Open NiceGuyIT opened 11 months ago
si458
commented
11 months ago DEV NOTES:
maybe a setting in config.json under domains to lock the url, something like agentDownloadToken: a1b2c3d4e5
would need to change the agentinvites download panel meshinstall.sh to include token if set
si458
commented
11 months ago OOO the is already something listed in the code called lockagentdownload but its not in the config.json scheme!
and its under the normal settings in config.json
if ((obj.parent.config.settings != null) && ((obj.parent.config.settings.lockagentdownload == true) || (domain.lockagentdownload == true)) && (req.session.userid == null)) { res.sendStatus(401); return; }so if lockagentdownload: true in config.json AND you arent logged in, then send a 401 not found !?
NiceGuyIT
commented
11 months ago so if
lockagentdownload: truein config.json AND you arent logged in, then send a 401 not found !?
Yes! That prevents downloads. Unfortunately, it breaks the script install. Maybe this was an incomplete feature?
./install-script.sh
--2023-11-15 08:56:30-- https://mesh.example.com/meshagents?script=1
Resolving mesh.example.com (mesh.example.com)... 172.30.0.119
Connecting to mesh.example.com (mesh.example.com)|172.30.0.119|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
--2023-11-15 08:56:30-- https://mesh.example.com/meshagents?script=1
Resolving mesh.example.com (mesh.example.com)... 172.30.0.119
Connecting to mesh.example.com (mesh.example.com)|172.30.0.119|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Username/Password Authentication Failed.
./install-script.sh: line 1: ./meshinstall.sh: Permission denied4 years ago the line was added if git is right 😆 lets not rush things! ill add it to docs
EDIT: thats also correct, the script wont work because its downloading the agent, which you have blocked! so you would need to download the script, store it somewhere, then change it to download the agent from wherever you store the agent files thats allowed (a side effect sadly)
si458
commented
11 months ago added lockAgentDownload to docs/schema for others to see
https://github.com/Ylianst/MeshCentral/commit/fb8883a9d911ea336c7c62021d7fe897f7e1de2d
PrplHaz4
commented
11 months ago Would it make sense to put the download behind agentKey if defined? Since it's already going to be available in the msh file, and required in the request querystring to meshcentral, requiring it in the URL to download may not actually increase exposure, but will reduce the chances of random requests to download the agent being honored.
"agentKey": {
"type": [
"string",
"array"
],
"items": {
"type": "string"
},
"default": null,
"description": "Requires that agents add the value ?key=xxx in the URL in order to connect. This is not automatic and needs to be manually added in the meshagent.msh file."
},
MeshCentral version 1.1.9
Is your feature request related to a problem? Please describe. As a MeshCentral user, I would like the agent download to be protected by a token. Consider the following.
If you add a token to that, the server responds with "Unauthorized".
The "Linux / BSD" script shown in the GUI does not have a token or mesh ID and relies on the
meshagentthat was downloaded to get the settings from the server. The settings from the server DO require auth (AFAICT).Describe the solution you'd like I would like something more like this script that enforces a token to download the agent. Note: The install script uses
meshidas the "token", which is used in the install script to download the settings. It may be better to usemeshidinstead oftoken.Describe alternatives you've considered N/A
Additional context See discussion #5551 for more context.