Opened 13 years ago

Closed 12 years ago

#1089 closed bug (Fixed)

authentication

Reported by: martinlindhe
Owned by: damoxc
Priority: major
Milestone: 1.3
Component: Web UI
Version: 1.2.0_rc4
Keywords:
Cc: martin@…

Description

Hello. I am a new deluge user so perhaps I am just confused.

I found references in documentation and in other places for a username & password authentication for the deluge daemon.

However in the web ui I only get a "password" prompt (what is the username? - where is the username?)

I only found it possible to configure a password using the gtk ui, yet still the daemon requires a username as well for RPC (I was messing with flexget deluge module)

I am not sure if this is a bug (entering a username is missing?) or if the username concept has been removed in recent versions of deluge, then the documentation is outdated?

Personally I would like to keep the ability to configure a username & password pair for access.

Change History (7)

comment:1 Changed 13 years ago by damoxc

  • Component changed from other to webui
  • Milestone set to 1.3.0
  • Owner changed from andar to damoxc
  • Status changed from new to accepted

The web ui password and authentication is a completely separate entity to the client/core auth system.

The default password is simply "deluge". Adding the ability to have multiple users with their own username and password is planned, in this release merely the architecture for it was put in place. It will be one of the things added in 1.3.

comment:2 in reply to: ↑ description Changed 13 years ago by Ghent

Replying to martinlindhe:

However in the web ui I only get a "password" prompt (what is the username? - where is the username?)

The default webui password is 'deluge', which I believe is documented somewhere on the site.

I only found it possible to configure a password using the gtk ui, yet still the daemon requires a username as well for RPC (I was messing with flexget deluge module)

Configure a password for what using the gtkui? In the preferences area of the webui you can configure / change the password for the webui access.

The daemon does not use the same password information as the webui. It is separate and contained in the ~/.config/deluge/auth file by default. The documentation on the site is pretty accurate on how to use this, except in 1.2 you need to append ":10" to each line you add (as you see for the default entry). This is for future features not yet implemented. As for running flexget, you shouldn't need to do any authentication, as it will natively try to use deluge's localhost authentication which should work. However, see Flexget's wiki page on the Deluge plugin if you do need to use authentication as well as Deluge's wiki page on setting up remote authentication for the daemon / clients.

I am not sure if this is a bug (entering a username is missing?) or if the username concept has been removed in recent versions of deluge, then the documentation is outdated?

Personally I would like to keep the ability to configure a username & password pair for access.

Just to state again for clarity: the webui uses a separate password database internal to itself and only uses a password (no username). The daemon uses a username / password pair which is configurable with information from Deluge's wiki (with minor modifications)
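An added example (not part of the ticket and not Deluge's own code): a small audit of the daemon auth file described in comment:2, assuming each entry has the form username:password:level. The `audit_auth` name and the sample entries are constructed for illustration.

```python
# Added example: audit a Deluge daemon auth file. Not Deluge's own code.
# Assumes entries of the form username:password:level, one per line.
KNOWN_DEFAULTS = {"deluge"}  # the web UI default password named in this ticket

# Constructed sample file; the localclient secret is a placeholder value.
SAMPLE_AUTH = """\
localclient:0123456789abcdef0123456789abcdef01234567:10
alice:correct-horse-battery:10
bob:deluge:10
carol:s3cret-but-no-level
dave::10
alice:another-password:10
"""


def audit_auth(text):
    """Return (line_number, username, problem) for every risky entry."""
    findings, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumed: '#' marks a comment
            continue
        parts = line.split(":")
        user = parts[0]
        if len(parts) < 2:
            findings.append((lineno, user, "no password field"))
            continue
        if len(parts) == 2:
            findings.append((lineno, user, "missing ':10' level suffix (needed in 1.2)"))
        elif len(parts) > 3 or not parts[2].isdigit():
            findings.append((lineno, user, "malformed level field"))
        if not parts[1]:
            findings.append((lineno, user, "empty password"))
        elif parts[1] in KNOWN_DEFAULTS:
            findings.append((lineno, user, "password is a known default"))
        if user in seen:
            findings.append((lineno, user, "duplicate username"))
        seen.add(user)
    return findings


if __name__ == "__main__":
    for lineno, user, problem in audit_auth(SAMPLE_AUTH):
        print(f"line {lineno}: {user}: {problem}")
```

To check a real installation, pass the contents of ~/.config/deluge/auth to `audit_auth` instead of the sample.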

comment:3 Changed 13 years ago by martinlindhe

Okay thanks for the clarification. I think I got confused because I assumed the architecture was that the UIs were clients connecting to the deluge server:

deluged <-authentication-> gtk-ui
        \--> web-ui

But correct me if I'm wrong, the architecture is now rather

deluged <-authentication-> gtk-ui
        \--> deluge-web (daemon too) <-authentication 2-> web-ui

I can see this allows me to set up one web-ui where I can control multiple deluge servers. However, it breaks the security model by assuming a setup with multiple username&passwords compromised by only one password to the web ui.

Also, that ability to control multiple machines running deluge is quite a power-user feature. It's quite odd to me to first connect to a server (a web server), then using the web application in order to connect to the server (me and most other users are running the deluged and deluge-web daemons on the same machine).

comment:4 Changed 13 years ago by martinlindhe

Sorry, but I mentioned broken security in my previous post. It now struck me that it is a lot more broken when a known default password exists.

comment:5 Changed 13 years ago by damoxc

Which you should change in the preferences to something unknown...

comment:6 Changed 13 years ago by martinlindhe

Yes of course I changed the password and port before even coming here.

The reason for opening the ticket is because I am confused by the security model. Then I got confused by the server-client model as well.

If a web-ui is installed on the default port and the user has tested it out (connecting to localhost deluged daemon) and the web ui stores the daemon connection as a bookmark, then all someone needs is a password (no username) to connect to the added server(s) through the web-ui later.

But since both the password and default port have known defaults, it sounds scary to me.

Please notice 1.2 will be pushed into popular end-user distros like ubuntu soon and many non-technical people will try this out since it's available.

comment:7 Changed 12 years ago by damoxc

  • Resolution set to fixed
  • Status changed from accepted to closed

I'm closing this as in master it now asks you to change your password upon first login. The situation will further improve post 1.3 when multiple users will be added.
