VNC webpage (and the VMs it connects to) is not behind web-ui authentication?

ctag

Patron
Joined
Jun 16, 2017
Messages
225
With the most recent Scale Bluefin upgrade VNC sessions are no longer on randomized ports, but are instead accessible by a path. I love this feature, it is very handy.. But I've noticed that I can open the path to VNC without being logged in, which means anyone who can guess or brute force the two-digit random number in the path can access my VMs too.

Since I'm not confident in that arrangement, is there a way to disable VNC for the time being? Or put some sort of authentication in front of it that doesn't depend on the VM?

Possibly related:
The VM VNC/SPICE console should have a default password
TrueNAS Scale VNC/SPICE virtual console should be using encryption
VNC Security concerns?

AMiGAmann

Contributor
Joined
Jun 4, 2015
Messages
106
On Angelfish it is possible to edit the display device of a VM and to configure a VNC password to be used. Does that help you to increase your security needs?

ctag

Patron
Joined
Jun 16, 2017
Messages
225
AMiGAmann said:
On Angelfish it is possible to edit the display device of a VM and to configure a VNC password to be used. Does that help you to increase your security needs?
I appreciate the advice, but unless I'm mistaken this doesn't actually do anything.

In Bluefin I can set a password:
1677291068294.png


And when I try to open VNC from within Truenas, it dutifully prompts me for a password before redirecting to the VNC page:
1677291118671.png


But the VNC webpage itself is still available in the clear, no password required. Here I've loaded the URL directly in Tor, so there shouldn't be any cookies or session data set that would otherwise authenticate me:
1677290947225.png

AMiGAmann

Contributor
Joined
Jun 4, 2015
Messages
106
Oh I am sorry, I did not try it as you did. I tried to connect with an external vnc viewer and had to input a password so I thought it was secure.

I can reproduce the behaviour you described. Even if a password is set, the vnc viewer can directly be opened in a browser without a password being entered.

For me this looks like unwanted behaviour/bug, doesn't it?

ctag

Patron
Joined
Jun 16, 2017
Messages
225

Jerry-rigged workaround using Traefik and basicAuth

I recently came across this webpage about using basicAuth middleware with Traefik/ingress. I have my truenas web-ui exposed via Traefik and external-service so I decided to give basicAuth a try.

I edited Traefik's settings and added a basicAuth middleware, and then copied the name to add to the truenas external-service app's middleware section as well. Immediately afterward the URL for my Truenas UI started showing 404 responses, and didn't come back. I wound up loading the UI via the local IP and alternate port (81, if you follow the guide above) to click "start" again on the external-service app. Once it had re-loaded the web-ui began working again, so heads up I guess.

Traefik edit menu:
1690472728487.png


external-service for Truenas UI edit menu:
1690472792210.png


With basicAuth set up, the VNC pages are now locked behind it and not exposed-by-default like they were before.

1690472664950.png
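Both the reproduction earlier in the thread (the noVNC page loading with no password even though one is set on the VM) and the Traefik basicAuth workaround above come down to one question: does an unauthenticated request to the console URL get a challenge, or does it get the page? The script below is an added example for checking that, written for this thread; it is not code from TrueNAS, TrueCharts or Traefik. It assumes you pass your own TrueNAS UI URL and the VNC console path (the hostnames and paths in it are placeholders), and that the proxy in front of them answers unauthenticated requests with a 401 plus a WWW-Authenticate: Basic header, which is what Traefik's basicAuth middleware does. Run it once before and once after enabling the middleware: every URL should move from "exposed" to "protected".

```python
"""Verify that a TrueNAS UI / VM console URL is actually behind HTTP auth.

Usage:  python vnc_auth_check.py [user:password] URL [URL ...]
The optional user:password is only used to confirm that valid credentials
still get through, so a bad middleware config is noticed too.
"""
import base64
import ssl
import sys
import urllib.error
import urllib.request


def audit_response(status, headers):
    """Classify one response to an UNauthenticated GET.

    "protected": proxy demanded credentials (401 + WWW-Authenticate: Basic)
    "exposed":   page served without any challenge (the thread's problem)
    "other":     redirects, 404s, etc. that need a human look
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    challenge = lowered.get("www-authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        return "protected"
    if status == 200:
        return "exposed"
    return "other"


def basic_header(credentials):
    """Build the Authorization header value for 'user:password'."""
    return "Basic " + base64.b64encode(credentials.encode()).decode()


def fetch(url, credentials=None, timeout=10, verify_tls=True):
    """GET the URL and return (status, headers) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "vnc-auth-check"})
    if credentials:
        req.add_header("Authorization", basic_header(credentials))
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Only for a lab box with a self-signed certificate; keep verification
        # on for anything reachable from outside your LAN.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def check_urls(urls, credentials=None, verify_tls=True):
    """Return {url: verdict}; 'protected' additionally requires that the
    supplied credentials (if any) are accepted, otherwise it becomes 'other'."""
    verdicts = {}
    for url in urls:
        status, headers = fetch(url, verify_tls=verify_tls)
        verdict = audit_response(status, headers)
        if verdict == "protected" and credentials:
            auth_status, _ = fetch(url, credentials, verify_tls=verify_tls)
            if auth_status != 200:
                verdict = "other"  # challenge works but valid login does not
        verdicts[url] = verdict
    return verdicts


if __name__ == "__main__":
    args = sys.argv[1:]
    creds = args.pop(0) if args and ":" in args[0] and "://" not in args[0] else None
    if not args:
        # Placeholder hostnames/paths; replace with your own UI and console URLs.
        args = ["https://truenas.example.lan/ui/",
                "https://truenas.example.lan/vnc/EXAMPLE-VM-PATH/"]
    for url, verdict in check_urls(args, creds, verify_tls=False).items():
        print(f"{verdict:10s} {url}")
```

A "protected" verdict means the proxy challenged the request before anything from TrueNAS was served, which is the property the thread is after; the VNC password on the VM's display device is a separate layer that noVNC applies only once the page itself has loaded.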