HassOS Console Password

I’ve been an IT systems engineer for a few years now designing, deploying, auditing and maintaining large infrastructure systems across almost every sector. I’m not new to OT infrastructure either but I am new to automating my home and heard good things about home assistant so I thought I’d give their appliance a try in ESXI.

However, seeing this disappointing ongoing discussion from 2021 as the first result for a simple console password is fairly concerning. I appreciate the response from the moderators but honestly it just highlights the HA team’s nonchalant stance on security. My first thought is what other known and easy to resolve security flaws does this software have.

Watching a team fight against best practices, even when their competitors have implemented it, isn’t something I usually see at any enterprise (big or small) as I’m sure they would be replaced quickly.

Guys please do the right thing here and at least admit a console password is an extra layer of security. And no we’re not talking about an SSH password, this is the console password when accessing the console. HA seems like a cool product and I appreciate the work that’s gone into it, but this isn’t the hill to die on.

4 Likes

Hi!

I recently wanted to set up home assistant at my house and discovered this blatant vulnerability and the repeated refusal to follow information security best practices. It’s really disappointing to see this and now I’m wondering if I have to maintain my own fork just to add something as basic as “a password” because of this refusal to consider defense in depth.

I would hope open source projects would be better than this with regards to basic security hygiene.

As for the arguments that it’s a local console and therfore can ignore all security practices, consider that aside from the obvious issue of VM installations, many of us are running this on hardware with SMI interfaces that provide networked KVM console functionality.

E: On some level I am surprised this issue has not been reported and assigned a CVE number - it absolutely falls afoul of this and could quickly become an exploitable vulnerability: CWE - CWE-306: Missing Authentication for Critical Function (4.14)

2 Likes

Seriously, have you put the CVE in yet? Someone should.

2 Likes

The front door to my home is also only accessible through physical access, but I still prefer keeping it there.

Hypervisors such as XCP-ng use a browser based VM orchestration tool - Xen Orchestra, which gives direct access to the Text Console. So no, not even that argument stands, that the console is only accessible through physical access.

I suppose this is just an oversight that hasn’t been pushed for a lot, and we really should be taking care of this. There are absolutely 0 downsides to having a checkbox so users can make their own choice whether to require a password or no.

TrueNAS checkboxes for example:

I can see both arguments here. There whole point of HAOS as I see it is for it to be a simple thing that you can configure when it boots up.

There are ways around the “if you have physical access, you are doomed” tho.
Trusted computer group (TSG ) made an Opal spec about disk encryption. Lots of hardware supports this, example the Nuc 14. Using this and a yubikey with a static password and you have a fairly good setup with transparent encryption and a hardware token you can store away and bring back when you need to boot.

Home-assistant have too many credentials stored on it to be just a sitting duck for theft and people left with access to the device for an extended period (like airbnb residents). Console password is whats needed for the last step.

1 Like

I was looking around thinking about a solution that would please everyone…
Adding a password here doesnt look that trivial after all.

The ui we see is kickstarted from operating-system/buildroot-external/rootfs-overlay/usr/sbin/hassos-cli at e97b1231dc8d48680a9d5b5a8145f30a536d8327 · home-assistant/operating-system · GitHub . It starts a container that runs cli.sh.

cli.sh is located at plugin-cli/rootfs/usr/bin/cli.sh at d7822d8def96ad3f755dcebdd2de85e9712c662e · home-assistant/plugin-cli · GitHub . Here is where the banner is from and a simple wrapper (rlwrap) that is the prompt. You are in a loop here, not a “shell”.

To be honest, I don’t think I even need to be logging into the console at all.

What we introduced a simple check in cli.sh around line 4 that checks if a file exists (example /homeassistant/.no-tty-prompt), and does nothing.

Or it can be done at top of hassos-cli.

What do others think? For me, it’s about protecting it from curious airbnb types of people and feeling a little more safe leaving the box out of sight. Would be very nice to have a file I can make to lock it down.

1 Like

Making the physical TTY non-responsive would be a fine solution IMO as long as it’s something that we could enable / disable via the UI which is behind the admin only settings.

I made a temporary solution if you want this now. As many noted above, this only really make sense to do if the disk is encrypted so you can’t just reboot it.

This is something that works

docker exec -it hassio_cli bash
vi /usr/bin/cli.sh
  • Put this at the top of the script
cat /proc/cmdline | grep -q "systemd.unit=recovery.target"
if [ $? -ne 0 ]; then
  clear
  echo "..."
  sleep infinity
  exit 143
fi

exit and commit the image locally

hassio docker commit hassio_cli ghcr.io/home-assistant/amd64-hassio-cli:2024.07.0

You can now boot it normally, without anyone having access to a console. Or boot it using recovery (then hit ^d to continue when prompted) and get access to the shell.

This would be a fairly good solution if there was a way for the hassio_cli container to query homeassistant for a config parameter to check if “no_interactive_tty=true” is set (or something).

The hassio_cli has access to the supervisor api, but I didnt find a good place to put a configuration parameter like that in it.

Anyone interested in this feature, please vote in the WTH WTH: Why is there no console password in HAOS? - Month of “What the heck?!” - Home Assistant Community