Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Looking forward to the next drop (6.x?)
#71
(07-08-2020, 08:45 AM)Dean Roddey Wrote:
(07-08-2020, 04:38 AM)gReatAutomation Wrote: I guess I am not following as there are already logins in place in CQC when opening the IV as well as when opening the admin console. IMHO these are more than enough.

In "pro" installs, the server running CQC will itself be locked down so customers cannot access it.

The issue is secondary servers, which I think are often, at least in the home, maybe not locked down but are machines of other family members who would be local admins of those machines, possibly I guess. Some servers need to do things on their own, which means they have to be logged in. So we need some way to get them valid credentials without exposing that info basically.

As mentioned, I see this as an extreme corner case. Even with secondary computers, most tech people using CQC are not going to install CQC under the same user name as their kids or family members. Not to mention the fact that we do not allow our kids - or anyone else for that matter - to be local admins, which is an extremely poor cyber hygiene practice.

Just my $0.02. If it were me, I would address it in the release notes and let the end user secure their installation as they see fit.

This is not the only software where special security measures and configurations are needed based on limitations of the software.
Reply
#72
I've gotten rid of one issue with the XML GW by updating it to support secure sockets if you want to have secure connections. That wasn't available when it was first created. I'll have to update the installer to get the extra port and cert info as with the web server. But that provides a clean way to do unique session key exchange for that server. It's an unusual one because it could be likely to be used from outside the network, so it needs to be able to support encrypted connections.
Dean Roddey
Explorans limites defectum
Reply
#73
OK, so the path I've decided on is that the installer (on the MS) will generate a random user name/password and put it into the Windows registry. The installer on non-MS machines will ask the MS for that info and put into the registry on those machines. The installer will require you to log in as a CQC admin so that it can ask the MS for that info.

If a machine running background servers isn't fully locked down, then you need to make sure that the Windows account that the CQC App Shell service is running in has access to the CQC section of the Registry, and deny it to everyone else (except your local admin account on that machine.) Presumably you will run the installer in your local admin account so he'll have access to it.

If the machine is physically secure then no need to do anything special, both installer and background servers will have access to to those values since access to them won't be restricted, though you could still do it if you want to be extra safe.

Every time you upgrade the MS to a new version, the installer will generate a new name/password, replacing the previous one. You have to upgrade all other machines in that case to keep them in sync, so they will get the new info as well.
Dean Roddey
Explorans limites defectum
Reply
#74
I've been banging away and am making slow but steady progress. I went down a couple of wrong roads for a bit there until I figured out I was thinking backwards.

There will be one more release before the open source move. Anyone wanting to to move to subsequent versions will need to go to this next drop first. That will let me drop/update/rearrange things, then I can remove any code that's no longer needed before the open source drop.
Dean Roddey
Explorans limites defectum
Reply
#75
Dean,

Do you have any interest in adding a "Fan" and "Shade" semantic type to the Lutron RadioRA2 and Caseta drivers?

Bryan
Reply
#76
Semantic types are system wide, not driver specific. Do you mean add fan/shade support to the driver or add actually add semantic types for fan and shade? I'm not sure the latter would be hugely useful but they could be I guess.

Either way, anything that would be done would have to be after getting the open source stuff transition completed.
Dean Roddey
Explorans limites defectum
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Text to Speech changes in 5.0.9 and forward Dean Roddey 0 2,523 01-12-2017, 06:18 PM
Last Post: Dean Roddey
  Audio Drop Out simon 3 3,072 07-28-2007, 12:24 PM
Last Post: simon
  Next drop date simon 1 2,551 04-22-2007, 11:21 AM
Last Post: Dean Roddey

Forum Jump:


Users browsing this thread: 1 Guest(s)