aptalca Posted June 5, 2017

Quoting an earlier post: "Yes. I actually deleted the docker and image (couldn't figure out how to just delete users). Re-installed the docker. Set verification to 'local'. And then added users and downloaded and installed new ovpn files on the clients. If auto-login is disabled authentication fails with the error posted above. The only way I could connect is enabling auto-login and PAM."

I have it set to use local and auto login and it works fine. Users are preserved through updates.
aptalca Posted June 5, 2017

Quoting an earlier post: "Maybe this is something obvious but I can't seem to work it out. Whenever I update my admin password in the docker from ssh I can login fine with the new password. When I shutdown the docker and restart it, the admin password is changed back to password. This worries me since it's public facing. I've tried to also change the authentication methods but that doesn't seem to prevent this. How do I make the admin password stick and not change? Please help."

The gui probably shouldn't be public facing.
Maticks Posted June 5, 2017

Yes, agree the GUI shouldn't be public facing, but if someone was to VPN to my server with admin and password they would also get a login to my local network.
Maticks Posted June 5, 2017

4 hours ago, aptalca said: The gui probably shouldn't be public facing

My own stupid fault, didn't set auth to Local User before issuing the docker password commands. Works fine now on reboot.
wgstarks Posted June 5, 2017

7 hours ago, aptalca said: I have it set to use local and auto login and it works fine. Users are preserved through updates

I'll give it another try. Do I need to do something more than delete the docker and image to remove users? Obviously did something wrong last time.
aptalca Posted June 5, 2017

Quoting wgstarks: "I'll give it another try. Do I need to do something more than delete the docker and image to remove users? Obviously did something wrong last time."

Probably delete the config folder and start over.
aptalca Posted June 5, 2017

Quoting Maticks: "Yes agree the GUI shouldn't be public facing but if someone was to VPN to my server with admin and password they would also get a login to my local network"

I don't believe you can vpn in using the admin user and password. That is just for the gui access. Vpn access should only be allowed with a client certificate. And that is why your gui should not be publicly available. Gui is only protected by a simple password which can potentially be brute forced. Client cert for vpn is much much more secure. But if you allow public access to the gui, a hacker no longer needs to hack in through vpn. They can just brute force the gui password and create a vpn user for themselves. Don't introduce a weak attack surface by publishing the gui.

If the gui is not publicly available, keeping the admin password default should not be that big of a deal since it can only be accessed on the lan. If someone's already on your lan, they no longer need to hack into your vpn. If someone who is not currently on your lan needs access to vpn, you should create their cert and send it to them. They don't need to access the gui.
wgstarks Posted June 5, 2017

11 minutes ago, aptalca said: And that is why your gui should not be publicly available

Watching this discussion I decided to test admin login via vpn connection. I vpn to my local network and can login to webgui docker admin using the admin/passwd I created when setting up the docker. How do I prevent access to this via vpn?
Maticks Posted June 5, 2017

The Admin user can always VPN in, I cannot see a way to disable this. Provided you change the admin password they cannot login, obviously. But even with the GUI removed they could still brute force the admin password since there is no way to disable that from the UI.
Maticks Posted June 5, 2017

33 minutes ago, wgstarks said: Watching this discussion I decided to test admin login via vpn connection. I vpn to my local network and can login to webgui docker admin using the admin/passwd I created when setting up the docker. How do I prevent access to this via vpn?

    # docker exec -it openvpn-as deluser admin
    Removing user `admin' ...
    Warning: group `admin' has no more members.
    Done.

Problem solved, as long as one of your users is set to admin in the UI.
wgstarks Posted June 5, 2017

37 minutes ago, Maticks said:

    # docker exec -it openvpn-as deluser admin
    Removing user `admin' ...
    Warning: group `admin' has no more members.
    Done.

Problem solved, as long as one of your users is set to admin in the UI.

But won't the default admin user be recreated the next time the docker updates?
Maticks Posted June 5, 2017

I don't use auto updates so I'll just delete it when I update the docker.
wgstarks Posted June 5, 2017

2 minutes ago, Maticks said: I don't use auto updates so I'll just delete it when I update the docker.

In that case wouldn't it just make sense to use "PAM" rather than "Local" authentication? My understanding is that the reason to use local was that users wouldn't have to be recreated/deleted after updating? This is quite a ways outside my knowledge level so I may be totally wrong. Maybe local is better anyway???
aptalca Posted June 5, 2017

7 hours ago, Maticks said: The Admin user can always VPN in, I cannot see a way to disable this. Provided you change the admin password they cannot login, obviously. But even with the GUI removed they could still brute force the admin password since there is no way to disable that from the UI.

As far as I know, you can't vpn in without the certs (unless specifically set in server settings). No one can brute force into your vpn (as long as your certs are high enough bits and they do not have a quantum computer). Even if they know the username and the password, they still cannot vpn in without the certs.

However, the gui allows for access with just the username and password. No certs needed, thus prone to brute force. That's why you don't expose it to the world.
aptalca Posted June 5, 2017

6 hours ago, wgstarks said: In that case wouldn't it just make sense to use "PAM" rather than "Local" authentication? My understanding is that the reason to use local was that users wouldn't have to be recreated/deleted after updating? This is quite a ways outside my knowledge level so I may be totally wrong. Maybe local is better anyway???

PAM means the users on the host OS are used. Local means openvpn keeps its own local database for the user list. Openvpn's list is stored in the config folder and survives container recreation. PAM/OS stored users are in the image and get wiped when the container is deleted.
wgstarks Posted June 5, 2017

17 minutes ago, aptalca said: As far as I know, you can't vpn in without the certs (unless specifically set in server settings)

How is this set in the server settings? Just asking so I can ensure that I don't.

19 minutes ago, aptalca said: However, the gui allows for access with just the username and password. No certs needed, thus prone to brute force. That's why you don't expose it to the world.

Just to be sure I understand, you're saying the proper setup requires vpn connection to the local network and then login to the docker webgui? Or should it be impossible to connect to the webgui via vpn? I did some testing and I can connect to admin if I connect to lan via vpn first. Just want to be sure this is proper setup. I would prefer not to be able to access the gui at all under any circumstances from outside my LAN. Not sure if that's possible though? BTW, thanks for the help.
aptalca Posted June 5, 2017

4 minutes ago, wgstarks said: How is this set in the server settings? Just asking so I can ensure that I don't. Just to be sure I understand, you're saying the proper setup requires vpn connection to the local network and then login to the docker webgui? Or should it be impossible to connect to the webgui via vpn? I did some testing and I can connect to admin if I connect to lan via vpn first. Just want to be sure this is proper setup. I would prefer not to be able to access the gui at all under any circumstances from outside my LAN. Not sure if that's possible though? BTW, thanks for the help.

You have to manually add "client-cert-not-required" to the server config to disable certs.

You should be able to access the gui only when you're on your home lan. No remote access (from the wan or internet) to the gui. However, it's ok to be able to access the gui when you're vpn'ed in, because vpn technically puts you on the home lan (you can set whether vpn clients should have access to the subnet of your unraid server or not).

Basically, don't forward a port on your router for the openvpn gui port (default 943 I believe) and you'll be fine. Only forward the tcp and udp ports for vpn access.
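The two exposure mistakes aptalca's post names, turned into a check you can run against your own setup: an added POSIX shell example, not from this thread, the linuxserver.io image or OpenVPN itself. It assumes OpenVPN 2.x directive names (the "client-cert-not-required" directive from the post, and its newer spelling "verify-client-cert none/optional"), a GUI port of 943 as the post says (override with GUI_PORT), and that you hand it your router's forwarded-port list as a space-separated string. The two config files it creates are constructed samples, not real server configs.

```shell
#!/bin/sh
# Added example: audit an OpenVPN server config (or the extra directives you
# pasted into the AS admin UI) plus a router forward list for the two
# mistakes discussed above. Not part of the thread or the container.
# Assumptions: OpenVPN 2.x directive names; GUI on TCP 943 (override with
# GUI_PORT); forwarded ports given as e.g. "1194/udp 443/tcp".

GUI_PORT="${GUI_PORT:-943}"

# Print findings and return 1 if the config lets clients in without a cert.
audit_cert_verification() {
    cfg="$1"
    bad=0
    # The deprecated directive named in the post above (a leading '#' means
    # it is commented out and does not match).
    if grep -Eq '^[[:space:]]*client-cert-not-required([[:space:]]|$)' "$cfg"; then
        echo "WEAK: $cfg: client-cert-not-required (VPN accepts username/password alone)"
        bad=1
    fi
    # Its OpenVPN 2.4+ replacement, in either of the weak forms.
    if grep -Eq '^[[:space:]]*verify-client-cert[[:space:]]+(none|optional)([[:space:]]|$)' "$cfg"; then
        echo "WEAK: $cfg: verify-client-cert none/optional (client cert not enforced)"
        bad=1
    fi
    return "$bad"
}

# Return 1 if the GUI port appears in the forwarded-port list.
audit_forwarded_ports() {
    for entry in $1; do
        port="${entry%%/*}"            # drop a "/tcp" or "/udp" suffix
        if [ "$port" = "$GUI_PORT" ]; then
            echo "WEAK: GUI port $GUI_PORT is forwarded from the WAN; forward only the VPN ports"
            return 1
        fi
    done
    return 0
}

# Combined check: 0 only when certs are enforced and the GUI is not exposed.
audit_vpn_exposure() {
    rc=0
    audit_cert_verification "$1" || rc=1
    audit_forwarded_ports "$2" || rc=1
    [ "$rc" -eq 0 ] && echo "OK: client certs required, GUI not forwarded"
    return "$rc"
}

# Constructed sample configs (not taken from a real server).
TMP="$(mktemp -d)"
GOOD_CFG="$TMP/good.conf"
WEAK_CFG="$TMP/weak.conf"
cat > "$GOOD_CFG" <<'EOF'
port 1194
proto udp
dev tun
tls-auth ta.key 0
# client-cert-not-required   (commented out, so it must not be flagged)
EOF
cat > "$WEAK_CFG" <<'EOF'
port 1194
proto udp
dev tun
client-cert-not-required
username-as-common-name
EOF

# Demo: a correct setup, then both mistakes at once.
audit_vpn_exposure "$GOOD_CFG" "1194/udp 443/tcp" || true
audit_vpn_exposure "$WEAK_CFG" "1194/udp 943/tcp" || true
```

Point it at the real file and your real forward list (for example audit_vpn_exposure /path/to/server.conf "1194/udp 443/tcp") and treat any WEAK line as something to fix before the server faces the internet; the script only reads the config and never changes it.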
wgstarks Posted June 5, 2017

1 hour ago, aptalca said: PAM means the users on the host OS are used. Local means openvpn keeps its own local database for the user list. Openvpn's list is stored in the config folder and survives container recreation. PAM/OS stored users are in the image and get wiped when the container is deleted.

So, security wise there isn't really any difference between pam and local? Just a different location for storing the credentials?
aptalca Posted June 6, 2017

To my knowledge, that is correct.
fc0712 Posted June 6, 2017

Hey, thanks for this container. According to the Readme I need to SSH into the server every time there is an update to the container? Is there any way to make this setting persist through an update? Talking about the change of default admin password.
CHBMB Posted June 6, 2017

14 minutes ago, fc0712 said: Hey, thanks for this container. According to the Readme I need to SSH into the server every time there is an update to the container? Is there any way to make this setting persist through an update? Talking about the change of default admin password.

Scroll two posts up....
wgstarks Posted June 6, 2017

17 minutes ago, fc0712 said: Hey, thanks for this container. According to the Readme I need to SSH into the server every time there is an update to the container? Is there any way to make this setting persist through an update? Talking about the change of default admin password.

Looks like best practice would be to disable auto updating and only update when you can also ssh and delete the default admin.
CHBMB Posted June 6, 2017

I use local instead of PAM, create a new user (chbmb), make them admin and delete the default admin.
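CHBMB's routine (local auth, a new superuser, then drop the default admin) together with the deluser step Maticks posted, as an added post-update script. This is not from the thread, the linuxserver.io image or OpenVPN AS. It assumes the container is named openvpn-as and that the Access Server's own sacli tool sits at /usr/local/openvpn_as/scripts/sacli inside it; the sacli calls used (ConfigPut on auth.module.type, UserPropPut with prop_superuser, SetLocalPassword, start) are the Access Server's documented command-line interface. DRY_RUN=1 prints the container commands instead of executing them, which is also how the script can be exercised on a box without Docker.

```shell
#!/bin/sh
# Added example, not from the thread, the linuxserver.io image or OpenVPN AS.
# Run after each container update/recreation: switch to the local user DB,
# create (or update) a named superuser with a password, apply the config,
# and only then remove the image's bootstrap "admin" OS account.
# Assumptions: container "openvpn-as"; sacli at the path below inside it.
# DRY_RUN=1 prints the container commands instead of executing them.

CONTAINER="${CONTAINER:-openvpn-as}"
SACLI="/usr/local/openvpn_as/scripts/sacli"
DRY_RUN="${DRY_RUN:-0}"

# Run a command inside the container (or print it in dry-run mode).
in_container() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        docker exec "$CONTAINER" "$@"
    fi
}

# replace_default_admin NEWUSER PASSWORD
# Refuses a missing name, the name "admin" (it is about to be deleted) or an
# empty password, so the server is never left without a working superuser.
# Each step aborts the sequence on failure; deluser runs last, so a failed
# user creation never deletes the only admin you have.
replace_default_admin() {
    user="$1"
    pass="$2"
    case "$user" in
        ""|admin)
            echo "refusing: give a new superuser name other than 'admin'" >&2
            return 2 ;;
    esac
    if [ -z "$pass" ]; then
        echo "refusing: empty password" >&2
        return 2
    fi
    # 1. Local authentication, so the user lives in the config folder and
    #    survives image updates (the PAM/local distinction aptalca explained).
    in_container "$SACLI" --key "auth.module.type" --value "local" ConfigPut || return 1
    # 2. Create the user as a superuser and set its password.
    in_container "$SACLI" --user "$user" --key "prop_superuser" --value "true" UserPropPut || return 1
    in_container "$SACLI" --user "$user" --new_pass "$pass" SetLocalPassword || return 1
    # 3. Apply the configuration change.
    in_container "$SACLI" start || return 1
    # 4. Only now delete the default admin OS account, as Maticks did above.
    in_container deluser admin || return 1
}

# Usage: DRY_RUN=1 ./replace_admin.sh alice 'long-random-password'
if [ "$#" -ge 2 ]; then
    replace_default_admin "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to see the exact commands, then for real after each update. The password is passed on the command line for brevity, which makes it briefly visible in the process list on the host; for a shared machine read it from a prompt or a root-only file instead.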
fc0712 Posted June 6, 2017

I just found out that I have bonding enabled on my unraid server. Is there any benefit to that when only having one NIC?
Jorgen Posted June 6, 2017

Quoting CHBMB: "I use local instead of PAM, create a new user (chbmb), make them admin and delete the default admin."

I thought the default admin account was recreated on update of the docker though, is that not the case?