Open NiceGuyIT opened 11 months ago
DEV NOTES:
maybe a setting in config.json under domains to lock the url, something like agentDownloadToken: a1b2c3d4e5
would need to change the agentinvites, download panel, meshinstall.sh to include the token if set
OOO there is already something listed in the code called lockagentdownload
but it's not in the config.json schema! and it's under the normal settings in config.json
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true)) && (req.session.userid == null)) { res.sendStatus(401); return; }
so if lockagentdownload: true in config.json AND you aren't logged in, then send a 401 not found!?
so if lockagentdownload: true in config.json AND you aren't logged in, then send a 401 not found!?
Yes! That prevents downloads. Unfortunately, it breaks the script install. Maybe this was an incomplete feature?
./install-script.sh
--2023-11-15 08:56:30-- https://mesh.example.com/meshagents?script=1
Resolving mesh.example.com (mesh.example.com)... 172.30.0.119
Connecting to mesh.example.com (mesh.example.com)|172.30.0.119|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
--2023-11-15 08:56:30-- https://mesh.example.com/meshagents?script=1
Resolving mesh.example.com (mesh.example.com)... 172.30.0.119
Connecting to mesh.example.com (mesh.example.com)|172.30.0.119|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
./install-script.sh: line 1: ./meshinstall.sh: Permission denied
4 years ago the line was added if git is right 😆 let's not rush things! I'll add it to docs
EDIT: that's also correct, the script won't work because it's downloading the agent, which you have blocked! So you would need to download the script, store it somewhere, then change it to download the agent from wherever you store the agent files that's allowed (a side effect sadly)
added lockAgentDownload to docs/schema for others to see
https://github.com/Ylianst/MeshCentral/commit/fb8883a9d911ea336c7c62021d7fe897f7e1de2d
Would it make sense to put the download behind agentKey if defined? Since it's already going to be available in the msh file, and required in the request querystring to meshcentral, requiring it in the URL to download may not actually increase exposure, but it will reduce the chances of random requests to download the agent being honored.
"agentKey": {
"type": [
"string",
"array"
],
"items": {
"type": "string"
},
"default": null,
"description": "Requires that agents add the value ?key=xxx in the URL in order to connect. This is not automatic and needs to be manually added in the meshagent.msh file."
},
MeshCentral version 1.1.9

Is your feature request related to a problem? Please describe.
As a MeshCentral user, I would like the agent download to be protected by a token. Consider the following.

If you add a token to that, the server responds with "Unauthorized".

The "Linux / BSD" script shown in the GUI does not have a token or mesh ID and relies on the meshagent that was downloaded to get the settings from the server. The settings from the server DO require auth (AFAICT).

Describe the solution you'd like
I would like something more like this script that enforces a token to download the agent. Note: The install script uses meshid as the "token", which is used in the install script to download the settings. It may be better to use meshid instead of token.

Describe alternatives you've considered
N/A

Additional context
See discussion #5551 for more context.