Comparing MeshCentral 2 to ScreenConnect

Ylian

@FATeknollogee (Auto-update broken) There was a few versions a month back where auto-update was broken. Otherwise, MeshCentral has to be running in a way that allows it to write it's own files. This said, it auto-update should generally work - If it does not consistently and it should, file a issue on GitHub.

Ylian

Just published MeshCentral v0.2.7-p with improved support for hardware keys. Now supports U2F (need browser support) and OTP (USB key acts as a keyboard). Much better than yesterday's version. New blog here.

smartkid808

I upgraded my install, now I cant login. I can create new accounts OK, but not sure, was I supposed to disabled 2 factor auth (google) before upgrading to new version?

Ylian

@smartkid808 Oh dear... On a safe network, you can run "node meshcentral --user [username]", quickly clean things up and start the server again.

To clarify, when you say "You can't login" - You try to login and are stuck at the "Login token" screen? You only have Google Authenticator setup before? Any more details appreciated.

Ylian

Someone just posted the login problem on GitHub and I posted a fix for it. MeshCentral v0.2.7-r is now live. This fix should solve exactly the problem you got.

scottalanmiller

@Ylian said in Comparing MeshCentral 2 to ScreenConnect:

Someone just posted the login problem on GitHub and I posted a fix for it. MeshCentral v0.2.7-r is now live. This fix should solve exactly the problem you got.

We are on 0.2.7-s

smartkid808

@Ylian said in Comparing MeshCentral 2 to ScreenConnect:

@smartkid808 Oh dear... On a safe network, you can run "node meshcentral --user [username]", quickly clean things up and start the server again.
To clarify, when you say "You can't login" - You try to login and are stuck at the "Login token" screen? You only have Google Authenticator setup before? Any more details appreciated.

Hi Yilan, I am non-production.. I am just playing with it, so I have no issues starting from scratch.

I can do the first login, then i can get to the 2nd factor login screen.

I will try to install the new version you posted, and report back.

Thanks for the quick response

smartkid808

@Ylian said in Comparing MeshCentral 2 to ScreenConnect:

Someone just posted the login problem on GitHub and I posted a fix for it. MeshCentral v0.2.7-r is now live. This fix should solve exactly the problem you got.

Worked like a charm thanks

scottalanmiller

It has been a busy day, just updated to 0.2.8-b

That is SIX releases since yesterday!

black3dynamite

@scottalanmiller said in Comparing MeshCentral 2 to ScreenConnect:

It has been a busy day, just updated to 0.2.8-b

That is SIX releases since yesterday!

Some of those were quick fix releases.

vpr00

Anyone tried embedding MC yet?
Ive got it working but im not sure about how to automatically generate login tokens.
As per the manual (http://info.meshcentral.com/downloads/MeshCentral2/MeshCentral2UserGuide-0.2.1.pdf) i generated a "LoginTokenKey" but i cant understand how i can generate login tokens out of that key. Anybody has experience with this?

As far as i understand the business server can be used to generate those, but how? My business server is running on phyton if that matters.

@Ylian: Is the user guide missing some information on how to generate a login token from a login token key or am i missing something here?

scottalanmiller

@vpr00 said in Comparing MeshCentral 2 to ScreenConnect:

Anyone tried embedding MC yet?

No, but we are super interested in that.

vpr00

@scottalanmiller Ive got everthing working besides the issue i described. works pretty good otherwise.

Ylian

I am running way behind on documentation. On embedding, let me know what server type will be the master (NodeJS, ASP.NET...). Once you get MeshCentral running, get the --loginTokenKey and cut and paste it into your server. Then, if the master server is NodeJS, use this code to generate a time limited cookie on your server and use it as documented. The user name is "user/(domain)/(account name in lower case)", the sample below is for "admin" on the default domain. hope it helps until I get time to work on documentation.

obj.crypto = require('crypto');
obj.encodeCookie({ u: 'user//admin', a: 3 }, obj.loginCookieEncryptionKey)

// Encode an object as a cookie using a key using AES-GCM. (key must be 32 bytes or more)
obj.encodeCookie = function (o, key) {
    try {
        if (key == null) { key = obj.serverKey; }
        o.time = Math.floor(Date.now() / 1000); // Add the cookie creation time
        const iv = Buffer.from(obj.crypto.randomBytes(12), 'binary'), cipher = obj.crypto.createCipheriv('aes-256-gcm', key.slice(0, 32), iv);
        const crypted = Buffer.concat([cipher.update(JSON.stringify(o), 'utf8'), cipher.final()]);
        return Buffer.concat([iv, cipher.getAuthTag(), crypted]).toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
    } catch (e) { return null; }
};

Ylian

@black3dynamite Right, it's not always big updates. Doing a lot of security work recently. Just about to publish a new version with better password change dialogs, random time delay if on bad passwords, ask for old password when changing it, display password policy at the right places, etc.

vpr00

@Ylian said in Comparing MeshCentral 2 to ScreenConnect:

I am running way behind on documentation. On embedding, let me know what server type will be the master (NodeJS, ASP.NET...). Once you get MeshCentral running, get the --loginTokenKey and cut and paste it into your server. Then, if the master server is NodeJS, use this code to generate a time limited cookie on your server and use it as documented. The user name is "user/(domain)/(account name in lower case)", the sample below is for "admin" on the default domain. hope it helps until I get time to work on documentation.

obj.crypto = require('crypto');
obj.encodeCookie({ u: 'user//admin', a: 3 }, obj.loginCookieEncryptionKey)

// Encode an object as a cookie using a key using AES-GCM. (key must be 32 bytes or more)
obj.encodeCookie = function (o, key) {
    try {
        if (key == null) { key = obj.serverKey; }
        o.time = Math.floor(Date.now() / 1000); // Add the cookie creation time
        const iv = Buffer.from(obj.crypto.randomBytes(12), 'binary'), cipher = obj.crypto.createCipheriv('aes-256-gcm', key.slice(0, 32), iv);
        const crypted = Buffer.concat([cipher.update(JSON.stringify(o), 'utf8'), cipher.final()]);
        return Buffer.concat([iv, cipher.getAuthTag(), crypted]).toString('base64').replace(/\+/g, '@').replace(/\//g, '$');
    } catch (e) { return null; }
};

Thanks for your fast reply. My master server is running python and im not sure if i can replicate your piece of code in python.

Anyway, thanks for your reply. I see youre busy with other features and i dont want to take too much of your time away.

Maybe there is some python/crypto expert on here which can translate your code to phyton?

I mean, for my needs it would be suitable if i could easily create one login token without time limit. I think a feature like this would be easily implemented on your side but im not sure if that would be against your security model?

Ylian

@vpr00 If you want to be completely evil... you can try on your server /createLoginToken.ashx?user=(username)&pass=(password) and it will return a login token. It's evil because passing credentials in a URL like this is really bad. Often URL's are logged and so your password is in event logs. This said, people kept wanting me to add this feature...

vpr00

@Ylian said in Comparing MeshCentral 2 to ScreenConnect:

@vpr00 If you want to be completely evil... you can try on your server /createLoginToken.ashx?user=(username)&pass=(password) and it will return a login token. It's evil because passing credentials in a URL like this is really bad. Often URL's are logged and so your password is in event logs. This said, people kept wanting me to add this feature...

Of course it would be better if I could create login tokins on the business server or if i would just have 1 non time-limited login token but i can live with your suggestion for testing purposes for now.

Id be very happy to be able to generate login token on my business server sometime in the near future though.

I think people are wanting it because they are generally doing the necessary security measures before even exposing the option to access MeshCentral. So at that point they want a quick and easy way to login a user which is already a trusted user on their side.

Thanks for your fast reply as always!

JaredBusch

@Ylian said in Comparing MeshCentral 2 to ScreenConnect:

This said, people kept wanting me to add this feature...

You reject these kinds of feature requests and tell people to smeg off.

travisdh1

@Ylian said in Comparing MeshCentral 2 to ScreenConnect:

@vpr00 If you want to be completely evil... you can try on your server /createLoginToken.ashx?user=(username)&pass=(password) and it will return a login token. It's evil because passing credentials in a URL like this is really bad. Often URL's are logged and so your password is in event logs. This said, people kept wanting me to add this feature...

Please, ignore people being stupid.