Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update configPage.html - Provider description #177

Open
wants to merge 4 commits into
base: main
Choose a base branch
from

Conversation

v3DJG6GL
Copy link

@v3DJG6GL v3DJG6GL commented Apr 9, 2024

I just accidentally discovered that the recommended default provider setting can cause a serious security issue:
If Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider is used, every newly created user has no password by default. Therefore, passwordless login is possible for all these users. I think it would be wise to at least mention this as it is not really mentioned at all.

In addition, I think it would be good to mention Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin as another option that might be more suitable for most use cases.

@9p4
Copy link
Owner

9p4 commented Apr 10, 2024

Huh, the newly created user should have a random password:

user.Password = _cryptoProvider.CreatePasswordHash(Convert.ToBase64String(RandomNumberGenerator.GetBytes(64))).ToString();

@djsime1
Copy link

djsime1 commented Apr 11, 2024

I just checked on my instance and confirmed SSO users have no password, this is a serious security issue. JF 10.8.13, SSO 3.4.0.0

@9p4
Copy link
Owner

9p4 commented Apr 11, 2024

Your plugin seems a few years out of date. Can you please update to 3.5.2.3?

@djsime1
Copy link

djsime1 commented Apr 11, 2024

So much for the plugin updater task, my bad.

@9p4
Copy link
Owner

9p4 commented Apr 11, 2024

Please let me know if new users continue to not have a password.

@v3DJG6GL
Copy link
Author

v3DJG6GL commented Apr 11, 2024

Could it be that an older version from around the middle of last year had a bug where no random password was generated?
I've done some further analysis and it seems that accounts created between mid-2023 (where I had my Jellyfin instance set up) and towards the end of the year have no passwords.

Another account created two months ago does not seem to be affected by this issue.

Also, all these older Jellyfin accounts do not seem to generate a random password even now if the provider is set to Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider - even though the current version of the SSO plugin is used.

Only when the provider is changed to Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin and these users log in again, they get a random password set.

@9p4
Copy link
Owner

9p4 commented Apr 11, 2024

The version released Aug 5, 2023 (3.5.0.0) fixed the issue.

Sorry for the previous response, I just got your reply right before I hit send.

Also, all these older Jellyfin accounts do not seem to generate a random password even now if the provider is set to Jellyfin.Server.Implementations.Users.DefaultAuthenticationProvider - even though the current version of the SSO plugin is used.

The password is only set when new users are being created. Since the users are already existing, the plugin does not touch their passwords.

Only when the provider is changed to Jellyfin.Plugin.LDAP_Auth.LdapAuthenticationProviderPlugin and these users log in again, they get a random password set.

That is weird. I wonder why that happens.

Maybe this PR can be updated to mention the LDAP provider string instead of the security warning?

@v3DJG6GL
Copy link
Author

v3DJG6GL commented Apr 11, 2024

Sorry for the previous response, I just got your reply right before I hit send.

No worries, thanks for your fast replies :)

The version released Aug 5, 2023 (3.5.0.0) fixed the issue.

hmmm... I wonder how many users were created while using with SSO plugin versions affected by this bug and didn't realize it until today that their accounts are accessible without password...

The password is only set when new users are being created. Since the users are already existing, the plugin does not touch their passwords.

That is weird. I wonder why that happens.

I don't know it either. But how about implementing a similar mechanism for the default provider to set a random password at least once with the next update? EDIT: If no password is set at all
I'm a bit worried about how many Jellyfin users might not be aware of this issue....

Maybe this PR can be updated to mention the LDAP provider string instead of the security warning?

Yes, for sure! I'll update the PR since this doesn't seem to affect recent plugin versions.

@9p4
Copy link
Owner

9p4 commented Apr 11, 2024

I don't know it either. But how about implementing a similar mechanism for the default provider to set a random password at least once with the next update?

I think that this is a good idea.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants