Opened 15 years ago
Closed 15 years ago
#1089 closed bug (Fixed)
authentication
Reported by: | martinlindhe | Owned by: | Damien Churchill |
---|---|---|---|
Priority: | major | Milestone: | 1.3 |
Component: | Web UI | Version: | 1.2.0_rc4 |
Keywords: | | Cc: | martin@startwars.org |
Description
Hello. I am a new deluge user so perhaps I am just confused.
I found references in documentation and in other places for a username & password authentication for the deluge daemon.
However, in the web ui I only get a "password" prompt (what is the username? - where is the username?)
I only found it possible to configure a password using the gtk ui, yet still the daemon requires a username as well for RPC (I was messing with flexget deluge module)
I am not sure if this is a bug (entering a username is missing?) or if the username concept has been removed in recent versions of deluge, then the documentation is outdated?
Personally I would like to keep the ability to configure a username & password pair for access.
Change History (7)
comment:1 by , 15 years ago
Component: | other → webui |
---|---|
Milestone: | → 1.3.0 |
Owner: | changed from | to
Status: | new → accepted |
comment:2 by , 15 years ago
Replying to martinlindhe:
> However, in the web ui I only get a "password" prompt (what is the username? - where is the username?)
The default webui password is 'deluge', which I believe is documented somewhere on the site.
> I only found it possible to configure a password using the gtk ui, yet still the daemon requires a username as well for RPC (I was messing with flexget deluge module)
Configure a password for what using the gtkui? In the preferences area of the webui you can configure / change the password for the webui access.
The daemon does not use the same password information as the webui. It is separate and contained in the ~/.config/deluge/auth file by default. The documentation on the site is pretty accurate on how to use this, except in 1.2 you need to append ":10" to each line you add (as you see for the default entry). This is for future features not yet implemented. As for running flexget, you shouldn't need to do any authentication, as it will natively try to use deluge's localhost authentication which should work. However, see Flexget's wiki page on the Deluge plugin if you do need to use authentication as well as Deluge's wiki page on setting up remote authentication for the daemon / clients.
> I am not sure if this is a bug (entering a username is missing?) or if the username concept has been removed in recent versions of deluge, then the documentation is outdated?
> Personally I would like to keep the ability to configure a username & password pair for access.
Just to state again for clarity: the webui uses a separate password database internal to itself and only uses a password (no username). The daemon uses a username / password pair which is configurable with information from Deluge's wiki (with minor modifications).
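As an added illustration of the daemon auth file described in the comment above (not code from the Deluge project or from the commenter), this Python audit checks that each line has the three-field `username:password:10` shape the reply gives for 1.2, and that the file holding the daemon credentials is not accessible to group or other. The function names and sample entries are constructed, and the empty-password, web-UI-default and permission checks are assumptions added for the example rather than Deluge behaviour.

```python
import os
import stat

WEBUI_DEFAULT_PASSWORD = "deluge"  # default web UI password named in the ticket


def audit_auth_lines(lines):
    """Return (line_number, problem) findings for daemon auth-file lines."""
    findings = []
    for number, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) == 2:
            findings.append((number, "missing trailing field (1.2 expects ':10')"))
        elif len(fields) != 3:
            findings.append((number, "expected three colon-separated fields"))
            continue
        elif not fields[2].isdigit():
            findings.append((number, "trailing field is not a number"))
        if not fields[1]:
            findings.append((number, "empty password"))
        elif fields[1] == WEBUI_DEFAULT_PASSWORD:
            findings.append((number, "password equals the web UI default"))
    return findings


def audit_auth_file(path):
    """Audit an auth file on disk, including its permission bits."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((0, "file is accessible to group/other: %o" % mode))
    with open(path, encoding="utf-8") as handle:
        findings.extend(audit_auth_lines(handle.readlines()))
    return findings


# Constructed sample content, not taken from a real installation.
SAMPLE = [
    "localclient:0123456789abcdef0123456789abcdef01234567:10\n",
    "alice:deluge:10\n",
    "bob:s3cret-constructed\n",
    "carol::10\n",
]

if __name__ == "__main__":
    for finding in audit_auth_lines(SAMPLE):
        print(finding)
```

Point `audit_auth_file` at the daemon's auth file (`~/.config/deluge/auth` by default, per the comment above) to run the same checks against a real installation.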
comment:3 by , 15 years ago
Okay, thanks for the clarification. I think I got confused because I assumed the architecture was that the UIs were clients connecting to the deluge server:
deluged <-authentication-> gtk-ui
\--> web-ui
but correct me if I'm wrong, the architecture is now rather
deluged <-authentication-> gtk-ui
\--> deluge-web (daemon too) <-authentication 2-> web-ui
I can see this allows me to set up one web-ui where I can control multiple deluge servers. However, it breaks the security model by assuming a setup with multiple username & passwords compromised by only one password to the web ui.
Also, that ability to control multiple machines running deluge is quite a power-user feature. It's quite odd to me to first connect to a server (a web server), then using the web application in order to connect to the server (me and most other users are running the deluged and deluge-web daemons on the same machine).
comment:4 by , 15 years ago
Sorry, but I mentioned broken security in my previous post. It now struck me that it is a lot more broken when a known default password exists.
comment:6 by , 15 years ago
Yes, of course I changed the password and port before even coming here.
The reason for opening the ticket is because I am confused by the security model. Then I got confused by the server-client model as well.
If a web-ui is installed on the default port and the user has tested it out (connecting to localhost deluged daemon) and the web ui stores the daemon connection as a bookmark, then all someone needs is a password (no username) to connect to the added server(s) through the web-ui later.
But since both the password and default port have known defaults, it sounds scary to me.
Please notice 1.2 will be pushed into popular end-user distros like Ubuntu soon and many non-technical people will try this out since it's available.
comment:7 by , 15 years ago
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
I'm closing this as in master it now asks you to change your password upon first login. The situation will further improve post 1.3 when multiple users will be added.
The web ui password and authentication is a completely separate entity to the client/core auth system.
The default password is simply "deluge". Adding the ability to have multiple users with their own username and password is planned; in this release merely the architecture for it was put in place. It will be one of the things added in 1.3.