52.7. Requesting a Client SSL Key

Users normally authenticate themselves to Webmin with a username and password. If they are running in SSL mode and using a modern browser like IE or Netscape, however, it is possible to set up Webmin to authenticate them via a client-side SSL key, instead. Usually an SSL web server sends its certificate to the client for authentication purposes, but the protocol also allows clients to send their certificates to the server.

The advantages of this method are that there is no longer a need to remember a username and password and that the old method of authentication can be disabled so that only clients with the SSL key can connect. Attackers, therefore, cannot break in by guessing your password or by looking over your shoulder as you type. Some browsers even support the storage of SSL keys on removable smart cards, which is even more secure.

Before a client key can be issued, Webmin must be switched to SSL mode and a certificate authority key generated. Both these subjects are covered in Chapter 51. Once this is done, the steps to request a key are:

1. Log in to Webmin as the user for whom you want to create a key, using the browser in which the key should be stored. Browsers keep a list of client-side keys, usually protected by some password that must be entered only once when a key is first needed. It is usually possible to export keys to another browser of the same type.

2. Go to the Webmin Users module and click on the Request an SSL Certificate icon at the bottom of the page.

3. The form that appears will be different depending on whether you are running Internet Explorer or Netscape. The following instructions apply to Netscape and Mozilla, as they are the most common browsers on UNIX systems.

4. Enter a name into the Your name field, such as Joe Bloggs.

5. Enter your email address into the Email address field, such as [email protected].

6. If your Webmin system is on a company or organization network, fill in the Department and Organization fields. Otherwise, they can be left blank.

7. Enter the state your system is in into the State field, such as California.

8. Enter a two-letter country code like US into the Country code field.

9. From the Key size menu, select the number of bits in the SSL key that will be created. The higher the number, the more secure, but the longer it will take to be authenticated. 1024 bits should be secure enough for anyone.

10. Click on the Issue Certificate button. Your browser should pop up a window showing the key-generating progress, which is done on the client system. When it is complete and has been sent back to Webmin, a success page will be displayed.

11. Click on the pick up your certificate link to store the newly generated and signed key in your browser. You may be asked by the browser for a password to secure your certificates.

12. To test that everything worked, log out of Webmin and quit your browser. Then, rerun it and attempt to connect. The login page should be bypassed and the main menu displayed. The text SSL certified should appear next to your username in the browser's status bar.

13. Once SSL client authentication is working, you may no longer want clients to be able to log in as this Webmin user with a username and password. To enforce this, go to the Webmin Users module, click on your username, select No password accepted from the Password menu, and hit Save.
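The exchange behind steps 4 to 11 can be reproduced with the openssl command-line tool to see which side holds which file. This is an added example, not code from Webmin or from the book; the throwaway CA, the file names, the function names, the sample email address and the 2048-bit key size are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo: everything lives in a temporary directory and uses a
# throwaway CA. It mirrors the browser flow; it is not Webmin's own code.

issue_client_cert() {
    # $1 = working directory, $2 = key size in bits (the Key size menu)
    dir=$1; bits=$2
    # Stand-in for the certificate authority key the server already holds.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Webmin CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Client side: generate the key pair and a signing request that carries
    # the form fields (country, state, organization, department, name, email).
    openssl req -new -newkey "rsa:$bits" -nodes \
        -subj "/C=US/ST=California/O=Example Org/OU=IT/CN=Joe Bloggs/emailAddress=joe@example.com" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    # Server side: the CA signs the request. Only client.csr (public key
    # plus subject) is needed here; client.key never leaves the client.
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
        -out "$dir/client.pem" 2>/dev/null || return 1
}

cert_chains_to_ca() {
    # Succeeds only if the issued certificate verifies against the CA.
    openssl verify -CAfile "$1/ca.pem" "$1/client.pem" >/dev/null 2>&1
}

cert_key_bits() {
    # Print the public key size recorded in the issued certificate.
    openssl x509 -in "$1/client.pem" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

cert_subject() {
    # Print the subject the CA bound to the client's public key.
    openssl x509 -in "$1/client.pem" -noout -subject
}

# Stand-alone run: issue one certificate and report what was signed.
work=$(mktemp -d)
issue_client_cert "$work" 2048 && cert_chains_to_ca "$work" &&
    echo "issued $(cert_key_bits "$work")-bit certificate: $(cert_subject "$work")"
rm -rf "$work"
```

The same three inspection functions work on a certificate exported from a browser in PEM form, given the CA certificate that signed it.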
