mpvader - Per the latest Venus OS beta versions...
Making SignalK server work with externally set password?
Per the latest Venus OS beta versions, we’ve added a network security profile setting, which allows securing all local access with a single password.
So that's remote console, gui-v2, mqtt (if enabled/needed), and Node-RED is and/or was secured with the same password as well.
How could we go about using the same for Signal-K? Are there config options for that already? I checked, but couldn’t find any.
And we might have discussed this earlier @Scott Bender / @Teppo Kurki, but then I forgot the outcome 🙈
51 Replies
Main reason to want this is to make onboarding for new users easier.
@Ilker showed me some stats the other day, that for his saillogger app the use of Cerbos versus Raspberry Pis is quite significant. A surprise, nice one!
What might make this a bit extra complex is that we have an “unsecured” option in Venus OS, which means no password at all.
So to harmonise that, signalk would also need to have such an option.
Are we talking single sign-on?
Possibly, but not necessarily
But it's an option maybe; we do have that for the other services. A simple 365 days stored cookie; and nginx checking it
What I meant was more to do something so that the user doesn’t have to set a password up in signalk, since he has one already
The security stuff in the server is essentially "pluggable", so, in theory, with some work, we should be able to do anything we want
Also, Signal K comes with passwordless in the initial configuration. The problem with that though is some functions (like restarting the server) are not available when password is not set. So it requires rebooting the host platform (Venus OS or RPi, etc) when that happens, which is pretty frictionful.
> The security stuff in the server is essentially "pluggable", so, in theory, with some work, we should be able to do anything we want
@Scott Bender to understand this more, let's say I want to set a password or change it from a plugin or a daemon, how do I do it? A similar question I have is around basic server settings, name/MMSI etc, I can write them on the json directly I guess but is there a way to do it differently?
You could use the same http endpoints that the admin ui uses.
Requires authentication of course
How do you get authenticated the first time to set the password if there is no password set?
That first time does not require authentication
Relatedly is there a way to restart Signal K programmatically when there is no password set?
There’s no interface for it, but all it really does is exit the process.
And then the os starts it back up
I think we’ve discussed removing that limitation, I don’t remember where that ended up…
Venus OS can restart it
The restarting of it is not a problem
Getting off topic I think
@Ilker please start another thread if you want to talk about this more…
Keeping the password inside signalk server in sync with the venus os pwd, using https or other method, seems error prone
Agreed
Yes agree