Since today’s version there is a new login screen. Is it possible to disable this new look? (as I don’t want to display the users)
Hi everyone,
I’m facing a similar challenge with the new login screen in Home Assistant. My setup involves Home Assistant behind a Caddy ingress controller, acting as a reverse proxy to another machine. This configuration leads Home Assistant to treat all traffic as internal, thus always displaying the new user-select login screen.
For enhanced security, I considered configuring Caddy to use the client IP using proxyProtocol. However, this would require changing my home network to BGP mode instead of the simpler layer 2 mode. I’m looking for a straightforward solution that keeps my home network setup simple. Has anyone found a way to disable this new login screen and revert to the traditional login method?
Appreciate any insights!
So I’ve solved my problem. It was my load balancer.
I’m running a Kubernetes cluster with MetalLB and Caddy as ingress controller. Caddy works fine, but MetalLB has an externalTrafficPolicy that is set to Cluster and removes the external IP. I had to set mine to Local.
Hi All, I would also like to disable the new login screen.
I am running the Nginx reverse proxy and facing the same issue where I can see user names even from outside of my network.
Is there any way to disable the new login page or modify my proxy configuration to avoid this issue?
Thanks
I have added
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
to my Nginx Proxy configuration, which solved the issue.
Looks like users are disclosed as well simply if the client is on any private address range and HA is on any other private address range.
Even when passing the X-Forwarded-For header to HA behind a proxy (which Caddy does by default) the users are listed.
If I navigate to the HA webpage without any cookies from a class C private subnet on my LAN to the other class C private subnet where HA is, the users are listed. I don’t have any trusted networks set.
There’s a GitHub issue already to manually disable this new feature.
Well, the GitHub issue was closed since it’s “not an issue”, not really true in this case imo.
This is a serious security flaw that should not even be considered to be auto opt-in, let alone to not have a way to disable it.
I for sure was not waiting for this “feature”.
Can’t believe that such a clear security problem is being dismissed. Imagine an attacker navigating to your HA instance and getting a nice listing of all the users.
I have opened a feature request: Login method: select from legacy or new
Please upvote so we can get this done ASAP.
This is not a feature request. This is a MAJOR security issue. That this flagrant flaw in security is “only” in the internal network is not up for debate. Internal network security issues are well-known to be the most exploited and underestimated issues. UNBELIEVABLE we have to put up with this mandatory security reduction. And even more blatant is the fact that this is packaged as a “beautiful new login page”.
The login page should be even more anonymized that the fact that it is a home-assistant page is not even visible.
I can’t believe this, I just discovered this issue on my setup. It’s a concerning security practice.
This change needs to be reverted ASAP; in the worst case it should have been opt-in.
By the way, here’s the branch that introduced the new login screen. It was merged on 11/24. Unfortunately there’s no discussion on the security implications.
Extend auth/providers endpoint and add /api/person/list endpoint for local ip requests #103906
The GitHub issue is marked as too heated because the Home Assistant team has a lack of arguments.
Yep, saw that coming. Users’ arguments are technically indisputable, but Nabu Casa chooses to shut them down instead of addressing them.
Can’t believe that they don’t see a problem with HA considering the whole IPv4 and IPv6 private address space (2^64 addresses) “trusted”.
What else can I say that hasn’t been said? To summarize the other threads:
The issue:
- Internal user ids, display name and profile pics are leaked without having to login.
- Removing the requirement to enter the username weakens the login security. Insecure Design in the OWASP Top 10. Heightened in this case since the software deals with IoT.
- This is a textbook information disclosure vulnerability.
Nabu Casa’s response:
- Insist that it’s working as designed.
- Suppress issue discussion on GitHub.
- Keep silent on the request to make the feature optional.
Mitigations:
- Place Home Assistant in a dedicated subnet and arrange some technical means (i.e., reverse proxy or NAT) to make it think all requests come from a public IP.
- If the above is not possible, ensure that only trusted parties (in IoT almost nothing is trusted) can reach the web GUI endpoint (port 8123 by default).
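To make the addressing behaviour this thread keeps circling back to concrete (the nginx X-Forwarded-For fix, the MetalLB Cluster-policy SNAT, and the private-subnet-to-private-subnet case), here is an added Python model of the "does this request look local?" decision. It is not Home Assistant’s code; the LAN ranges, the trusted-proxy rule and every address in it are constructed assumptions.

```python
import ipaddress

# Constructed approximation of a "request comes from the LAN" check: the
# effective client address is matched against RFC 1918, loopback, link-local
# and IPv6 ULA ranges. Not Home Assistant's own logic or range list.
LAN_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 ULA
)]


def effective_client_ip(remote_addr, x_forwarded_for=None, trusted_proxies=()):
    """Address the application will treat as the client.

    Only when the TCP peer is a configured trusted proxy is the left-most
    X-Forwarded-For entry believed; otherwise the peer address itself is used.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = any(peer in ipaddress.ip_network(p) for p in trusted_proxies)
    if x_forwarded_for and trusted:
        return ipaddress.ip_address(x_forwarded_for.split(",")[0].strip())
    return peer


def appears_local(remote_addr, x_forwarded_for=None, trusted_proxies=()):
    """True when the effective client address falls in a LAN range."""
    ip = effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies)
    return any(ip in net for net in LAN_RANGES)


def thread_scenarios():
    """The situations described in the thread, with constructed addresses."""
    proxy = "192.168.1.10"  # assumed LAN address of the reverse proxy
    return {
        # nginx without proxy_set_header X-Forwarded-For: HA only sees the proxy.
        "nginx_no_xff": appears_local(proxy, None, [proxy]),
        # nginx forwarding the real address of an internet visitor.
        "nginx_xff_public": appears_local(proxy, "203.0.113.7", [proxy]),
        # externalTrafficPolicy: Cluster SNATs the visitor to a node IP before
        # Caddy sees it, so the forwarded address is still a private one.
        "metallb_cluster_snat": appears_local(proxy, "10.42.0.5", [proxy]),
        # Direct client from a neighbouring private /24, no proxy involved.
        "other_lan_subnet": appears_local("192.168.2.20"),
        # A forwarded header from a peer that is not a trusted proxy is ignored.
        "xff_from_untrusted_peer": appears_local("203.0.113.7", "192.168.1.1", [proxy]),
    }
```

Only `nginx_xff_public` and `xff_from_untrusted_peer` come out non-local, which is why the mitigation above amounts to making every request reach HA with a public effective address.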
“exposing ALL home-assistant instance users globally”
Where are you getting this from?
Is it technically so hard to give the option to be able to choose one of two login methods?
It could be implemented in a relatively short time. But we haven’t been told whether they are considering it.
You can understand that whoever updates to this latest release (2023.12) automatically has all their users exposed on their LAN, and if you assume that most (if not all) people use a proxy, they automatically get all their users exposed to the outside world.
It seems that something might have been done about this here yesterday: Add option for exposing users on local networks by edenhaus · Pull Request #105545 · home-assistant/core · GitHub
But then again they made this option to default TRUE (which should logically from a security standpoint be defaulted to FALSE). Ridiculous.