Disabling Authentication

I did some searching and there weren’t too many threads on the topic - The ‘Your topic is similar to’ ‘helper’ only brought up two threads - one related and one not.

Let me start by saying that adding the authentication as a default really is a GOOD thing. I’m sure that there are plenty of people that have set up HASS, and/or other things, that ‘know enough to be dangerous’ and really don’t give thought to security and put their device with no authentication or default authentication right out there on the internet to get hacked. That being said… not being given a way to totally disable it if one wants (such as browse to the HASS machine and you’re in, like with older versions, vs either having to enter a user and password or select trusted network, then select a user and then log in) is quite poor, and the attitude I’ve read regarding it (Essentially, if you don’t like it, tough - code it yourself) is REALLY poor. The options available now in 0.77 and up, as someone else put it, don’t pass the ‘wife acceptance test’, or to add to that, the ‘mother acceptance test’.

I really don’t know what’s so hard about it - Plex, by default, at least now (I don’t think it always did), requires authentication (There’s one aspect of it that I LOATHE, which I’ll get to in a second), but if you add networks to the ‘Trusted Networks’, you go straight into the interface, as it should be. You don’t get prompted for anything as long as you’re connecting from a trusted network. The part I LOATHE about it is it is ‘cloud connected’ in some fashion no matter what you do - If you aren’t using trusted networks or connect from somewhere that’s not trusted, it redirects you to one of their URLs in ‘the cloud’ to authenticate - That’s no bueno as far as I’m concerned. All of my stuff is behind an enterprise grade firewall, and devices with known potential security issues and ‘call homes’, such as security cameras, are isolated and not allowed to get anywhere other than their own little VLANs. My stuff, behind my firewall, is far more secure, with no ports open to any of it, than a device that is open to the internet with authentication enabled, because once you open a device to the world, regardless of authentication, there is an attack surface to exploit. All you need is one flaw - from weak credentials to a flaw in the code that can be remotely exploited and it’s owned. If you can’t get to it, you can’t try to exploit it. As far as I’m concerned, the fact that Plex, in any way, reaches out to the cloud for anything other than grabbing movie data from IMDB or other similar sources creates a vulnerability. I SERIOUSLY hope HASS NEVER goes the route of being ‘cloud connected’ like that - or at least if it needs to end up a ‘feature’ for those that are all gaga over it (‘the cloud’), it is never enabled unless it is explicitly and deliberately enabled. Maybe make it a module or addon that you must manually add for the functionality to even exist.

I know this will probably be largely ignored, I’ll probably be told this is the way it is - like it, code it yourself (REALLY wish I could code it myself, but I couldn’t code my way out of a wet paper bag) or pound sand, but I figured I’d throw my voice out there as I’m about to toss 0.77.2 that’s on my mother’s HASS and drop it down to an older version that lacks this ‘feature’. Like I said, if adding a network to ‘Trusted_Networks’ functioned the same way Plex does where you are taken straight into the interface without having to pause or click on anything, that would be absolutely fine.

Does this not work as expected?

trusted_networks

(string | list) (Optional) List of trusted networks, consisting of IP addresses or networks, that are allowed to bypass password protection when accessing Home Assistant.

Trusted Networks works fine for me. My initial complaints for release 0.77 and 0.77.1 were because the trusted networks option did not work, and there was no way to avoid using a password. But I haven’t had to enter a password since the initial set up.

It will require a major change in philosophy for HA to take the nightmare approach of cloud based authentication. I think there would be enough people objecting to be able to fork the project and maintain a separate secure version of HA.

Nope - at least in 0.77.2, even connecting from a trusted network, I get a login page, where I then have to select ‘Trusted Network’, and then have to select a user. I’ve read it said that you ‘should’ only ‘have’ to do it once, but the idea that if you’re connecting from a trusted network, you shouldn’t have to do any of that at all, I have to do it every time, from any browser I’ve used and any machine.

If what you are saying is true then I would agree it would be nice if there was a way to default to a user when accessing from a trusted network. It sounds like a very unpopular feature request. Maybe you can modify the trusted network auth provider to do what you’re trying to accomplish?

Trusted networks do not even work for me. I also want to disable it altogether as my instance is not exposed to the internet. I have been very satisfied with HA since the very beginning (I started 2 or 3 years ago), it’s the only feature that I really hate. I can’t stand it and it has been really bugging me since the very first day it was implemented. I do not get why it is not possible to simply remove auth. I had to do a HADashboard panel only so that my wife could still use it easily. That’s nonsense.

Hi, were you able to disable authentication?

I am trying to set up a demo site (with my own custom devices and entities) and don’t want users to go through the login process. I already tried trusted_networks to 0.0.0.0 (i.e. everyone) with no luck.

I just want to show users a demo but in Spanish and also based on demo components and some real ones specific to our location.

Just want the experience to be as trouble free as possible.

Thanks
Claudio
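
On the `0.0.0.0` entry mentioned in the post above, an added example that is not part of the original thread and not Home Assistant's own code: a small audit of a `trusted_networks` list showing how much address space each entry covers. It assumes entries are interpreted as CIDR networks the way Python's `ipaddress` module parses them; the function names `classify` and `is_trusted` and the sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges treated as "local" for this audit (RFC 1918, loopback, IPv6 ULA).
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128",
)]


def classify(entry):
    """Label one trusted_networks entry by how much address space it trusts."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return "invalid"
    if net.prefixlen == 0:
        return "everyone"          # 0.0.0.0/0 or ::/0: every client bypasses login
    if net.num_addresses == 1 and net.network_address.is_unspecified:
        return "unspecified-host"  # bare 0.0.0.0 parses as 0.0.0.0/32, no real client
    if any(r.version == net.version and net.subnet_of(r) for r in LOCAL_RANGES):
        return "local"
    return "public"


def is_trusted(client_ip, entries):
    """True if client_ip falls inside any valid entry of the list."""
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # skip entries that are not addresses or networks
        if addr in net:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample list, not taken from any real configuration.
    sample = ["0.0.0.0", "0.0.0.0/0", "192.168.1.0/24", "203.0.113.0/24", "lan"]
    for e in sample:
        print(f"{e:16} {classify(e)}")
    print(is_trusted("192.168.1.50", ["0.0.0.0"]))
```

An entry classified `everyone` or `public` extends the password bypass beyond the LAN and is worth flagging in a configuration review.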

Yup!! By ‘downgrading’ (Read: upgrading) to 0.76.2.

FYI, if this is still an issue for you in current versions, you should file an issue on GitHub about it if you have not already. Developers do not necessarily look on the forums for issues to solve; the GitHub issue tracker is the only “proper” place to file issues about HA.

When I have a few minutes, I’ll deploy HA to a test Pi and see what happens with the Authentication.