51.15. Configuring Authentication

Webmin has several options that control how multiple failed login attempts are handled, how users log in, and how UNIX passwords are checked. The default authentication method uses cookies, but if your browser cannot handle them you may want to switch to basic HTTP authentication instead. The only problem with this method is that there is no way to properly log out, because the HTTP protocol has no support for logging out. It must sometimes be used, however. For example, browsers on MacOS X cannot load applets (such as the ones in the File Manager and SSH/Telnet Login modules) from web servers using cookie authentication.

To configure authentication for Webmin, follow these steps:

1.
Click on the Authentication icon on the module's main page to bring up the authentication form.

2.
When Enable password timeouts is selected, Webmin will detect multiple failed login attempts from the same IP address and lock that host out for a configurable amount of time. This feature should always be turned on, as it stops attackers from using millions of login attempts to guess passwords on your system. The Block hosts with more than field specifies the number of login attempts allowed from a single host before blocking is triggered, while the failed logins for field sets the number of seconds for which a host is blocked. The defaults are reasonable, but you can increase the timeout if you are feeling paranoid.

3.
When Log blocked hosts, logins and authentication failures to syslog is selected, Webmin will send messages to the system logs (covered in Chapter 13) when a user logs in, logs out, or enters an incorrect password. All messages are sent with the authpriv facility. You should leave this option turned on so suspiciously large numbers of login failures can be detected.

4.
When Enable session authentication is selected, Webmin will use its own login form to ask users for a username and password, and set a cookie after the login is complete to identify authenticated clients. To switch to normal HTTP authentication, select Disable session authentication instead.

5.
When using session authentication, Webmin can be configured to automatically log users out if they have been inactive for longer than a certain period of time. To enable this, check the Auto-logout after box and enter a number of minutes into the text field next to it. This feature and the next three are not available when using HTTP authentication.

6.
When Offer to remember login permanently? is checked (as it is by default), the login form will include a check box for permanently remembering the login. When selected, the cookie sent to the user's browser will be marked to indicate that it should be saved even if the browser is shut down and rerun later. This is convenient because it means that the user will not have to log in to Webmin again, but you may consider it a security risk. If so, unchecking this box will remove the remember option from the login form.

7.
The login page includes the hostname from the URL in the message above the username and password fields by default. To hide it, deselect the Show hostname on login screen? box.

8.
Some people like to have a welcome message shown on the login page the first time a user accesses it, perhaps giving information about the server or telling unauthorized people to go away. To enable this on your system, first create an HTML page containing the message that you want to appear. Then, select Show pre-login file and enter the full path to the HTML file in the text field. After a user reads it, he must reload or revisit the page (perhaps by following a link in the page itself) to force the real login form to appear.

9.
Webmin can automatically authenticate connections from localhost by determining which UNIX user is making the connection, and checking to see if a Webmin user of the same name exists. To enable this, select Allow login without password for matching users from localhost. If you run a browser as root on the same system on which Webmin runs and have a Webmin user called root, this feature allows you to access http://localhost:10000/ and be logged in without needing to enter a username and password. It is convenient, but potentially insecure if an attacker can trick a program (such as Squid) into connecting to that URL, which would grant access to Webmin as the UNIX user that program runs as. For this reason, Always require username and password is selected by default.

10.
When the UNIX authentication option is selected for a user in the Webmin users module, his password can be checked by using PAM or by reading the UNIX password file directly. If the Use PAM for UNIX authentication, if available option is selected and the Authen::PAM Perl module is installed, Webmin will attempt to use PAM to validate the user. On Linux, however, this will only work if the /etc/pam.d/webmin service file is set up correctly. This file is included in the RPM package of Webmin.

If your operating system does not support PAM, if the Perl module is not installed, or if the Never use PAM for UNIX authentication option is selected, Webmin will fall back to directly reading the password file. This is more reliable, but will not prevent the use of passwords that are marked as expired. The read users and passwords from file fields specify the file from which to get passwords and the columns to use for the username and password, but should rarely need to be changed as they are set by default to match your operating system.

Because Webmin will use PAM where it can, or read the appropriate password file if PAM is not available, the fields covered in this step should not need to be changed.

11.
The External squid-style authentication program field can be used to enter the full path and parameters to a program that validates passwords. If it is filled in, the External authentication program option will appear in the Password menu for a user in the Webmin Users module, indicating that the user's password should be checked using this command. The program must behave exactly like Squid's external authenticator, covered in Section 44.9 “Setting Up Proxy Authentication”.

12.
Finally, hit Save at the bottom of the form to activate the new authentication settings for subsequent logins.
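As an added illustration of step 11 (this is example code, not part of Webmin or this chapter), the following script speaks the Squid basic-authenticator protocol that the External squid-style authentication program field expects: one "username password" request per line on standard input, one "OK" or "ERR" reply per line on standard output. The credential store, user name, salt and PBKDF2 parameters are constructed for the example; a real deployment would read its records from a protected file.

```python
#!/usr/bin/env python3
"""Squid-style basic authenticator usable as Webmin's external program.

Protocol: each request arrives on stdin as "username password\n";
the reply is "OK" or "ERR" on stdout. The store maps a user name to a
record of the form "pbkdf2$iterations$salt_hex$hash_hex" (constructed).
"""
import hashlib
import hmac
import sys

ITERATIONS = 200_000  # PBKDF2 work factor (example value)

def make_entry(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 record for the store."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

# Constructed sample store; the salt is fixed only so the record is reproducible.
STORE = {
    "alice": make_entry("correct horse", bytes.fromhex("00112233445566778899aabbccddeeff")),
}

def verify(username: str, password: str, store=STORE) -> bool:
    """Return True only if the user exists and the password matches its record."""
    record = store.get(username)
    if record is None:
        # Hash anyway so response time does not reveal which users exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITERATIONS)
        return False
    _, iters, salt_hex, hash_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)  # constant-time compare

def answer(line: str, store=STORE) -> str:
    """Turn one request line into the one-word reply Webmin expects."""
    parts = line.rstrip("\r\n").split(" ", 1)  # password may itself contain spaces
    if len(parts) != 2 or not parts[0]:
        return "ERR"  # malformed request: never treat it as a success
    return "OK" if verify(parts[0], parts[1], store) else "ERR"

def main() -> None:
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # replies must not sit in a buffer behind the pipe

if __name__ == "__main__":
    main()
```

A malformed line or an unknown user yields ERR rather than an exception, so a broken request can never fall through to a login.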
