Comparing MeshCentral 2 to ScreenConnect
-
It has been a busy day, just updated to 0.2.8-b
That is SIX releases since yesterday!
-
@scottalanmiller said in Comparing MeshCentral 2 to ScreenConnect:
It has been a busy day, just updated to 0.2.8-b
That is SIX releases since yesterday!
Some of those were quick fix releases.
-
Anyone tried embedding MC yet?
Ive got it working but im not sure about how to automatically generate login tokens.
As per the manual (http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide-0.2.1.pdf) i generated a "LoginTokenKey" but i cant understand how i can generate login tokens out of that key. Anybody has experience with this?As far as i understand the business server can be used to generate those, but how? My business server is running on phyton if that matters.
@Ylian: Is the user guide missing some information on how to generate a login token from a login token key or am i missing something here?
-
@vpr00 said in Comparing MeshCentral 2 to ScreenConnect:
Anyone tried embedding MC yet?
No, but we are super interested in that.
-
@scottalanmiller Ive got everthing working besides the issue i described. works pretty good otherwise.
-
I am running way behind on documentation. On embedding, let me know what server type will be the master (NodeJS, ASP.NET...). Once you get MeshCentral running, get the --loginTokenKey and cut and paste it into your server. Then, if the master server is NodeJS, use this code to generate a time limited cookie on your server and use it as documented. The user name is "user/(domain)/(account name in lower case)", the sample below is for "admin" on the default domain. hope it helps until I get time to work on documentation.
obj.crypto = require('crypto'); obj.encodeCookie({ u: 'user//admin', a: 3 }, obj.loginCookieEncryptionKey)// Encode an object as a cookie using a key using AES-GCM. (key must be 32 bytes or more) obj.encodeCookie = function (o, key) { try { if (key == null) { key = obj.serverKey; } o.time = Math.floor(Date.now() / 1000); // Add the cookie creation time const iv = Buffer.from(obj.crypto.randomBytes(12), 'binary'), cipher = obj.crypto.createCipheriv('aes-256-gcm', key.slice(0, 32), iv); const crypted = Buffer.concat([cipher.update(JSON.stringify(o), 'utf8'), cipher.final()]); return Buffer.concat([iv, cipher.getAuthTag(), crypted]).toString('base64').replace(/\+/g, '@').replace(/\//g, '$'); } catch (e) { return null; } }; -
@black3dynamite Right, it's not always big updates. Doing a lot of security work recently. Just about to publish a new version with better password change dialogs, random time delay if on bad passwords, ask for old password when changing it, display password policy at the right places, etc.
-
@Ylian said in Comparing MeshCentral 2 to ScreenConnect:
I am running way behind on documentation. On embedding, let me know what server type will be the master (NodeJS, ASP.NET...). Once you get MeshCentral running, get the --loginTokenKey and cut and paste it into your server. Then, if the master server is NodeJS, use this code to generate a time limited cookie on your server and use it as documented. The user name is "user/(domain)/(account name in lower case)", the sample below is for "admin" on the default domain. hope it helps until I get time to work on documentation.
obj.crypto = require('crypto'); obj.encodeCookie({ u: 'user//admin', a: 3 }, obj.loginCookieEncryptionKey)// Encode an object as a cookie using a key using AES-GCM. (key must be 32 bytes or more) obj.encodeCookie = function (o, key) { try { if (key == null) { key = obj.serverKey; } o.time = Math.floor(Date.now() / 1000); // Add the cookie creation time const iv = Buffer.from(obj.crypto.randomBytes(12), 'binary'), cipher = obj.crypto.createCipheriv('aes-256-gcm', key.slice(0, 32), iv); const crypted = Buffer.concat([cipher.update(JSON.stringify(o), 'utf8'), cipher.final()]); return Buffer.concat([iv, cipher.getAuthTag(), crypted]).toString('base64').replace(/\+/g, '@').replace(/\//g, '$'); } catch (e) { return null; } };Thanks for your fast reply. My master server is running python and im not sure if i can replicate your piece of code in python.
Anyway, thanks for your reply. I see youre busy with other features and i dont want to take too much of your time away.
Maybe there is some python/crypto expert on here which can translate your code to phyton?
I mean, for my needs it would be suitable if i could easily create one login token without time limit. I think a feature like this would be easily implemented on your side but im not sure if that would be against your security model?
-
@vpr00 If you want to be completely evil... you can try on your server /createLoginToken.ashx?user=(username)&pass=(password) and it will return a login token. It's evil because passing credentials in a URL like this is really bad. Often URL's are logged and so your password is in event logs. This said, people kept wanting me to add this feature...
-
@Ylian said in Comparing MeshCentral 2 to ScreenConnect:
@vpr00 If you want to be completely evil... you can try on your server /createLoginToken.ashx?user=(username)&pass=(password) and it will return a login token. It's evil because passing credentials in a URL like this is really bad. Often URL's are logged and so your password is in event logs. This said, people kept wanting me to add this feature...
Of course it would be better if I could create login tokins on the business server or if i would just have 1 non time-limited login token but i can live with your suggestion for testing purposes for now.
Id be very happy to be able to generate login token on my business server sometime in the near future though.
I think people are wanting it because they are generally doing the necessary security measures before even exposing the option to access MeshCentral. So at that point they want a quick and easy way to login a user which is already a trusted user on their side.
Thanks for your fast reply as always!
-
@Ylian said in Comparing MeshCentral 2 to ScreenConnect:
This said, people kept wanting me to add this feature...
You reject these kinds of feature requests and tell people to smeg off.
-
@Ylian said in Comparing MeshCentral 2 to ScreenConnect:
@vpr00 If you want to be completely evil... you can try on your server /createLoginToken.ashx?user=(username)&pass=(password) and it will return a login token. It's evil because passing credentials in a URL like this is really bad. Often URL's are logged and so your password is in event logs. This said, people kept wanting me to add this feature...
Please, ignore people being stupid.
-
Completely craziness, don't let people pass credentials through URL like that, others will use it and moan when they get compromised..
Defiantly a put your foot down moment.. -
Just updated to 0.2.8-l
-
-
@black3dynamite said in Comparing MeshCentral 2 to ScreenConnect:
@scottalanmiller said in Comparing MeshCentral 2 to ScreenConnect:
Just updated to 0.2.8-l
0.2.8-m
Hasn't shown up for me yet.
-
Auto-update is now working.
I'm now on 0.2.8-n -
@FATeknollogee said in Comparing MeshCentral 2 to ScreenConnect:
Auto-update is now working.
I'm now on 0.2.8-nI'm on that too, now.
-
Auto-update is taking care of biz...
0.2.8-p -
Haven't had much time to test things out lately..
Updated.
