s0t7x / decky-sunshine

Decky plugin to easily toggle the Sunshine game streaming server when in game mode.

Bad Default Credentials #12

Open qsecnet opened 3 months ago

qsecnet commented 3 months ago

During the initial setup of the sunshine server, it installs if not already present on the system. For better user experience (UX) I guess default username and password are set, both defaulting to "decky_sunshine". Upon server start, the web UI is served on *:47790. This setup poses a significant security risk as anyone within the LAN could access the web UI using the default credentials and potentially change the server's credentials, granting unauthorized access.

Suggestions:

  1. Randomize the default password during installation to enhance security.
  2. Display the randomized default password once after setup completion, allowing the user to note it for future web UI logins or credential changes.
  3. Implement a function to fully reset / reinstall the sunshine server.

Impact:

s0t7x commented 3 months ago

Upon viewing this feedback, I've decided to implement a solution that addresses these concerns. Moving forward, during the installation process, the default password for the sunshine server will be randomized.

Furthermore, after the setup process is completed, users will receive the randomized default password. This ensures that users have access to secure credentials for logging into the web UI or making credential changes.

I want to express my gratitude for the feedback provided. By implementing randomized default passwords, we're taking proactive steps to enhance the overall security of the sunshine server within LAN environments which sunshine itself does not.

Additionally, I'll update the installation documentation to reflect these changes and emphasize the importance of noting the randomized password for secure server access.

I'm committed to delivering a secure and reliable experience for all users.

I aim to complete the implementation of this enhancement with v0.3.3.

Once again, thank you for bringing this security concern to my attention!
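The install-time change suggested in the report and promised in the reply above, as an added example that is not the plugin's own code: a CSPRNG-generated password replaces the shipped "decky_sunshine" default and is passed to Sunshine's documented `--creds USER PASS` option. Function names and the injectable `run` hook are assumptions made for this example.

```python
import secrets
import string
import subprocess

# The shipped default described in the issue (hypothetical constant names).
DEFAULT_USER = "decky_sunshine"
DEFAULT_PASSWORD = "decky_sunshine"
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def is_default_credential(username: str, password: str) -> bool:
    """Detect the known shipped default so setup can refuse to keep it."""
    return username == DEFAULT_USER and password == DEFAULT_PASSWORD


def generate_password(length: int = 20) -> str:
    """Password from the OS CSPRNG; 20 chars over 62 symbols is ~119 bits."""
    if length < 12:
        raise ValueError("refusing to generate a short password")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_creds_argv(username: str, password: str, sunshine_bin: str = "sunshine") -> list:
    """argv for Sunshine's credential-setting CLI: sunshine --creds USER PASS."""
    return [sunshine_bin, "--creds", username, password]


def initial_setup(username: str = DEFAULT_USER, run=subprocess.run) -> str:
    """Install-time step: randomize the password, apply it, return it once.

    The caller shows the returned value to the user a single time (suggestion 2
    in the report) instead of leaving the LAN-reachable web UI on a known default.
    `run` is injectable so the step can be exercised without a Sunshine install.
    """
    password = generate_password()
    if is_default_credential(username, password):
        raise RuntimeError("generated password collided with the shipped default")
    run(build_creds_argv(username, password), check=True)
    return password


if __name__ == "__main__":
    # Dry run: print the argv instead of invoking the real binary (assumption).
    shown_once = initial_setup(run=lambda argv, check: print("would run:", argv))
    print("note this password now, it will not be shown again:", shown_once)
```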

qsecnet commented 3 months ago

If you would like me to support further, I would be able to provide a PR this week.

s0t7x commented 3 months ago

Yes, thank you! Any contribution is highly appreciated!

s0t7x commented 2 months ago

I guess I'll reassign myself. No offense, I did not work on this project myself. Tell me soon if you still want to do it.