
Add authentication

Open samyk opened this issue 9 years ago • 5 comments

John, awesome project! This has been working great so far.

As the project grows, more and more users are going to be running this on public IPs so they can reach their CNC mill at home. The day will come when someone uses shodan.io or similar to find all (publicly accessible) SPJS servers and mass-carves something bad into everyone's waste board! Especially as more people run it on RasPis and port forward so they can access their cam/mill/etc remotely.

Wanted to start considering an authentication feature to prevent this. Some requirements I think would be good:

  • on by default (config option to turn it off)
  • generates a strong, random password for the user upon first startup and provides it in the console
  • passwords are hashed using strong hash+salt (eg bcrypt)
  • stores the user/hashed password(s) in a simple text file (config file time?)
  • in web interface, remember username/password forever by default so user never needs to log in again (not part of SPJS technically)
  • optional mode (NOT on by default) to not require passwords for the same subnet (eg, their LAN, based off of ifconfig/ip settings)
  • optional mode (NOT on by default) to not require passwords at all
  • option to flush/reset passwords

Thoughts? Happy to possibly implement this myself as well but wanted to work out the requirements and get your ideas.

samyk avatar Mar 17 '16 08:03 samyk
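As an added example (not SPJS's own code, and not posted in this thread), the following stand-alone Python sketch implements the requirements listed above: a strong random password generated on first startup and shown once, a salted password hash stored in a plain text file, constant-time verification, an optional (off by default) same-subnet bypass, and a reset. It uses hashlib.scrypt in place of bcrypt so it runs on the standard library alone; the file path, user name, and cost parameters are assumptions.

```python
# Added example, not SPJS code: minimal form of the proposed auth design.
# scrypt stands in for bcrypt (both are salted, memory/CPU-hard hashes).
import hashlib
import hmac
import ipaddress
import json
import os
import secrets

# Assumed scrypt cost (16 MiB of memory); tune for the host, e.g. a Raspberry Pi.
HASH_PARAMS = dict(n=2 ** 14, r=8, p=1)


def hash_password(password, salt=None):
    """Return 'scrypt$<salt hex>$<digest hex>' for storage in the users file."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **HASH_PARAMS)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               dklen=32, **HASH_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def ensure_credentials(path, user="spjs"):
    """First startup: create a random password, store only its hash, and return
    the clear-text password once so it can be printed to the console.
    Returns None if the users file already exists."""
    if os.path.exists(path):
        return None
    password = secrets.token_urlsafe(24)  # 32 URL-safe characters
    with open(path, "w") as fh:
        json.dump({user: hash_password(password)}, fh)
    os.chmod(path, 0o600)  # only the SPJS user may read the hashes
    return password


def reset_credentials(path):
    """Flush all users; the next ensure_credentials() call issues a new password."""
    if os.path.exists(path):
        os.remove(path)


def is_authorized(path, user, password, client_ip, lan_bypass_cidr=None):
    """Check a login. lan_bypass_cidr enables the optional no-password LAN mode."""
    if lan_bypass_cidr and ipaddress.ip_address(client_ip) in \
            ipaddress.ip_network(lan_bypass_cidr, strict=False):
        return True
    with open(path) as fh:
        users = json.load(fh)
    stored = users.get(user)
    return stored is not None and verify_password(password, stored)
```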

One core thought has been to not have SPJS handle authentication, but rather to have it handled at an alternate/higher layer. Memcache works this way with no password management and it's a hugely popular server. The model is to let the firewall handle the security.

However, I think authentication would be cool to even have the CP cloud know that you have SPJS running so that CP can auto connect to your SPJS rather than having you scan your subnet.

I would just go with Google's authentication and follow suit exactly with how I did CP's login system.


chilipeppr avatar Mar 17 '16 13:03 chilipeppr

They can do more than that.

Added exec and execruntime commands. The exec command lets you simply execute any command on the host operating system as if you were logged in at the command line. This is similar to the program command which essentially was executing a command on the command line. However, now you can do any command you want. Make sure your host OS is behind a firewall as this method opens up your device to any command being executed on it. Changes in 1.86

In the recommended install and init scripts, SPJS runs as root! If it is on a public-facing IP, a remote attacker effectively has root access to the box and can do anything they want!

exec rm -rf / for example. Or create a login account with root credentials.

MEMCACHED doesn't let you run arbitrary system commands.

DanielJoyce avatar Feb 23 '17 16:02 DanielJoyce

Keep in mind most people run this on a Raspi and it is behind a firewall.


johnlauer avatar Feb 23 '17 16:02 johnlauer

I don't think you grasp how incredibly unsafe this is. You're asking every user out there to ensure they have NAT and a firewall set up properly on their home network.

What happens if someone goes to makerfaire or their makerspace with SPJS and their 3D printer and forgets that when they have it running, they effectively are broadcasting root access to their box?

DanielJoyce avatar Feb 23 '17 16:02 DanielJoyce

No they're not as it requires a username/password.


chilipeppr avatar Feb 23 '17 16:02 chilipeppr