
Feature Request: Put agent download behind (token?) authentication #5554

Open
NiceGuyIT opened this issue Nov 15, 2023 · 6 comments · May be fixed by #5962

Comments

@NiceGuyIT

MeshCentral version 1.1.9

Is your feature request related to a problem? Please describe.
As a MeshCentral user, I would like the agent download to be protected by a token. Consider the following.

$ curl --location --output meshagent.bin 'https://mesh.example.com/meshagents?id=3'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3722k  100 3722k    0     0  25.7M      0 --:--:-- --:--:-- --:--:-- 25.9M
$ ls -la meshagent.bin
-rw-r--r-- 1 root root 3811656 Nov 15 08:28 meshagent.bin

If you add a token to that, the server responds with "Unauthorized".

$ curl --location --output meshagent.bin 'https://mesh.example.com/meshagents?id=3&meshid=0000000000000000000000000000000000000000000000000000000000000000'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    12  100    12    0     0    472      0 --:--:-- --:--:-- --:--:--   480
$ cat meshagent.bin
Unauthorized

The "Linux / BSD" script shown in the GUI does not have a token or mesh ID and relies on the meshagent that was downloaded to get the settings from the server. The settings from the server DO require auth (AFAICT).

(
wget "https://mesh.example.com/meshagents?script=1" -O ./meshinstall.sh ||
wget "https://mesh.example.com/meshagents?script=1" --no-proxy -O ./meshinstall.sh
) &&
chmod 755 ./meshinstall.sh &&
sudo -E ./meshinstall.sh https://mesh.example.com '0000000000000000000000000000000000000000000000000000000000000000' ||
./meshinstall.sh https://mesh.example.com '0000000000000000000000000000000000000000000000000000000000000000'

Describe the solution you'd like
I would like something more like this script that enforces a token to download the agent. Note: The install script uses meshid as the "token", which is used in the install script to download the settings. It may be better to use meshid instead of token.

(
wget "https://mesh.example.com/meshagents?script=1&token=0000000000000000000000000000000000000000000000000000000000000000" -O ./meshinstall.sh ||
wget "https://mesh.example.com/meshagents?script=1&token=0000000000000000000000000000000000000000000000000000000000000000" --no-proxy -O ./meshinstall.sh
) &&
chmod 755 ./meshinstall.sh &&
sudo -E ./meshinstall.sh https://mesh.example.com '0000000000000000000000000000000000000000000000000000000000000000' ||
./meshinstall.sh https://mesh.example.com '0000000000000000000000000000000000000000000000000000000000000000'

Describe alternatives you've considered
N/A

Additional context
See discussion #5551 for more context.

@si458
Collaborator

si458 commented Nov 15, 2023

DEV NOTES:
maybe a setting in config.json under domains to lock the url, something like agentDownloadToken: a1b2c3d4e5
would need to change the agentinvites download panel meshinstall.sh to include token if set

@si458
Collaborator

si458 commented Nov 15, 2023

OOO there is already something listed in the code called lockagentdownload but it's not in the config.json schema!
and its under the normal settings in config.json

if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true)) && (req.session.userid == null)) { res.sendStatus(401); return; }

so if lockagentdownload: true in config.json AND you aren't logged in, then send a 401 not found !?

@NiceGuyIT
Author

> so if lockagentdownload: true in config.json AND you aren't logged in, then send a 401 not found !?

Yes! That prevents downloads. Unfortunately, it breaks the script install. Maybe this was an incomplete feature?

./install-script.sh
--2023-11-15 08:56:30--  https://mesh.example.com/meshagents?script=1
Resolving mesh.example.com (mesh.example.com)... 172.30.0.119
Connecting to mesh.example.com (mesh.example.com)|172.30.0.119|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.
--2023-11-15 08:56:30--  https://mesh.example.com/meshagents?script=1
Resolving mesh.example.com (mesh.example.com)... 172.30.0.119
Connecting to mesh.example.com (mesh.example.com)|172.30.0.119|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized

Username/Password Authentication Failed.
./install-script.sh: line 1: ./meshinstall.sh: Permission denied

@si458
Collaborator

si458 commented Nov 15, 2023

4 years ago the line was added, if git is right 😆
let's not rush things!
I'll add it to docs

EDIT: that's also correct, the script won't work because it's downloading the agent, which you have blocked!
so you would need to download the script, store it somewhere, then change it to download the agent from wherever you store the agent files that's allowed (a side effect sadly)

@si458
Collaborator

si458 commented Nov 15, 2023

added lockAgentDownload to docs/schema for others to see
fb8883a

@PrplHaz4
Contributor

Would it make sense to put the download behind agentKey if defined? Since it's already going to be available in the msh file, and required in the request querystring to meshcentral, requiring it in the URL to download may not actually increase exposure, but will reduce the chances of random requests to download the agent being honored.

"agentKey": {
  "type": [
    "string",
    "array"
  ],
  "items": {
    "type": "string"
  },
  "default": null,
  "description": "Requires that agents add the value ?key=xxx in the URL in order to connect. This is not automatic and needs to be manually added in the meshagent.msh file."
},

@si458 si458 linked a pull request Mar 26, 2024 that will close this issue