FDH2 / UxPlay

AirPlay Unix mirroring server
GNU General Public License v3.0

Pin Code Authentication before starting Mirroring. #113

Closed malikAr closed 1 year ago

malikAr commented 1 year ago

Hi @fduncanh, I have one requirement that when a user starts mirroring it must ask for some type of code for authentication. Once the user enters a valid code, only then does mirroring start.

The code is read by UxPlay from some kind of file, or is some random code self-generated by UxPlay.

fduncanh commented 1 year ago

This is required by Apple TV but not by UxPlay. But if MDM (Mobile device management) is imposed (e.g. on a corporate iOS device) the iOS client may require it. I think this is for corporate security, so company information is not downloaded or streamed to an impostor Apple TV.

I'm assuming your issue involves MDM. correct me if I am wrong.

Currently UxPlay responds with an error message when a pin is requested. At raop.c line 213:

    } else if (!strcmp(method, "POST") && !strcmp(url, "/pair-pin-start")) {
        logger_log(conn->raop->logger, LOGGER_ERR,  "*** ERROR: Unsupported client request %s with URL %s", method, url);
        logger_log(conn->raop->logger, LOGGER_INFO, "*** AirPlay client has requested PIN as implemented on AppleTV,");
        logger_log(conn->raop->logger, LOGGER_INFO, "*** but UxPlay does not require a PIN and cannot supply one.");
        logger_log(conn->raop->logger, LOGGER_INFO, "*** This client behavior may have been required by mobile device management (MDM)");
        logger_log(conn->raop->logger, LOGGER_INFO, "*** (such as Apple Configurator or a third-party MDM tool).");

In principle it is known how this PIN protocol works, but it's too much of a minority requirement to justify implementing it (lots of cryptography). See:

(I think only step 1 of what is described below is the PIN step: the rest is probably what is already implemented by UxPlay, so it might not be so scary, but I don't have time for it now.)

UxPlay does all the required cryptographic pairing each time a client connects, without requiring the PIN. An Apple TV does it one time with the PIN, and remembers the client, so the pairing is in place the next time the client connects. Since UxPlay is not a physical device, it cannot remember clients.

https://htmlpreview.github.io/?https://github.com/philippe44/RAOP-Player/blob/master/doc/auth_protocol.html

If a "pull request" from a fork with a working implementation is proposed, I'll consider it.

Apple configurator can be used to modify MDM restrictions on iOS devices. Is MDM the reason you need the PIN feature?

It might be easy or difficult to implement some form of this PIN protocol, enough to make a client with MDM happy, I don't know. Like implementing a bogus PIN 1234, the same each time.

See also historical discussions about Apple TV pairing: https://github.com/postlund/pyatv/issues/79

fduncanh commented 1 year ago

Most of the articles linked to above are from the point of view of a (Linux) emulation of an iOS client interacting with a real Apple TV.

This is part of pyatv

Your case is the opposite. It could be much easier to implement if it really was worth doing. It would still mean a new PIN would have to be supplied each time the client connects, because there would be no stored history of earlier client-server pairing.

malikAr commented 1 year ago

Thanks, @fduncanh. Let me check the mentioned point.

fduncanh commented 1 year ago

This is relevant: https://github.com/FDH2/UxPlay/issues/33

fduncanh commented 1 year ago

The solution for you is to remove the Mobile Device Management rule that the iOS client must authenticate with a PIN (see #33).

To add the pair-pin-start feature to UxPlay seems far too involved cryptographically, and rarely useful, though the information on how to do it is probably known by now at https://github.com/postlund/pyatv. If you want to try, post back.

Booth1983 commented 1 year ago

Generally a PIN could be a good idea. We're using uxplay in my school network and everyone within the network can connect, not only the students in the classroom. This could be prevented by a PIN. That the PIN has to be typed every time is a good thing for my use, as the student shouldn't be able to connect once he has left the room.

But to be honest, this is just me whining at a high level. I'm very happy with the Software. ;-)

fduncanh commented 7 months ago

@malikAr @Booth1983

Apple-style PIN pairing is now finally implemented in UxPlay (in the soon to be released 1.67).

But it's persistent (so long as the file $HOME/.uxplay.pem that holds UxPlay's private key is not deleted: if that file is deleted, the client will have to PIN-authenticate again the next time it connects).

Use the uxplay -pin option to activate it.

Any comments/suggestions welcomed.
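The lifecycle described in the thread (an Apple TV-style receiver asks for a PIN once, remembers the client, and later connections skip the PIN; UxPlay's version stays paired as long as $HOME/.uxplay.pem survives), modelled end to end as an added example. This is not UxPlay's code and not Apple's protocol: Ed25519/Curve25519 and the SRP6a PIN proof that the linked auth_protocol document describes are replaced by HMAC-SHA256 stand-ins so it runs on the Python standard library alone. The identity-file layout (32 raw bytes), the Server/Client classes, their method names and the demo() walkthrough are all assumptions made for illustration.

```python
"""PIN-gated pairing with persistent trust (illustrative model, not UxPlay code).

Stand-ins: HMAC-SHA256 replaces the Ed25519 signatures, Curve25519 ECDH and the
SRP6a PIN proof of the real AirPlay pairing, so this runs with the stdlib only.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Callable, Dict, Optional, Tuple

PIN_DIGITS = 4


def mac(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC-SHA256 over several fields (no field ambiguity)."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        m.update(len(p).to_bytes(2, "big") + p)
    return m.digest()


def pin_key(nonce: bytes, pin: str) -> bytes:
    return hashlib.sha256(nonce + pin.encode()).digest()


class Server:
    """Receiver. Its long-term secret lives in identity_path (hypothetical
    layout: 32 raw bytes), playing the role of $HOME/.uxplay.pem."""

    def __init__(self, identity_path: str):
        if not os.path.exists(identity_path):
            with open(identity_path, "wb") as f:
                f.write(secrets.token_bytes(32))
        with open(identity_path, "rb") as f:
            self.secret = f.read()
        self.identity = hashlib.sha256(b"id" + self.secret).digest()
        self.pending: Dict[bytes, Tuple[str, bytes]] = {}  # client -> (pin, nonce)

    def pairing_key(self, client_id: bytes) -> bytes:
        # Derived, never stored: delete the identity file and it is gone,
        # which is exactly what forces every client to re-pair.
        return mac(self.secret, b"pairing", client_id)

    # first connection: pair-pin-start, then a PIN-bound setup proof
    def pair_pin_start(self, client_id: bytes) -> Tuple[str, bytes]:
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        nonce = secrets.token_bytes(16)
        self.pending[client_id] = (pin, nonce)  # single use, see pair_setup
        return pin, nonce  # the PIN is only shown on the receiver's screen

    def pair_setup(self, client_id: bytes, proof: bytes) -> Optional[bytes]:
        pin, nonce = self.pending.pop(client_id, (None, None))
        if pin is None:
            return None
        pk = pin_key(nonce, pin)
        expected = mac(pk, b"setup", client_id, self.identity, nonce)
        if not hmac.compare_digest(expected, proof):
            return None  # wrong PIN: client must start over with a new PIN
        blind = mac(pk, b"wrap", nonce)
        return bytes(a ^ b for a, b in zip(self.pairing_key(client_id), blind))

    # later connections: pair-verify, no PIN involved
    def verify_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, client_id: bytes, nonce: bytes, response: bytes) -> bool:
        expected = mac(self.pairing_key(client_id), b"verify", nonce)
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self):
        self.client_id = secrets.token_bytes(32)
        self.trusted: Dict[bytes, bytes] = {}  # server identity -> pairing key

    def connect(self, server: Server, read_pin: Callable[[str], str]) -> str:
        """Returns 'verified' (no PIN) or 'paired' (PIN was required).
        read_pin(displayed) stands in for the person typing the PIN."""
        key = self.trusted.get(server.identity)
        if key is not None:
            nonce = server.verify_challenge()
            if server.verify(self.client_id, nonce, mac(key, b"verify", nonce)):
                return "verified"
        pin, nonce = server.pair_pin_start(self.client_id)
        pk = pin_key(nonce, read_pin(pin))
        proof = mac(pk, b"setup", self.client_id, server.identity, nonce)
        wrapped = server.pair_setup(self.client_id, proof)
        if wrapped is None:
            raise PermissionError("PIN rejected")
        blind = mac(pk, b"wrap", nonce)
        self.trusted[server.identity] = bytes(a ^ b for a, b in zip(wrapped, blind))
        return "paired"


def demo() -> list:
    """Constructed walkthrough: first connect, restart, deleted identity, bad PIN."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "receiver.key")  # stands in for ~/.uxplay.pem
        client, out = Client(), []
        out.append(client.connect(Server(path), lambda pin: pin))  # PIN asked
        out.append(client.connect(Server(path), lambda pin: pin))  # restart: no PIN
        os.remove(path)                                            # identity gone
        out.append(client.connect(Server(path), lambda pin: pin))  # PIN asked again
        try:
            Client().connect(Server(path), lambda pin: "0000" if pin != "0000" else "0001")
            out.append("accepted")
        except PermissionError:
            out.append("rejected")
        return out


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. First, the PIN proof here is a plain MAC under a PIN-derived key, so anyone who captures one exchange can guess all 10^4 PINs offline and unblind the pairing key; the real protocol uses SRP6a precisely so a passive observer gains nothing, and a receiver should additionally expire pending PINs and limit attempts. Second, because the server derives pairing keys from its secret instead of keeping a registry, the only revocation is deleting the identity file, which revokes every client at once, matching what the comment above describes; revoking a single client would need a stored list of paired client identities.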

Booth1983 commented 7 months ago

I'll take a look at it as soon as it's released (and I have time to install it on one of my systems). Thank you for your time so far.

Booth1983 commented 6 months ago

Tested it on Ubuntu 20.04 with an iPad (iOS 17.1.1).

It works very smoothly and fast. The method is easy to use.

No pin needed at second connection. So this feature also works. Everything seems fine so far.

Thank you...