Access to self-service-password-changes should only be possible via LAN

Hello friends,

I have installed Self-service-password changes from danb35 on my nethserver. The software works really great. But what bothers me is the direct visibility on the internet. What do I have to do so that access works only from the LAN or via a VPN connection? The command “config setprop ssp access private” and a subsequent “signal-event nethserver-self-service-password-update” brings me no success. Is there another screw I have to turn?

Greetings…

Uwe

Hi @transocean,

Try restarting Self Service Password or reboot the server.

I wrote some documentation in French in December 2019 for installing and using SSP on NethServer. There is another document, also in French, for using SSP & AD.

NethServer-201, Cahier-08: Self Service Password – Boutique Micronator.
NethServer-301, Cahier-03: SSP & Active Directory – Boutique Micronator.

Hoping it will help you,

Michel-André

Hi @michelandre,

Thanks for the advice, but it doesn’t do it.
Anyone else have an idea?

Regards…

Uwe

Hi @transocean

I think the solution is to include the Require directive in the Directory section in the Apache conf file for the Self Service Password.

In my case, I use /etc/httpd/conf.d/self-service-passord.conf as the Apache conf file for the SSP.
In your case, you have to add the 3 Require lines as below:

<Directory /usr/share/self-service-password>
...
Require host localhost
Require ip 127.0.0.1
Require ip 192.168
...
</Directory>

This will allow only localhost, 127.0.0.1 (loopback), and your LAN addresses 192.168.x.x.

Reference:

Require directive
mod_authz_core - Apache HTTP Server Version 2.4.

Michel-André

1 Like
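An added example, not part of the posts above or of the SSP module: Apache treats several top-level Require lines in one section as an implicit RequireAny, so a "Require all granted" left in the elided part of the Directory block would still admit every client. This sketch evaluates only the top-level Require lines of a single section (no nested containers, no "Require not"); the function names and the sample sections and addresses are constructed for illustration.

```python
import ipaddress
import re

def require_network(spec):
    """Turn a 'Require ip' argument (full, partial or CIDR) into a network."""
    if "/" not in spec and ":" not in spec:
        octets = spec.rstrip(".").split(".")
        # Partial IPv4 such as "192.168" means the whole 192.168.0.0/16 range.
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
    return ipaddress.ip_network(spec, strict=False)

def is_allowed(section, client):
    """Evaluate the Require lines of one section as an implicit RequireAny."""
    addr = ipaddress.ip_address(client)
    for line in section.splitlines():
        m = re.match(r"\s*Require\s+(\S+)\s*(.*)", line, re.I)
        if not m:
            continue
        kind, args = m.group(1).lower(), m.group(2).split()
        if kind == "all" and args and args[0].lower() == "granted":
            return True  # one granting line is enough under RequireAny
        if kind == "local" and addr.is_loopback:
            return True  # simplified: only the loopback case of "Require local"
        if kind == "ip" and any(addr in require_network(a) for a in args):
            return True
        # "Require host ..." needs a reverse DNS lookup and is not modelled here.
    return False

# Constructed sample: exactly the three lines from the post.
AS_POSTED = """
Require host localhost
Require ip 127.0.0.1
Require ip 192.168
"""

# Constructed sample: the same lines added next to a leftover grant-all rule.
WITH_LEFTOVER = "Require all granted\n" + AS_POSTED

if __name__ == "__main__":
    # 203.0.113.7 is a documentation address standing in for an Internet client.
    for name, section in (("as posted", AS_POSTED), ("with leftover", WITH_LEFTOVER)):
        for client in ("192.168.1.20", "203.0.113.7"):
            print(name, client, "allowed" if is_allowed(section, client) else "denied")
```

After editing the real file, a request from outside the LAN should be answered with 403 Forbidden; if it is not, look for a remaining grant-all line in the same section.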

Hi @michelandre,

Thank you again for this. I will test it within the next days.

Regards…

Uwe

Thank you @michelandre! It works.

Regards…

Uwe

That was kind of the whole point of having it. Users on the LAN can already change their passwords using the user settings page (or, if using Active Directory, directly on a client computer if it’s joined to the domain), but (without SSP) there was no way for a remote user to change a password without exposing all of the server-manager (then) or Cockpit (now) to the Internet as a whole.

Edit: See:

2 Likes

Hi @danb35.

I also understood the meaning of your software as you describe it. Perhaps I am also too concerned about security, which does not exist one hundred percent.

Regards…

Uwe

Security is always a valid concern, and as you say it’s never 100%. But again, if you wanted LAN users to be able to change their passwords, there were already other solutions for that–the stock Nethserver installation gives that capability. But that capability, at the time I wrote this, existed only in the server-manager (Cockpit wasn’t the norm at the time), which is going to be accessible from the LAN in any event. But if I wanted remote users to be able to change their passwords, that meant I had to expose the server-manager to the whole Internet, which (in the interests of security) I didn’t want to do.

If you want local users to be able to change their passwords, I really don’t see any reason to install this–they can already do it through Cockpit. And today, I don’t know that there’s much point in this module even for remote users–Cockpit now allows remote users to change their passwords without exposing the rest of the system to the Internet.

1 Like