Add authentication

[samyk]

John, awesome project! This has been working great so far.

As the project grows, more and more users are going to be running this on public IPs so they can reach their CNC mill at home. The day will come when someone uses shodan.io or similar to find all (publicly accessible) SPJS servers and mass-carves something bad into everyone's waste board! Especially as more people run it on RasPis and port forward so they can access their cam/mill/etc remotely.

Wanted to start considering an authentication feature to prevent this. Some requirements I think would be good:

• on by default (config option to turn it off)
• generates a strong, random password for the user upon first startup and provides it in the console
• passwords are hashed using strong hash+salt (eg bcrypt)
• stores the user/hashed password(s) in a simple text file (config file time?)
• in web interface, remember username/password forever by default so user never needs to log in again (not part of SPJS technically)
• optional mode (NOT on by default) to not require passwords for the same subnet (eg, their LAN, based off of ifconfig/ip settings)
• optional mode (NOT on by default) to not require passwords at all
• option to flush/reset passwords

Thoughts? Happy to possibly implement this myself as well but wanted to work out the requirements and get your ideas.

[chilipeppr]

One core thought has been to not have SPJS handle authentication rather
have it handled at an alternate/higher layer. Memcache works this way with
no password management and it's a hugely popular server. The model is to
let the firewall handle the security.

However, I think authentication would be cool to even have the CP cloud
know that you have SPJS running so that CP can auto connect to your SPJS
rather than having you scan your subnet.

I would just go with Google's authentication and follow suit exactly with
how I did CP's login system.

On Thu, Mar 17, 2016 at 1:32 AM, Samy Kamkar notifications@github.com
wrote:

John, awesome project! This has been working great so far.

As the project grows, more and more users are going to be running this on
public IPs so they can reach their CNC mill at home. The day will come when
someone uses shodan.io or similar to find all (publicly accessible) SPJS
servers and mass-carves something bad into everyone's waste board!
Especially as more people run it on RasPis and port forward so they can
access their cam/mill/etc remotely.

Wanted to start considering an authentication feature to prevent this.
Some requirements I think would be good:

• on by default (config option to turn it off)
• generates a strong, random password for the user upon first startup
  and provides it in the console
• passwords are hashed using strong hash+salt (eg bcrypt)
• stores the user/hashed password(s) in a simple text file (config
  file time?)
• in web interface, remember username/password forever by default so
  user never needs to log in again (not part of SPJS technically)
• optional mode (NOT on by default) to not require passwords for the
  same subnet (eg, their LAN, based off of ifconfig/ip settings)
• optional mode (NOT on by default) to not require passwords at all
• option to flush/reset passwords

Thoughts? Happy to possibly implement this myself as well but wanted to
work out the requirements and get your ideas.

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub
#47

[DanielJoyce]

They can do more than that.

Added exec and execruntime commands. The exec command lets you simply execute any command on the host operating system as if you were logged in at the command line. This is similar to the program command which essentially was executing a command on the command line. However, now you can do any command you want. Make sure your host OS is behind a firewall as this method opens up your device to any command being executed on it. Changes in 1.86

In the reccomended install and init scripts, SPJS runs as root! If it is on a public facing ip, a remote attacker effectively has root access to the box and can do anything they want!

exec rm -rf /for example. Or create a login account with root credentials.

MEMCACHED doesn't let you run arbitrary system commands.

[johnlauer]

Keep in mind most people run this on a Raspi and it is behind a firewall. From: Daniel [mailto:notifications@github.com] Sent: Thursday, February 23, 2017 8:42 AM To: johnlauer/serial-port-json-server <serial-port-json-server@noreply.github.com> Cc: Subscribed <subscribed@noreply.github.com> Subject: Re: [johnlauer/serial-port-json-server] Add authentication (#47) They can do more than that. Added exec and execruntime commands. The exec command lets you simply execute any command on the host operating system as if you were logged in at the command line. This is similar to the program command which essentially was executing a command on the command line. However, now you can do any command you want. Make sure your host OS is behind a firewall as this method opens up your device to any command being executed on it. Changes in 1.86 In the reccomended install and init scripts, SPJS runs as root! If it is on a public facing ip, a remote attacker effectively has root access to the box and can do anything they want! — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub<#47 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/AA8jlY2iRt_vhQn0IEniiEpQOLUVjtZQks5rfbbBgaJpZM4HyuPe>.

[DanielJoyce]

I don't think you grasp how incredibly unsafe this is. You're asking every user out there to ensure they have NAT and a firewall set up properly on their home network.

What happens if someone goes to makerfaire or their makerspace with SPJS and their 3D printer and forgets that when they have it running, they effectively are broadcasting root access to their box?

[chilipeppr]

No they're not as it requires a username/password.

…

On Thu, Feb 23, 2017 at 8:46 AM, Daniel ***@***.***> wrote: I don't think you grasp how incredibly unsafe this is. You're asking every user out there to ensure they have NAT and a firewall set up properly on their home network. What happens if someone goes to makerfaire with SPJS and their 3D printer and forgets that when they have it running, they effectively are broadcasting root access to their box? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#47 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHidbezAJpucKRsp63I1z0e4P7sK51lPks5rfbgBgaJpZM4HyuPe> .