Security? Yes please


#1
  • Please add a way to change the credentials from the web ui.
  • Please add support for SSH key authentication
  • Please add support for HTTPS

#2

Did you even try ‘ssh-copy-id [email protected]{local,lan}’?


#3

@sv_sigint

  • Re: credentials from web UI: Agreed, but then again make sure it's not exploitable.
  • Re: HTTPS: Curious, how would you propose they address the issue of the local IP/domain cert?

See here for a workaround:


#4

Sure, but my ssh key didn’t persist after I copied it in.

As to addressing and names, same way as any other device, eg. my NAS and router. I can turn on HTTPS, and it’s up to me to make sure DNS resolves correctly and that I’m getting my certificate from a CA I trust. Maybe that’s a local CA that I run, trusted only by devices I can personally touch. Maybe that’s LetsEncrypt. Maybe that’s a commercial CA. Maybe stick it behind an nginx proxy… but not everyone is going to have one of those.

I haven’t even begun to look for command injection opportunities in the web UI. I’m not planning on exposing my server publicly.
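The "local CA that I run" route from the post above, as an added example that is not from the thread or the Dreamcatcher project: mint a private CA, issue the device a cert whose SANs cover its LAN name and IP (the exact problem #3 raised), verify the chain, and emit the nginx TLS terminator that fronts the plain-HTTP web UI. The hostname, IP, upstream port and output directory are assumed values.

```shell
#!/bin/sh
# Added example, not from the thread. Requires openssl (1.1.1+) on the PATH.
# All names/addresses below are assumed/constructed; adjust for your LAN.
set -eu
DEVICE_HOST="dreamcatcher.lan"   # assumed local DNS name for the device
DEVICE_IP="192.168.1.50"         # assumed LAN address (constructed)
UPSTREAM="http://127.0.0.1:80"   # assumed: the web UI's plain-HTTP listener
OUT="${OUT:-./pki}"              # where keys, certs and nginx config land

make_local_pki() {
  mkdir -p "$OUT"
  # 1. Private CA. Only devices you personally install ca.crt on will trust it;
  #    keep ca.key off the device and off the proxy host.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/CN=Home Lab Root CA" -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 2>/dev/null
  # 2. Server key + CSR for the device's hostname.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$DEVICE_HOST" \
    -keyout "$OUT/server.key" -out "$OUT/server.csr" 2>/dev/null
  # 3. Browsers match on SANs, not CN: list the LAN name AND the raw IP.
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$DEVICE_HOST" "$DEVICE_IP" > "$OUT/san.ext"
  openssl x509 -req -in "$OUT/server.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$OUT/san.ext" -out "$OUT/server.crt" 2>/dev/null
}

# Check it the way a client would: chains to our CA and carries the IP SAN.
verify_cert() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$OUT/server.crt" -noout -ext subjectAltName | grep -q "IP Address:$DEVICE_IP"
}

# nginx terminates TLS and proxies to the device's HTTP UI; port 80 just redirects.
write_nginx_conf() {
  cat > "$OUT/dreamcatcher.conf" <<EOF
server {
    listen 443 ssl;
    server_name $DEVICE_HOST;
    ssl_certificate     $OUT/server.crt;
    ssl_certificate_key $OUT/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / { proxy_pass $UPSTREAM; proxy_set_header Host \$host; }
}
server { listen 80; server_name $DEVICE_HOST; return 301 https://\$host\$request_uri; }
EOF
}

make_local_pki
verify_cert && echo "server.crt chains to ca.crt and covers $DEVICE_HOST / $DEVICE_IP"
write_nginx_conf
```

Install ca.crt into the trust store of each client you control; the cert paths in dreamcatcher.conf are relative to where you ran this, so use absolute paths when you move it into nginx's conf directory.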


#5

@sv_sigint I feel like that is still outside the intended usage scope of the Dreamcatcher, which is to be accessed without internet connectivity.

I could be wrong but I feel the option to connect to existing Wi-Fi is for our convenience but outside of the official use case. For them to add HTTPS support is not that trivial and not required at all for the intended use case.

I am not opposed to the idea at all, but if anything it should be assigned low priority.

In the meantime, for your use case, the nginx proxy idea would work with my script; if you know JavaScript you’ll find the part of my code that does autologin and can remove it, and it should work on a local network.


#6

HTTPS: Let’s Encrypt can generate a serviceable cert, but their automation needs to verify the server where the cert is going. That means crypto challenges from a distant online system to your online system. A self-signed cert would be simpler.
SSH: /mnt/conf is where the persistent magic lives 🙂