with users and VPN although I use it myself when necessary. I have some very intelligent professionals as users, some in technical areas, that cannot get VPN (specifically pptp) to work without a lot of handholding as connections are dropped or they can't remember the sequence of events (connect first, then map a drive for example). In every case, despite taking a lot of time to setup the user's computer and train them on how to make the connection, etc., they have stopped using the "feature" because it's too much trouble (I'm just quoting the users, I would love to turn them around and have them eager VPN users!)

But for this one case, I cannot support 200 email users doing VPN just to change a password now and then. Compare having to setup a vpn connection, make the connection, login, load something like the dungog user-panel (great product!!! by the way), login to the user panel, and then finally change your password vs clicking on a change password (https) link on a web page.

I'm hopeful someone out there has solved this problem already!

Many thanks,
jim