Closed mssalvatore closed 3 years ago
VakarisZ
commented
3 years ago This is useful for us and for test environments, where the island machine is protected via other means. Unless the main goal of this effort is to reduce complexity, I'd suggest a prompt that explains what this option means. This would be cheaper and would make sure that users understand the consequences. Also, we wouldn't need to constantly log in while developing.
mssalvatore
commented
3 years ago Reducing complexity is definitely a motivating factor for this, especially since any complexity in the authentication system can potentially hide security issues. Ideally we should use an off-the-shelf authentication solution, but that's a bigger problem for a different day.
I think we need to look at why our tokens expire so frequently while we're using the system, rather than renewing themselves so the user/developer isn't constantly being kicked out.
During development, we may be able to find a way to disable the authentication that's cleaner than the current mechanism.
Infection Monkey stores very sensitive information (passwords, NTLM hashes, SSH keys, etc.) that could give someone access to large portions of the network. Further more, Infection Monkey allows you to configure it to run arbitrary scripts or executables on any system it can breach. This means Infection Monkey is a very dangerous tool for someone malicious to be able to access. For this reason, we should not allow users to configure unsecured Monkey Islands.
The "I want anyone to access the island" option should be removed.
Tasks
setNoAuth()). (0d) - @shreyamalviya