AMT Manager now configures randomized MPS passwords.
This commit is contained in:
parent
2a93955f47
commit
6fb8beb164
@ -614,14 +614,15 @@ module.exports.CreateAmtManager = function (parent) {
|
||||
|
||||
// Check if anything changes
|
||||
if (device.intelamt == null) { device.intelamt = {}; }
|
||||
if (dev.aquired.version && (typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); }
|
||||
if (dev.aquired.user && (typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); }
|
||||
if (dev.aquired.pass && (typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); }
|
||||
if (dev.aquired.host && (typeof dev.aquired.host == 'string') && (dev.aquired.host != device.host)) { change = 1; log = 1; device.host = dev.aquired.host; changes.push('host'); }
|
||||
if (dev.aquired.realm && (typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); }
|
||||
if (dev.aquired.hash && (typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); }
|
||||
if (dev.aquired.tls && (typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
|
||||
if ((dev.aquired.state != null) && (typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); }
|
||||
if ((typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); }
|
||||
if ((typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); }
|
||||
if ((typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); }
|
||||
if ((typeof dev.aquired.mpspass == 'string') && (dev.aquired.mpspass != device.intelamt.mpspass)) { change = 1; log = 1; device.intelamt.mpspass = dev.aquired.mpspass; changes.push('AMT MPS pass'); }
|
||||
if ((typeof dev.aquired.host == 'string') && (dev.aquired.host != device.host)) { change = 1; log = 1; device.host = dev.aquired.host; changes.push('host'); }
|
||||
if ((typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); }
|
||||
if ((typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); }
|
||||
if ((typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
|
||||
if ((typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); }
|
||||
|
||||
// Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch
|
||||
if ((typeof dev.aquired.warn == 'number')) { if ((dev.aquired.warn == 0) && (device.intelamt.warn != null)) { delete device.intelamt.warn; change = 1; } else if (dev.aquired.warn != device.intelamt.warn) { device.intelamt.warn = dev.aquired.warn; change = 1; } }
|
||||
@ -1165,6 +1166,7 @@ module.exports.CreateAmtManager = function (parent) {
|
||||
var serverNameSplit = dev.cira.mpsName.split('.');
|
||||
dev.cira.mpsPort = ((parent.args.mpsaliasport != null) ? parent.args.mpsaliasport : parent.args.mpsport);
|
||||
dev.cira.mpsAddressFormat = 201; // 201 = FQDN, 3 = IPv4
|
||||
dev.cira.mpsPass = getRandomAmtPassword();
|
||||
if ((serverNameSplit.length == 4) && (parseInt(serverNameSplit[0]) == serverNameSplit[0]) && (parseInt(serverNameSplit[1]) == serverNameSplit[1]) && (parseInt(serverNameSplit[2]) == serverNameSplit[2]) && (parseInt(serverNameSplit[3]) == serverNameSplit[3])) { dev.cira.mpsAddressFormat = 3; }
|
||||
|
||||
// Check if our server is already present
|
||||
@ -1207,7 +1209,7 @@ module.exports.CreateAmtManager = function (parent) {
|
||||
function addMpsServer(dev) {
|
||||
// Add the MPS server if not present
|
||||
if (dev.cira.mpsPresent == null) {
|
||||
dev.amtstack.AMT_RemoteAccessService_AddMpServer(dev.cira.mpsName, dev.cira.mpsAddressFormat, dev.cira.mpsPort, 2, null, dev.cira.meshidx, 'P@ssw0rd', dev.cira.mpsName, function (stack, name, response, status) {
|
||||
dev.amtstack.AMT_RemoteAccessService_AddMpServer(dev.cira.mpsName, dev.cira.mpsAddressFormat, dev.cira.mpsPort, 2, null, dev.cira.meshidx, dev.cira.mpsPass, dev.cira.mpsName, function (stack, name, response, status) {
|
||||
const dev = stack.dev;
|
||||
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
|
||||
if (status != 200) { dev.consoleMsg("Failed to create new MPS server (" + status + ")."); removeAmtDevice(dev); return; }
|
||||
@ -1215,6 +1217,10 @@ module.exports.CreateAmtManager = function (parent) {
|
||||
dev.cira.mpsPresent = getItem(response.Body.MpServer.ReferenceParameters.SelectorSet.Selector, '@Name', 'Name').Value;
|
||||
dev.consoleMsg("Created new MPS server.");
|
||||
addMpsPolicy(dev);
|
||||
|
||||
// Update the device with the MPS password
|
||||
dev.aquired.mpspass = dev.cira.mpsPass;
|
||||
UpdateDevice(dev);
|
||||
});
|
||||
} else {
|
||||
// MPS server is present, check MPS trigger policy
|
||||
|
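Review bot: Devices that were already provisioned with the former hard-coded `'P@ssw0rd'` are never migrated: `dev.cira.mpsPass = getRandomAmtPassword();` runs on every pass through the earlier hunk, but the new value is only sent to the device and persisted (`dev.aquired.mpspass = dev.cira.mpsPass; UpdateDevice(dev);`) inside the `dev.cira.mpsPresent == null` branch of `addMpsServer`, so the `else` branch (MPS server already present; its body continues past the hunk) leaves the known weak password in place and the device record without an `mpspass`. Consider rotating on that path whenever the stored record has no `mpspass`, for example by removing and re-adding the MPS entry, so the fleet converges on per-device secrets instead of only newly enrolled machines. Nothing in this commit shows the MPS side validating the per-device password on inbound CIRA authentication; if it does not, this change removes the hard-coded literal from the device but does not make the CIRA login any stronger, which is worth confirming against mpsserver. Whether `getRandomAmtPassword()` draws from a cryptographically secure source is also not visible here.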
11
db.js
11
db.js
@ -276,7 +276,7 @@ module.exports.CreateDB = function (parent, func) {
|
||||
function performTypedRecordEncrypt(data) {
|
||||
if (obj.dbRecordsEncryptKey == null) return data;
|
||||
if (data.type == 'user') { return performPartialRecordEncrypt(Clone(data), ['otpkeys', 'otphkeys', 'otpsecret', 'salt', 'hash', 'oldpasswords']); }
|
||||
else if ((data.type == 'node') && (data.intelamt != null)) { var xdata = Clone(data); xdata.intelamt = performPartialRecordEncrypt(xdata.intelamt, ['user', 'pass']); return xdata; }
|
||||
else if ((data.type == 'node') && (data.intelamt != null)) { var xdata = Clone(data); xdata.intelamt = performPartialRecordEncrypt(xdata.intelamt, ['user', 'pass', 'mpspass']); return xdata; }
|
||||
else if ((data.type == 'mesh') && (data.amt != null)) { var xdata = Clone(data); xdata.amt = performPartialRecordEncrypt(xdata.amt, ['password']); return xdata; }
|
||||
return data;
|
||||
}
|
||||
@ -1566,7 +1566,10 @@ module.exports.CreateDB = function (parent, func) {
|
||||
function dbNodeChange(nodeChange, added) {
|
||||
common.unEscapeLinksFieldName(nodeChange.fullDocument);
|
||||
const node = nodeChange.fullDocument;
|
||||
if (node.intelamt && node.intelamt.pass) { delete node.intelamt.pass; } // Remove the Intel AMT password before eventing this.
|
||||
if (node.intelamt != null) { // Remove the Intel AMT password and MPS password before eventing this.
|
||||
if (node.intelamt.pass != null) { node.intelamt.pass = 1; }
|
||||
if (node.intelamt.mpspass != null) { node.intelamt.mpspass = 1; }
|
||||
}
|
||||
parent.DispatchEvent(['*', node.meshid], obj, { etype: 'node', action: (added ? 'addnode' : 'changenode'), node: node, nodeid: node._id, domain: node.domain, nolog: 1 });
|
||||
}
|
||||
|
||||
@ -1587,7 +1590,9 @@ module.exports.CreateDB = function (parent, func) {
|
||||
mesh.nolog = 1;
|
||||
delete mesh.type;
|
||||
delete mesh._id;
|
||||
if (mesh.amt) { delete mesh.amt.password; } // Remove the Intel AMT password if present
|
||||
if (mesh.amt != null) {
|
||||
if (delete mesh.amt.password != null) { mesh.amt.password = 1; } // Remove the Intel AMT password if present
|
||||
}
|
||||
parent.DispatchEvent(['*', mesh.meshid], obj, mesh);
|
||||
}
|
||||
|
||||
|
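Review bot: `if (delete mesh.amt.password != null) { mesh.amt.password = 1; }` in the dbMeshChange hunk does not do what its comment and the parallel node code intend: `delete` binds tighter than `!=`, so the property is deleted and the result `true != null` is always true, which sets `mesh.amt.password = 1` even when the policy had no password, so every dispatched mesh event now claims an AMT password is configured. The secret itself is still removed, so this is a false "password present" indicator rather than a leak. The line should read `if (mesh.amt.password != null) { mesh.amt.password = 1; }`, matching the `dbNodeChange` hunk above and `CloneSafeMesh` in webserver.js. dbMeshChange's start is outside the hunk.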
@ -674,7 +674,10 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
|
||||
delete docs[i].meshid;
|
||||
|
||||
// Remove Intel AMT credential if present
|
||||
if (docs[i].intelamt != null && docs[i].intelamt.pass != null) { delete docs[i].intelamt.pass; }
|
||||
if (docs[i].intelamt != null) {
|
||||
if (docs[i].intelamt.pass != null) { docs[i].intelamt.pass = 1; }
|
||||
if (docs[i].intelamt.mpspass != null) { docs[i].intelamt.mpspass = 1; }
|
||||
}
|
||||
|
||||
// If GeoLocation not enabled, remove any node location information
|
||||
if (domain.geolocation != true) {
|
||||
|
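Review bot: The comment `// Remove Intel AMT credential if present` above the new block is now inaccurate: the code replaces `pass` and `mpspass` with the marker `1` rather than removing them, and a reader could mistake that `1` for a literal credential. Suggest `// Mask Intel AMT credentials: replace pass/mpspass with 1 so the client can tell one is set without receiving the secret`. This is the third copy of the same masking logic in this commit (alongside `dbNodeChange` in db.js and `CloneSafeNode` in webserver.js); routing all of them through one helper would keep the set of masked fields in sync the next time a secret is added, and would have avoided the divergence in the db.js mesh path. The enclosing function starts and ends outside the hunk; it mutates `docs[i]` in place, which is only safe if these are fresh query results rather than shared cached objects, so worth confirming.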
@ -5899,10 +5899,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
obj.CloneSafeNode = function (node) {
|
||||
if (typeof node != 'object') { return node; }
|
||||
var r = node;
|
||||
if (r.intelamt && r.intelamt.pass) {
|
||||
if ((r.intelamt != null) && ((r.intelamt.pass != null) || (r.intelamt.mpspass != null))) {
|
||||
r = Object.assign({}, r); // Shallow clone
|
||||
r.intelamt = Object.assign({}, r.intelamt); // Shallow clone
|
||||
delete r.intelamt.pass; // Remove the Intel AMT password from the node
|
||||
if (r.intelamt.pass != null) { r.intelamt.pass = 1; }; // Remove the Intel AMT administrator password from the node
|
||||
if (r.intelamt.mpspass != null) { r.intelamt.mpspass = 1; }; // Remove the Intel AMT MPS password from the node
|
||||
}
|
||||
return r;
|
||||
}
|
||||
@ -5911,10 +5912,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
|
||||
obj.CloneSafeMesh = function (mesh) {
|
||||
if (typeof mesh != 'object') { return mesh; }
|
||||
var r = mesh;
|
||||
if (r.amt && r.amt.password) {
|
||||
if ((r.amt != null) && (r.amt.password != null)) {
|
||||
r = Object.assign({}, r); // Shallow clone
|
||||
r.amt = Object.assign({}, r.amt); // Shallow clone
|
||||
delete r.amt.password; // Remove the Intel AMT password from the policy
|
||||
if (r.amt.password != null) { r.amt.password = 1; } // Remove the Intel AMT password from the policy
|
||||
}
|
||||
return r;
|
||||
}
|
||||
|
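Review bot: The trailing `;` after the closing brace on `if (r.intelamt.pass != null) { r.intelamt.pass = 1; };` and on the `mpspass` line in `CloneSafeNode` are stray empty statements that should be dropped, and the comments on those lines still say "Remove the ... password" although the code now substitutes the marker `1`. A short header such as `// Returns a copy of node that is safe to send to clients: intelamt.pass and intelamt.mpspass are replaced with 1 (meaning "set"), never the secret. The copy is shallow - every property other than intelamt is shared with the input, so callers must not mutate the result.` would document the contract the two `Object.assign` calls establish; the same applies to `CloneSafeMesh` and `amt.password` in the second hunk. Note that the guard also changed from truthiness (`r.intelamt.pass`) to `!= null`, so an empty-string password is now reported to clients as set rather than dropped; that may be intended but it is a visible behaviour change.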