Security? Yes please

sv_sigint · 2019-04-13T23:18:15.950Z

Please add a way to change the credentials from the web ui.
Please add support for SSH key authentication
Please add support for HTTPS

kb3cs · 2019-04-14T11:55:30.989Z

did you even try ‘ssh-copy-id othernet@othernet.{local,lan}’ ?

zefie · 2019-04-14T21:19:46.062Z

@sv_sigint

Re; credentials from webui: Agreed, but then again make sure its not exploitable
Re; HTTPS: Curious how would you propose they address the issue of the local ip/domain cert?

See here for a workaround:

"Othernet-Online" test service General Othernet Discussions

Here you go, I really didn’t write it up to “publishing standards” but if you can make sense of it have fun with it (for a lil extra security, if your firewall/router offers the option to whitelist addresses in the port forward, only allow your webserver’s IP to access your port forward)

sv_sigint · 2019-04-14T21:35:59.238Z

Sure, but my ssh key didn’t persist after I copied it in.

As to addressing and names, same way as any other device, eg. my NAS and router. I can turn on HTTPS, and it’s up to me to make sure DNS resolves correctly and that I’m getting my certificate from a CA I trust. Maybe that’s a local CA that I run, trusted only by devices I can personally touch. Maybe that’s LetsEncrypt. Maybe that’s a commercial CA. Maybe stick it behind an nginx proxy… but not everyone is going to have one of those.

I haven’t even begun to look for command injection opportunities in the web UI. I’m not planning on exposing my server publicly

zefie · 2019-04-14T23:14:46.564Z

@sv_sigint I feel like that is still outside the intended usage scope of the Dreamcatcher, which is to be accessed without internet connectivity.

I could be wrong but I feel the option to connect to existing Wifi is for our convience but outside of the official use case. For them to add HTTPS support is not that trivial and not required at all for the intended use case.

I am not opposed to the idea at all, but if anything it should be assigned low priority.

In the mean time, for your use case, the nginx proxy idea would work with my script, if you know javascript you’ll find the part of my code that does autologin and can remove it, and it should work on a local network.

kb3cs · 2019-04-15T09:37:42.116Z

HTTPS: Let’s Encrypt can generate a serviceable cert but their automation needs to verify the server where the cert is going. that means crypto challenges from a distant online system to your online system. a self-signed cert would be simpler.
SSH: /mnt/conf is where the persistent magic lives