@Burningstone
My installation is not exposed to the internet in any way (except for webhooks for some integrations - but those can be disabled).
So even if an attacker knows my HA credentials or HA has any security issue - my setup is secure. As there is no remote access.
But if at the same time NC is compromised, remote access can be enabled through the cloud. And this is the case I want to mitigate.
FYI: I’m talking about the case when NC is connected to your HA but you don’t plan to use Remote UI. Or plan to use Remote UI and enable/disable it on demand from HA.
But only if the Nabu Casa cloud has been linked to your HA instance, and why would you link them if you don’t want remote access? I have a Nabu Casa account as well (for supporting) but it’s not linked to my HA instance, because I use a reverse proxy for remote access.
You can do this already, there’s an input_boolean created in HA when you link it to Nabu Casa, which can turn on/off remote access.
This is probably true. Still, it would make sense to be able to react quickly.
An attacker may not have direct access to the home network at this time.
However, this can be done very easily with Home Assistant, I mean it is an open Linux machine in the network.
NC can be used for multiple things, not only Remote UI. E.g. I’m using it to have internet-available webhooks. But I know that I will implement remote access on my own, without a 3rd party cloud/service. So I would like to forbid the possibility of enabling access from NC.
Regarding turning Remote UI on/off, it’s correct, you can do this locally from HA and this is great!
But at the same time, you can turn Remote UI on/off from the cloud. And I want to block that.
So you can have Remote UI disabled locally, and a potential attacker is able to turn it on - without access to your installation. Just through the NC cloud.
Really? I didn’t know that, have you tested it? If this is true, then you have a valid case for this feature request. The attacker still would need to know your Nabu Casa and HA credentials, but your feature request would decrease the risk a bit.
As I said, I already mentioned this in July… (I see that this was only discussed on Discord, not here in the forum.)
This is among other things the reason why I am not willing to activate Remote Access for HomeAssistant.
If it were possible to grant access only to a “simple” user I could overlook that. But this way you could, at least in theory, compromise my home network.
Yes, maybe I am a bit paranoid, but I don’t want anyone to get access to my data/house.
Of course I have technically separated everything via VLAN, but HomeAssistant needs quite a lot of access to some areas in my house… (cameras, front door, garage, location…) It would not be nice if this were the free ticket for criminals.
Agree that user ACL would be great, but I believe that it’s not that easy to implement. Especially if the software was not designed for that from the beginning. And adding just a single switch to forbid remote access is probably 1 day of work.
Probably in my free time I will try to add this and push it upstream. But I’m afraid that without discussion it will not be merged.
I see, thanks for the video. I don’t use Nabu Casa at all to be honest, only paying for support. I have other things such as my own Nextcloud etc. that I need remote access for, so Nabu Casa would anyway not be enough for my needs.
Funny coincidence: yesterday I prepared the change - after 1h of debugging why I can’t connect to NC, I was sure that my endpoint was blocked by the cloud because of suspicion of malicious activity. I removed all changes and reverted back to vanilla HA.
After that I discovered the AWS downtime and NC problems. Great waste of time.
I found this searching for how to disable the remote enabling of remote control which is still there.
Given the recent horrible security hole here in March 2023 this is a must. I will need to unsubscribe from Nabu Casa if this does not get implemented in the near future. If I disable remote control then I want it locked down 100%.
Hi, @KennethLavrsen maybe you want to vote for this feature request to give more visibility to this “problem”.
Personally, I don’t need the remote access via Nabu Casa, but I am happy to support it to promote the project and Nabu Casa’s TSS service. I think it’s a pity that this feature can’t be completely disabled and I would be happy if it would be implemented. Alternatively, it would also be desirable if at least a 2FA auth was available on Nabu Casa to increase the security of remote access.
I didn’t even know that this was possible! And agree: given the vulnerability that was just patched, it’s insane that this post from 2020 didn’t have more visibility from people and the devs not acting on this.
Same as a few others, I have now disabled connection to Nabu Casa from my instance altogether until such time that this isolation is implemented. You should never be able to overwrite your local instance settings from the cloud! I fail to see where this is needed.
I will carry on paying the Nabu Casa subscription as I value the project and wish to support.
For now I have upvoted this feature, hope others follow suit to gain more visibility on this topic.