Comparing MeshCentral 2 to ScreenConnect
-
I am running way behind on documentation. On embedding, let me know what server type will be the master (NodeJS, ASP.NET...). Once you get MeshCentral running, get the --loginTokenKey and cut and paste it into your server. Then, if the master server is NodeJS, use this code to generate a time limited cookie on your server and use it as documented. The user name is "user/(domain)/(account name in lower case)", the sample below is for "admin" on the default domain. hope it helps until I get time to work on documentation.
obj.crypto = require('crypto'); obj.encodeCookie({ u: 'user//admin', a: 3 }, obj.loginCookieEncryptionKey)
// Encode an object as a cookie using a key using AES-GCM. (key must be 32 bytes or more) obj.encodeCookie = function (o, key) { try { if (key == null) { key = obj.serverKey; } o.time = Math.floor(Date.now() / 1000); // Add the cookie creation time const iv = Buffer.from(obj.crypto.randomBytes(12), 'binary'), cipher = obj.crypto.createCipheriv('aes-256-gcm', key.slice(0, 32), iv); const crypted = Buffer.concat([cipher.update(JSON.stringify(o), 'utf8'), cipher.final()]); return Buffer.concat([iv, cipher.getAuthTag(), crypted]).toString('base64').replace(/\+/g, '@').replace(/\//g, '$'); } catch (e) { return null; } };
-
@black3dynamite Right, it's not always big updates. Doing a lot of security work recently. Just about to publish a new version with better password change dialogs, random time delay if on bad passwords, ask for old password when changing it, display password policy at the right places, etc.
-
@Ylian said in Comparing MeshCentral 2 to ScreenConnect:
I am running way behind on documentation. On embedding, let me know what server type will be the master (NodeJS, ASP.NET...). Once you get MeshCentral running, get the --loginTokenKey and cut and paste it into your server. Then, if the master server is NodeJS, use this code to generate a time limited cookie on your server and use it as documented. The user name is "user/(domain)/(account name in lower case)", the sample below is for "admin" on the default domain. hope it helps until I get time to work on documentation.
obj.crypto = require('crypto'); obj.encodeCookie({ u: 'user//admin', a: 3 }, obj.loginCookieEncryptionKey)
// Encode an object as a cookie using a key using AES-GCM. (key must be 32 bytes or more) obj.encodeCookie = function (o, key) { try { if (key == null) { key = obj.serverKey; } o.time = Math.floor(Date.now() / 1000); // Add the cookie creation time const iv = Buffer.from(obj.crypto.randomBytes(12), 'binary'), cipher = obj.crypto.createCipheriv('aes-256-gcm', key.slice(0, 32), iv); const crypted = Buffer.concat([cipher.update(JSON.stringify(o), 'utf8'), cipher.final()]); return Buffer.concat([iv, cipher.getAuthTag(), crypted]).toString('base64').replace(/\+/g, '@').replace(/\//g, '$'); } catch (e) { return null; } };
Thanks for your fast reply. My master server is running python and im not sure if i can replicate your piece of code in python.
Anyway, thanks for your reply. I see youre busy with other features and i dont want to take too much of your time away.
Maybe there is some python/crypto expert on here which can translate your code to phyton?
I mean, for my needs it would be suitable if i could easily create one login token without time limit. I think a feature like this would be easily implemented on your side but im not sure if that would be against your security model?
-
@vpr00 If you want to be completely evil... you can try on your server /createLoginToken.ashx?user=(username)&pass=(password) and it will return a login token. It's evil because passing credentials in a URL like this is really bad. Often URL's are logged and so your password is in event logs. This said, people kept wanting me to add this feature...
-
@Ylian said in Comparing MeshCentral 2 to ScreenConnect:
@vpr00 If you want to be completely evil... you can try on your server /createLoginToken.ashx?user=(username)&pass=(password) and it will return a login token. It's evil because passing credentials in a URL like this is really bad. Often URL's are logged and so your password is in event logs. This said, people kept wanting me to add this feature...
Of course it would be better if I could create login tokins on the business server or if i would just have 1 non time-limited login token but i can live with your suggestion for testing purposes for now.
Id be very happy to be able to generate login token on my business server sometime in the near future though.
I think people are wanting it because they are generally doing the necessary security measures before even exposing the option to access MeshCentral. So at that point they want a quick and easy way to login a user which is already a trusted user on their side.
Thanks for your fast reply as always!
-
@Ylian said in Comparing MeshCentral 2 to ScreenConnect:
This said, people kept wanting me to add this feature...
You reject these kinds of feature requests and tell people to smeg off.
-
@Ylian said in Comparing MeshCentral 2 to ScreenConnect:
@vpr00 If you want to be completely evil... you can try on your server /createLoginToken.ashx?user=(username)&pass=(password) and it will return a login token. It's evil because passing credentials in a URL like this is really bad. Often URL's are logged and so your password is in event logs. This said, people kept wanting me to add this feature...
Please, ignore people being stupid.
-
Completely craziness, don't let people pass credentials through URL like that, others will use it and moan when they get compromised..
Defiantly a put your foot down moment.. -
Just updated to 0.2.8-l
-
-
@black3dynamite said in Comparing MeshCentral 2 to ScreenConnect:
@scottalanmiller said in Comparing MeshCentral 2 to ScreenConnect:
Just updated to 0.2.8-l
0.2.8-m
Hasn't shown up for me yet.
-
Auto-update is now working.
I'm now on 0.2.8-n -
@FATeknollogee said in Comparing MeshCentral 2 to ScreenConnect:
Auto-update is now working.
I'm now on 0.2.8-nI'm on that too, now.
-
Auto-update is taking care of biz...
0.2.8-p -
Haven't had much time to test things out lately..
Updated.
-
NICE!! You can now change groups. This was added in 0.2.7-y
https://github.com/Ylianst/MeshCentral/issues/85This is awesome to me. I allows me to build a single installer (well per OS) that dumps systems into a known group and then I can move them where they need to be.
With multiple clients, this is the only easy way to handle this.
Awesome work @Ylian
-
@StuartJordan On the topic of the evil "/createLoginToken.ashx?user=(username)&pass=(password)". Good feedback. I do want to allows people to setup MeshCentral on a Raspberry Pi, etc and tinker with it on a local LAN or to help developers get started. However, since I don't want anyone using this in production, in the next release: It will only be allowed if you are using the default un-trusted HTTPS cert. This way, if you start using a Let's Encrypt TLS cert, your own cert or a TLS offloader "createLoginToken" does not work anymore. Hopefully that will keep everyone happy
-
@JaredBusch Thanks. Yes, you can now change groups. By the way, maybe this will help your installer: You can create a text file with the same name as the agent with ".tag" at the end (or instead of .exe on Windows) and put some serial number or short unique id in it. When the device shows up, click on it and your will see "Agent Tag" with the content of the tag file. This is useful if you want to put your own device mapping ID and may help you sort devices.
-
One more quick news. I have been working on MongoDB tuning in the last few days. You should be able to connect 10k+ devices easy on a AWS t3.medium instance (Amazon Linux 2, 30$/mo + traffic) without issues. Just published v0.2.8-r with proper MongoDB indexes and query fixes. Handles 1000's of devices now. Still room for improvement, but the previous version where REALLY bad with connection scaling. v0.2.8-r is a lot better at that. Graph below shows MongoDB wasted time for a server with 5000+ agents.
-
@Ylian just updated to it.