
Posted

When claiming a server, the server admin password is used on deck.hexos.com
This is quite bad design from a security perspective. An ed25519 pub key would be much better to use.

  • Like 1
Posted

Hey, can you explain a bit more what the problem is?
I do not quite see it as HexOS is made for home users and claiming a server happens in private networks, so there is no risk of anyone unknown claiming the server in the first place.

Given this is a product for home users and not professionals a password is a good balance of security and usability in my opinion.

Posted

Perhaps a middle ground, the use of a 'claim code' in combination with the current connection from the same IP? Though I acknowledge it's all extra steps, keeping the separation seems like a nice way about it, and it could always be pre-filled via a URL parameter making it even simpler.

Posted

The problem is not that someone else might claim the server. The problem is that someone could fake (or MITM) the deck site, which is on the internet, and that way steal the admin password.
Furthermore, after the claim is done, the communication (configuration and such) between the server and deck should be end to end verified. You don't know where TLS is terminated in the cloud services.
A suggestion would be to include, in the iso file, a pub key for signed communication from the deck to the server. And at install time, generate a key-pair on the server and provide the pub key as a QR code. Using deck on a mobile device, scan the QR code and now the deck has the server's pub key. Now both server and deck can sign communication both ways. Also if shared secrets needs to be communicated, then these can be encrypted.
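The exchange proposed in the post above, written out as an added Go example; this is not HexOS code, deck code or the poster's. The envelope layout, the direction tags, the sequence numbers, the base64 QR payload and the JSON bodies are all assumptions made for the example. Only the standard library is used: the deck's public key stands in for the one shipped in the ISO, the server's key pair is generated at "install time" and handed over through the QR payload, and every message is then signed by its sender and verified against the pinned key on the other side, so a relay that terminates TLS in between can read but not forge, alter or replay traffic.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Envelope is an assumed wire format (not HexOS's): tag, sequence number and body are signed together.
type Envelope struct {
	Dir  string
	Seq  uint64
	Body []byte
	Sig  []byte
}

// signedBytes is the exact byte string that is signed and later verified.
func signedBytes(dir string, seq uint64, body []byte) []byte {
	msg := append([]byte(dir), 0) // NUL separates the tag from the fixed-width fields
	msg = binary.BigEndian.AppendUint64(msg, seq)
	return append(msg, body...)
}

// Seal signs a message with the sender's long-term Ed25519 key.
func Seal(priv ed25519.PrivateKey, dir string, seq uint64, body []byte) Envelope {
	return Envelope{dir, seq, body, ed25519.Sign(priv, signedBytes(dir, seq, body))}
}

// Peer is one side's view of the other: its pinned public key and the last sequence number accepted.
type Peer struct {
	PinnedPub ed25519.PublicKey
	WantDir   string
	LastSeq   uint64
}

// Open verifies against the pinned key; a TLS-terminating relay can read but not forge or replay.
func (p *Peer) Open(e Envelope) ([]byte, error) {
	if e.Dir != p.WantDir || e.Seq <= p.LastSeq {
		return nil, errors.New("wrong direction or replayed sequence number")
	}
	if !ed25519.Verify(p.PinnedPub, signedBytes(e.Dir, e.Seq, e.Body), e.Sig) {
		return nil, errors.New("bad signature: tampered or not from the pinned key")
	}
	p.LastSeq = e.Seq
	return e.Body, nil
}

// QRPayload is what the installer would display (32-byte key as 44 base64 characters);
// ParseQRPayload is the deck side of the scan and accepts exactly one Ed25519 public key.
func QRPayload(pub ed25519.PublicKey) string { return base64.StdEncoding.EncodeToString(pub) }
func ParseQRPayload(s string) (ed25519.PublicKey, error) {
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil || len(b) != ed25519.PublicKeySize {
		return nil, fmt.Errorf("not a single Ed25519 public key: %q", s)
	}
	return ed25519.PublicKey(b), nil
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS CSPRNG is unavailable
	}
	return pub, priv
}

// DemoResult records what Demo's constructed run accepted or rejected: claim, ack, a replay, a forgery.
type DemoResult struct {
	ServerGotClaim, DeckGotAck, ReplayRejected, ForgeryRejected bool
}
func Demo() (r DemoResult) {
	deckPub, deckPriv := genKey()                        // public half ships in the ISO
	serverPub, serverPriv := genKey()                    // generated on the server at install time
	scanned, err := ParseQRPayload(QRPayload(serverPub)) // the deck scans the QR code
	if err != nil {
		panic(err)
	}
	deckView := &Peer{PinnedPub: scanned, WantDir: "server->deck"}
	serverView := &Peer{PinnedPub: deckPub, WantDir: "deck->server"}
	// Claim and ack, signed both ways; no admin password crosses the wire (bodies are constructed).
	_, errC := serverView.Open(Seal(deckPriv, "deck->server", 1, []byte(`{"op":"claim"}`)))
	_, errA := deckView.Open(Seal(serverPriv, "server->deck", 1, []byte(`{"op":"claimed"}`)))
	r.ServerGotClaim, r.DeckGotAck = errC == nil, errA == nil
	// The relay replays a genuine config push, then re-signs an altered one with its own key.
	cfg := Seal(deckPriv, "deck->server", 2, []byte(`{"op":"set","smb":"on"}`))
	_, first := serverView.Open(cfg)
	_, second := serverView.Open(cfg) // the same envelope a second time
	r.ReplayRejected = first == nil && second != nil
	_, relayPriv := genKey()
	_, err = serverView.Open(Seal(relayPriv, "deck->server", 3, []byte(`{"op":"set","smb":"off"}`)))
	r.ForgeryRejected = err != nil
	return r
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

`go run` prints a DemoResult with all four fields true. The example only covers integrity and authenticity; the post's last point, encrypting shared secrets once both keys are pinned, would be a separate layer on top of the same pinned keys and is not shown here. The direction tag is what stops a server's own signed message being reflected back to it as if it came from the deck, and the per-direction sequence number is what makes a replay fail even though the signature on the replayed envelope is still valid.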

Posted

MITM is always an issue, but the same could be said of going to download the ISO in the first place without an md5. I still think I agree with you in terms of the local credentials; however, I wonder if this is (in effect) you giving the deck the password to authenticate (since the server presumably reaches out to announce itself, perhaps with its public key) the returning response, and the credential/token/whatever means is used would then be established. Given there is a commitment to a local UI by the company here, that might address things for an enhanced threat profile. I'm thinking the model might be more similar to the Unifi controller experience, and the deck excels at multi-deployment or remote management ease of use.

Yes, manual verification would be great; however, I think once you are asking users to start scanning to verify fingerprints you're going to be adding a significant amount of friction. I would look into WebAuthn and how, at the end of the day, server validation is handled by TLS (though I would acknowledge that it's not the secret that gets transmitted).

Posted

I agree that it's always about finding a balance between security and usability. In this case, by using local admin password to claim a server, it is clearly not in balance.
I don't agree that it would add that much friction though. We need to remember that the target group is expected to know how to image a USB flash device with an ISO. To scan a QR code, or something similar, isn't that hard.

It is another step in the installation process. But having the possibility to end to end sign and encrypt data might even make it easier to implement future features where integrity and/or confidentiality is needed.

Posted
On 12/4/2024 at 3:13 PM, airikka said:

When claiming a server, the server admin password is used on deck.hexos.com
This is quite bad design from a security perspective. An ed25519 pub key would be much better to use.

While I can't get into details just yet, there are multiple security-specific features planned for the future to improve our posture. This is simply the only way to functionally provide this right now with the current TrueNAS SCALE API.

That being said, I greatly appreciate having those that are security conscious here on the forum and thank you for suggesting a solution with your post.

  • Like 2
