Turris OS packages issues
https://gitlab.nic.cz/turris/os/packages/-/issues
2024-03-12T14:20:58+01:00

https://gitlab.nic.cz/turris/os/packages/-/issues/866
turris-auth+lighttpd: make sure that turris webapps are not accessible in case turris-auth is not running
2024-03-12T14:20:58+01:00
Martin Matějek

In case that turris-auth check & redirection (`https://<router-ip>/login?/`)
```
https://<router-ip>/login?/<target_url> --> https://<router-ip>/<target_url>
```
is not available to lighttpd for some reason - for example [turris-auth config for lighttpd](https://gitlab.nic.cz/turris/os/packages/-/blob/master/web/turris-auth/files/lighttpd.conf) cannot be loaded - then turris webapps are directly accessible without authentication.
It would be useful to have a failsafe config for lighttpd (or some other measure), which would block access to reforis in case that turris-auth is not running, but reforis is running.
---
Please note that in case turris-auth is running, but a runtime error occurs, reforis and pakon (and probably other turris webapps that lack internal authentication) won't be accessible - which is fine, because they are still, although in a weird way, protected by turris-auth.
cc: @mhrusecky, @jschlehofer, @shenek

Richard Muzik

https://gitlab.nic.cz/turris/os/packages/-/issues/689
initial-config: Allow hashed passwords to be specified in config
2020-10-31T02:57:21+01:00
Karel Koci

Initial version of initial-config addressed only insecure but simple configuration. It would be better to allow users to use a hashed password even when generating it is more complicated. It would be an option for advanced users having to do configuration without ethernet as well.
The following discussion from !560 should be addressed:
- [ ] @vmyslivec started a [discussion](https://gitlab.nic.cz/turris/turris-os-packages/-/merge_requests/560#note_178336): (+5 comments)
> follow-up from https://gitlab.nic.cz/turris/turris-os-packages/-/merge_requests/560#note_177635
>
> Is it intended to let users generate a config that would be left on some USB flash drive with cleartext (non-hashed) passwords?
>
> I know we can't get rid of Wi-Fi password in clear text but foris and system password can be prepared in their hashed form.
>
> This README can include steps to generate desired hash.