New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security question #122

Closed
hart323 opened this Issue Jul 8, 2014 · 5 comments

Comments

Projects
None yet
2 participants
@hart323
Contributor

hart323 commented Jul 8, 2014

Correct me if I'm wrong.

  1. The only thing that protect unuthorized machine to build/read configuration is server SERIAL NUMBER?
  2. Unuthorized machine can create unlimited bogus servers on fmdns server by spoofing SERIALS.
  3. What is AUTHKEY, how to use it?

Thanks! Great product by the way!

@WillyXJ WillyXJ added core labels Jul 8, 2014

@WillyXJ

This comment has been minimized.

Owner

WillyXJ commented Jul 8, 2014

  1. SERIALNO and AUTHKEY
  2. They would also have to change hostnames as the client installer will check if a server entry is already present for the php_uname() server.
  3. AUTHKEY is a part of a future implementation where facileManager will be able to support multiple accounts and under each account you will have users, servers, etc. So, right now there's no way of "using" it.

Good questions - thanks. I'm always open to suggestions.

@hart323

This comment has been minimized.

Contributor

hart323 commented Jul 8, 2014

  1. I can use perl script and not official client to create bogus servers ;-) so now the only option is to use firewall and block http/s ports from particular IPs.
  2. AUTHKEY would be great if implement something like salted password authentication.
    server has KEY , client has KEY
    client generate url that contains ServerID, random Salt, Hashed password obtained from AUTHKEY and Salt.

how to protect from 2) ? You can create option something like "initial setup" on server, when enabled, it allows dynamic addition of clients, but when you disable it, no clients can be added dynamicly.

@WillyXJ

This comment has been minimized.

Owner

WillyXJ commented Jul 8, 2014

  1. Servers are also added in a 'disabled' state, so even though bogus servers could be created, they cannot receive any configuration updates without manually being 'enabled' first.
  2. Thanks for the suggestion. That may be implemented with 2.0 (or whenever the accounts management is implemented).
@hart323

This comment has been minimized.

Contributor

hart323 commented Jul 9, 2014

  1. That is part of solution. Need protection from malicious addition of clients.

@WillyXJ WillyXJ added this to the 2.0 release milestone Jan 15, 2015

@WillyXJ

This comment has been minimized.

Owner

WillyXJ commented Jan 15, 2015

A global setting is now available to allow/disallow automatic client registrations. This will be available in 2.0-beta1 and later.

@WillyXJ WillyXJ closed this Jan 15, 2015

WillyXJ added a commit that referenced this issue Jan 20, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment