ironmansoftware / powershell-universal

Issue tracker for PowerShell Universal
https://powershelluniversal.com

Block /login from external locations #2617

Open ricoroodenburg opened 1 year ago

ricoroodenburg commented 1 year ago

Summary of the new feature / enhancement

By default it is possible to reach the /login page, if you have exposed PowerShell Universal to the web. This is not always desirable. Please make it possible to block access to the /login page from external networks.

Just like Home Assistant, where you can enable an option "Can only log in from the local network" at the user level. I think for PowerShell Universal it would be better to create a global option like "Can only reach the form login page from the local network".

Proposed technical implementation details (optional)

An option "Can only reach the form login page from the local network".

Omzig commented 1 year ago

There is kiosk mode, but that turns it off completely...

insomniacc commented 1 year ago

I'm also interested in something similar, not the exact same request but the end goal is the same: security. At the moment local admin is force-enabled; I've tried disabling it, deleting it, etc., but it just comes back. I've modified the form login script, but the local admin account bypasses the login script anyway. I have OIDC enabled via environment vars with the admin users defined in my roles. The form-based login is also always force-enabled regardless of settings that attempt to disable it. It also has no lockout or imposed delay, meaning it's brute-forceable. The only thing I've been able to do is set the admin account with a ridiculously long password, but it doesn't stop attempts being made if bots happen to scan the endpoint, and I'd rather be able to disable it altogether and use the OIDC-enabled MFA'd accounts instead.

I posted about my use case more here: https://forums.ironmansoftware.com/t/disable-form-based-auth/9573

I too would welcome either a way to restrict this to a local-network login only or to disable it altogether.

@Omzig - What is Kiosk mode? I searched in the documentation and couldn't find anything about that.

adamdriscoll commented 1 year ago

This issue has been mentioned on Ironman Software Forums. There might be relevant details there:

https://forums.ironmansoftware.com/t/disable-form-based-auth/9573/15
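While no such option exists in the product, the restriction requested in this issue can be enforced in front of PowerShell Universal by a reverse proxy. The nginx configuration below is an added example, not code from this issue or from the PowerShell Universal project; it assumes PSU listens on 127.0.0.1:5000, that the host firewall blocks direct access to that port so all traffic passes through the proxy, and placeholder hostname, certificate paths and local address ranges that you would replace with your own.

```nginx
# Added example (not from the issue or from PowerShell Universal):
# serve the form login page only to local-network clients, leave
# everything else reachable. Assumes PSU is bound to 127.0.0.1:5000
# and that port 5000 is not reachable except through this proxy.

upstream psu {
    server 127.0.0.1:5000;
}

server {
    listen 443 ssl;
    server_name psu.example.internal;              # placeholder hostname
    ssl_certificate     /etc/nginx/certs/psu.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/psu.key;  # placeholder path

    # Form login page: allow only the local ranges (adjust to your network),
    # deny everyone else before the request ever reaches PSU.
    location /login {
        allow 127.0.0.1;
        allow 10.0.0.0/8;
        allow 172.16.0.0/12;
        allow 192.168.0.0/16;
        deny  all;                                 # external clients get 403

        proxy_pass http://psu;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Dashboards, APIs and the OIDC callback stay reachable from anywhere.
    location / {
        proxy_pass http://psu;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade; # WebSocket upgrade for dashboards
        proxy_set_header Connection "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The allow/deny rules match on the TCP peer address, so if another load balancer sits in front of nginx you must configure set_real_ip_from and real_ip_header first or every client will appear local. If the login form submits credentials to a different path than /login, that path needs the same allow/deny block, otherwise only the page is hidden and not the credential check behind it.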