Koozali.org: home of the SME Server

Remote access to /user-password?

DanB35 (http://www.familybrown.org)
Remote access to /user-password?
« on: November 30, 2017, 10:05:19 PM »
A forum search finds a couple of questions on this going back 15+ years (e.g., https://forums.contribs.org/index.php/topic,3711.msg12713.html#msg12713; https://forums.contribs.org/index.php/topic,2691.msg9075.html#msg9075), but no answers.  My SME box is used for my family, and I have accounts for a number of remote family members.  There's no reason that they need access to my LAN, and most of them wouldn't know how to set up a VPN connection in any event.  So, is there a way to (1) allow remote users to access /user-password (but not /server-manager), or (2) allow them to change their passwords some other way?

Ah, looks like this is Bug #3 (https://bugs.contribs.org/show_bug.cgi?id=3).  I can't be the only one with remote users.

Jean-Philippe Pialasse, aka Unnilennium (http://smeserver.pialasse.com)
Re: Remote access to /user-password?
« Reply #1 on: November 30, 2017, 10:41:09 PM »
Well, in this bug I might have oversimplified.

There is a common login system for both user-password and server-manager. So technically it would open both, at least for the part allowing to guess the admin password and then change it. Locking you out ;) this is the paranoid speaking.


On the other hand, more and more servers are in the cloud, so you might see more and more the need to connect to the manager from anywhere.

For the moment, my answer would be: if they have a static IP, just add them to ValidFrom.

If they don't, you could add their ISP's IP block.

The next step would rather be to add a restriction to the server-manager folder to restrict it to your LAN only, leaving server-common and user-password open. This could be a simple custom template.

Anyway, this would need a complete rethinking for a 2020 world before doing something with bug 3 ;)


DanB35 (http://www.familybrown.org)
Re: Remote access to /user-password?
« Reply #2 on: November 30, 2017, 10:51:51 PM »
Quote
There is a common login system for both user-password and server-manager. So technically it would open both, at least for the part allowing to guess the admin password and then change it.
Really?  Because that's not what the manual (https://wiki.contribs.org/SME_Server:Documentation:User_Manual:Chapter1) says:
Quote
Unlike user passwords, the admin/root passwords can not be set via www.yourserver.net/user-password, nor can they be set on a windows client via Ctrl+Alt+Del. Admin/root passwords must be set via the server manager or via the console commands passwd, either on the console directly or via SSH.

And no, none of them have static IPs.

Jean-Philippe Pialasse, aka Unnilennium (http://smeserver.pialasse.com)
Re: Remote access to /user-password?
« Reply #3 on: December 01, 2017, 07:21:23 PM »
Quote
Really?  Because that's not what the manual (https://wiki.contribs.org/SME_Server:Documentation:User_Manual:Chapter1)
You are right, I was mixing it up with user-manager.


Quote
And no, none of them have static IPs.

Still, you might not want to open this page to the whole internet. You could start by checking their usual IP addresses and running a whois on those to obtain the IP block you need to add to a whitelist.


Looking at /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/27ManagerProxyPass

you might be able to make some changes:

Code:
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts
cp   /etc/e-smith/templates/etc/httpd/conf/httpd.conf/02externalSSLAccessString /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/02externalSSLAccessStringUserPassword

cp /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/27ManagerProxyPass  /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/



Then start editing
/etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/02externalSSLAccessStringUserPassword to get this:

Code:
{
    #---------------------------------------------------------------------
    # Grab UserPasswordValidFrom access list property of httpd-admin.
    # The /user-password location should additionally allow access from
    # IP's in this list, on top of ValidFrom and the local networks.
    #
    # Only $UserPasswordexternalSSLAccess is initialised here. This
    # fragment is expanded right after 02externalSSLAccessString, so
    # resetting $externalSSLAccess in it would wipe the ValidFrom list
    # that the VirtualHosts fragments still need.
    #---------------------------------------------------------------------

    $UserPasswordexternalSSLAccess = '';
    $OUT = '';

    my $UserPasswordValidFrom = ${'httpd-admin'}{'UserPasswordValidFrom'};
    return unless defined $UserPasswordValidFrom;

    # comma separated list -> space separated, as "allow from" expects;
    # a /255.255.255.255 host mask is dropped, leaving the bare address
    $UserPasswordValidFrom =~ s/,/ /g;
    $UserPasswordValidFrom =~ s:/255.255.255.255::g;
    $UserPasswordexternalSSLAccess = $UserPasswordValidFrom;
}


Then update /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/27ManagerProxyPass; change this:

Code:
        elsif (($haveSSL eq 'yes') && (($port eq $sslPort) || ($plainTextAccess ne 'yes')))
        {
            $OUT .= "        allow from $localAccess $externalSSLAccess\n";
        } else {

to this:

Code:
        elsif (($haveSSL eq 'yes') && (($port eq $sslPort) || ($plainTextAccess ne 'yes')))
        {
            if ($place eq 'user-password')
            {
                # user-password also gets the UserPasswordValidFrom list
                $OUT .= "        allow from $localAccess $externalSSLAccess $UserPasswordexternalSSLAccess\n";
            }
            else
            {
                # server-manager and server-common keep the original restriction
                $OUT .= "        allow from $localAccess $externalSSLAccess\n";
            }
        } else {

Finally you just have to fill in the IP block you want (replace with what is needed):

Code:
config setprop httpd-admin UserPasswordValidFrom ip.ip.ip.ip/255.255.0.0,ip.ip.ip.ip/255.255.0.0
signal-event remoteaccess-update

It might do the trick; another approach would be to simply "allow from all" for user-manager if UserPasswordValidFrom eq all.
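A check to run after the procedure above, as an added example that is not part of the thread and not SME Server's own code: it reads the generated httpd.conf and confirms that the UserPasswordValidFrom block appears in the allow list of <Location /user-password> but not in that of <Location /server-manager>, which is the whole point of the split. The Location blocks printed by sample_conf() are constructed for this example to look like what 27ManagerProxyPass emits; the path /etc/httpd/conf/httpd.conf and the addresses (192.168.1.0/24 LAN, 203.0.113.10 static ValidFrom host, 198.51.100.0/24 ISP block) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from SME Server: verify that the
# remote family's IP block reaches /user-password only.

# allow_for LOCATION FILE: print every "allow from" list found inside
# <Location /LOCATION> ... </Location>.
allow_for() {
    awk -v loc="/$1>" '
        $1 == "<Location" && $2 == loc { inside = 1; next }
        inside && $1 == "</Location>"  { inside = 0 }
        inside && $1 == "allow" && $2 == "from" {
            $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print
        }
    ' "$2"
}

# exposed_to LOCATION IPBLOCK FILE: exit 0 when IPBLOCK is a token of the
# allow list for LOCATION. Matching is exact, so pass the block in the form
# the template emits: a bare IP for /255.255.255.255 hosts, ip/netmask else.
exposed_to() {
    allow_for "$1" "$3" | tr ' ' '\n' | grep -qxF "$2"
}

# sample_conf: constructed stand-in for the two Location blocks written by
# 27ManagerProxyPass once the custom fragments are in place (assumed layout).
sample_conf() {
    cat <<'EOF'
<Location /server-manager>
    order deny,allow
    deny from all
    allow from 192.168.1.0/255.255.255.0 127.0.0.1 203.0.113.10
</Location>
<Location /user-password>
    order deny,allow
    deny from all
    allow from 192.168.1.0/255.255.255.0 127.0.0.1 203.0.113.10 198.51.100.0/255.255.255.0
</Location>
EOF
}

# check_split IPBLOCK FILE: exit 0 when IPBLOCK can reach /user-password and
# cannot reach /server-manager; exit 1 otherwise (a block that reaches both,
# like a static host listed in ValidFrom, is reported as not split).
check_split() {
    if ! exposed_to user-password "$1" "$2"; then
        echo "FAIL: $1 cannot reach /user-password"
        return 1
    fi
    if exposed_to server-manager "$1" "$2"; then
        echo "FAIL: $1 can reach /server-manager"
        return 1
    fi
    echo "OK: $1 reaches /user-password only"
}

# Run against the constructed sample. On a real server, after
# `signal-event remoteaccess-update`, use the generated file instead:
#   check_split 198.51.100.0/255.255.255.0 /etc/httpd/conf/httpd.conf
tmp=$(mktemp)
sample_conf > "$tmp"
check_split 198.51.100.0/255.255.255.0 "$tmp"
rm -f "$tmp"
```

Run it as root on the server with the real httpd.conf path; if server-manager still lists the remote block, the custom 27ManagerProxyPass fragment was not picked up (check that the copy landed in templates-custom and that the event re-expanded httpd.conf).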