Continuing to evaluate Neth… My server is used by a number of family members for email and Nextcloud. Most of them are remote, have no reason to need VPN access to my LAN, and I don’t particularly want to give them access either. But they really need a way to be able to change their passwords. Is there a way to do this in Neth, either built-in or as a module?
Server-manager allows users to change its password from profile page.
And that’s accessible from outside the LAN?
Only you can tell to us…
I dont know which is your RED interface configuration or how is setup internet access.
Also, firewall configuration can block connection to admin interface from any connection.
Yes if 980 is accessible from outside the LAN
It’s probably my background with SME–in that environment, the server manager isn’t available to the WAN at all, at least by default. And that seems like a good security measure–if system administration isn’t accessible from the Internet at all, that closes off a lot of attack vectors. But it sounds like you’re saying that the only way a remote user can change his/her password is if the server manager is exposed to the Internet. That sounds like a lot of exposure for a very small operation.
Also in the SME environment, there’s a separate user-password page. I’d feel a lot better about exposing that than about exposing the entire server manager.
Can I expose it? Sure, it’s behind a pfSense router, so I can easily forward another port. But putting the server manager out on the Internet, protected only by a password (no matter how strong), doesn’t give me warm fuzzies.
1 Like
By design, admin interface has crypted access.
If passwords are good enough, associate the service at fail2ban, it’s not the safest setting.
But for me is quite safe enough.
1 Like
I prefer not exposing it to WAN. Don’t know if there are other options than VPN or SSH forwarding.
1 Like
Did you try to access with user credentials at admin interfaces?
Yes, and getting trusted certs through Let’s Encrypt is easy as well–all of which is good. But all that does is prevent some one from getting usable data by sniffing on the wire. It doesn’t stop brute-forcing a password (though fail2ban would help here), and it doesn’t protect against any vulnerabilities in the server manager.
Likewise. VPN and SSH forwarding work around the issue by making a remote user effectively non-remote, but add a step that most of my users wouldn’t know how to do.
What about the groupware apps? Horde/Sogo/WebTop–does any of them have a “change password” function, and would it work for this?
Yes, and that works–I can log in as a user and change that user’s password. So if I do feel comfortable exposing the server manager to the Internet, that’s a way to do what I’m looking for.
It would be nice to have an isolated page for users to change their password. But then again, I would never want my authentication server exposing anything to the wan.
SOGo lacks the option to change the password afaik. Outlook might be able to handle the forced change and be of use there, haven’t tested that tho.
I have read that, for implementation reasons, passwords should be changed through server manager. I would expect this not to be the case for AD account provider being used for all authentication (nor single server implementations where only mail is used by users)
For apps it could depend on ldap bind parameters ( write permissions)…
Horde and Nextcloud have it if I recall correctly, but never tried.
For Nextcloud with Active Directory account provider:
- Admin > LDAP/AD integration > Advanced > Directory Settings:
- Enable LDAP password changes per user (checkbox)
- Default password policy DN
Ah, hadn’t thought about Nextcloud–and I would be running that, too. I’ll have to test to make sure it works, but that’s a possibility. Though I’d still be concerned about the “implementation reasons” @planet_jeroen mentions.
I agree. But there are thousand of services which allow change of passwords throught the internet. Consequently, it’s still not the safest choice, but for me a safe enough one.
Indeed, which is what I’m wanting to do as well. But I expect most of them keep their overall administration interface much more locked down.
I don’t know if Cockpit implementation would change anything in this regard.
Otherwise, would something like this be a viable solution?
- Self Service Password (github) (php, rpm package)
- PWM (java)
1 Like
Looks very nice, and the existing RPM is a bonus. Besides, I’m kind of Java-phobic. Would changing the password via the LDAP backend be the only thing that would be needed?