Skip to content
This repository has been archived by the owner on Jan 21, 2021. It is now read-only.

Latest commit

 

History

History
62 lines (43 loc) · 2.91 KB

SECURITY.md

File metadata and controls

62 lines (43 loc) · 2.91 KB
Raw

Securing your Artemis Server

Overview

This version enables very fine grained security down to the individual key level but it is not production ready yet. There are complex aspects of signalk security still developing, which will be incorporated in due course.

This default install uses https with self-signed certificates.

Browsers will complain the connection is untrusted, you can safely continue for non-critical installations. You can also disable https in the configuration.

NOTE: the tcp/udp signalk streams are NOT encrypted (yet).

If security is important, you need to get a real signed certificate (see https://letsencrypt.org)

By default the security is set up as follows:

  • One default user admin with the stupid password of admin. You need to change this. See below.
  • If messages contain a token, the user is derived from the token, and appropriate permissions applied.
  • If they have no token:
    • AIS messages over serial or n2k are assigned the ais user.
    • AIS messages over internal_ip are assigned the tcp_internal user.
    • NMEA0183 messages received on serial connections (or serial over USB) are assigned the serial user. Usually this is NMEA0183 gps data etc.
    • NMEA0183 messages received on internal_ip are assigned the tcp_internal user.
    • NMEA0183 messages received on external_ip are assigned the tcp_external user.
    • N2K messages from N2K (canboat) are assigned the n2k user.
    • N2K messages on the internal network are assigned the tcp_internal user.
    • JSON_DELTA and JSON_FULL messages over serial are assigned the serial user.
    • All other messages get the public user

The User 'Roles' allow the permissions for these default users to be controlled. Full RBAC rules based filtering is in the pipeline. Obviously a secure installation needs to secure those N2K, AIS, SERIAL and TCP sources to prevent bad actors.

Manage Users and Roles

  • Start you server and point your browser at https://[your server]:8080
  • Use the LOGIN button to login, use the admin user
  • Select the 'Manage Server' tab
  • Select 'Users'

At the top of the screen you will see the user list (somewhat ugly, help gratefully accepted!)

  • Reset the admin password by entering in the password field. It will need at least 8 chars.

The password will later be converted to a hash, so you wont see it again. If you need to fix a forgotton password open the ./conf/security-conf.json delete the hash, and the comma before it

Note the user is assigned one or more 'Roles'. They are defined at the bottom of the page.

You will see the 'Official' role is allowed to read some data, including environment, so the can get weather data etc But that also allows them data from inside the boat which we dont want, so we deny environment.inside