Opened 7 years ago

Closed 7 years ago

#652 closed enhancement (fixed)

Console authentication improvements

Reported by: Quix0r Owned by: zzz
Priority: minor Milestone: 0.9.4
Component: apps/console Version: 0.9
Keywords: Cc:
Parent Tickets:

Description

Please try to add a feature that allows protection of the router by e.g. HTTP sessions which could prevent third persons (e.g. running the i2p router at a remote server means that the local administrator can access it) or even your family-mates from accessing it.

Subtickets

Change History (8)

comment:1 Changed 7 years ago by echelon

  • Resolution set to fixed
  • Status changed from new to closed

Moin

Look into the FAQ, it is present since a few years.
http://www.i2p2.i2p/faq#remote_webconsole

echelon

comment:2 Changed 7 years ago by zzz

  • Component changed from router/general to apps/console

Although it would be nice to get this added to /configui so you don't need advanced config ... good noobie project

comment:3 Changed 7 years ago by Quix0r

The password is stored in clear text in ~/.i2p/router.config, which means no better security. The local admin/family/room mates (="attacker") can read that file. :( Okay, the attacker may shut down the computer manually, remove the hard drive, plug it into another computer and mount it (e.g. to /mnt/), then he can read the password from the said file.

comment:4 Changed 7 years ago by Quix0r

Or use an external boot medium like CD/USB stick and mount the hard drive as root. ...

comment:5 Changed 7 years ago by echelon

  • Component changed from apps/console to other
  • Resolution fixed deleted
  • Status changed from closed to reopened
  • Summary changed from Protect i2p router (http://localhost:7657) by login to Encrypt all saved data on harddrive

Hi

I2P is not a tool to protect data on your harddrive against people with physical access to your system.
With physical access everyone can access your data on your system also, which tells you: they can read your data in the I2P folder, too. In this case an encrypted, saved password for the console is useless, too.
Nevertheless, encryption for saved data could be useful. But it is not really of high importance.
Use e.g. TrueCrypt or different tools for file encryption on your harddrive in the meantime.

echelon

comment:6 Changed 7 years ago by zzz

  • Milestone changed from 0.9.1 to 0.9.3

I don't know about encrypting everything, but it's a fair suggestion that we at least salt and hash the passwords in the config file.

Right now we do, at least, set almost all saved files to mode 600.

comment:7 Changed 7 years ago by zzz

  • Component changed from other to apps/console
  • Milestone changed from 0.9.3 to 0.9.4
  • Owner set to zzz
  • Status changed from reopened to accepted

As described in #731 I'm going to try to implement password salting and hashing in 0.9.4.

comment:8 Changed 7 years ago by zzz

  • Resolution set to fixed
  • Status changed from accepted to closed
  • Summary changed from Encrypt all saved data on harddrive to Console authentication improvements

In 0.9.3-1:

  • Console auth changed from basic to digest
  • No longer saved as plain text in router.config
  • HTTP proxy auth changed from basic to digest
  • No longer saved as plain text in i2ptunnel.config
  • New console password form on /configui.jsp
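
Added example, not I2P's code and not from the ticket: one way a digest-authenticated console can avoid keeping the plain-text password in a config file is to store only the RFC 2617 HA1 value, MD5(user:realm:password), in a mode-600 file and check each login against it. The key name `console.auth.<user>.md5` and all function names are hypothetical; the page does not say how I2P stores the credential.

```python
import hashlib
import hmac
import os

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_ha1(user, realm, password):
    # RFC 2617 HA1: the only secret the server needs to check a digest login.
    return md5_hex(f"{user}:{realm}:{password}")

def save_credential(path, user, ha1):
    # Hypothetical key name. Create the file as mode 600 and re-assert the
    # mode in case the file already existed with wider permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"console.auth.{user}.md5={ha1}\n")
    os.chmod(path, 0o600)

def load_ha1(path, user):
    key = f"console.auth.{user}.md5"
    with open(path) as f:
        for line in f:
            name, _, value = line.strip().partition("=")
            if name == key:
                return value
    return None

def expected_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # response = MD5(HA1:nonce:nc:cnonce:qop:MD5(method:uri))
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def verify(path, user, method, uri, nonce, nc, cnonce, response):
    ha1 = load_ha1(path, user)
    if ha1 is None:
        return False
    want = expected_response(ha1, method, uri, nonce, nc, cnonce)
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(want.encode(), response.encode())

if __name__ == "__main__":
    import tempfile
    # Constructed sample: user, realm, password and nonce values are the
    # worked example from RFC 2617, not anything from the ticket.
    path = os.path.join(tempfile.mkdtemp(), "router.config")
    save_credential(path, "Mufasa", make_ha1("Mufasa", "testrealm@host.com", "Circle Of Life"))
    print(verify(path, "Mufasa", "GET", "/dir/index.html",
                 "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b",
                 "6629fae49393a05397450978507c4ef1"))
```

The stored HA1 is still sufficient to answer a digest challenge for that user and realm, so the mode-600 protection mentioned in comment 6 remains necessary. A real server must also issue its own nonces and reject stale or replayed ones, which this sketch leaves out.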