AutoLogin via link or hash ?

Forum for questions and support relating to the 1.26.x releases only.
biboun
Posts: 9
Joined: Sat Jan 04, 2014 3:45 pm

AutoLogin via link or hash ?

Post by biboun »

Hi, I was wondering if there is a way to embed authentication in a zoneminder http link, like
user:pass@zmip/zm/?view=event&mode=stream&mid=7&eid=1841
or any other option
I have set up my zm so it notifies me near real time via emails or alerts; the emails contain the most significant image as an attachment and links to the event stream and the highest score image.
On my iPhone, clicking the links always ends up at the login page.
I have to authenticate (login and pass are saved in the iPhone's Safari browser), then I need to click the link again.
I'd like to provide a link that works directly, obviously from outside the network, so disabling authentication is not an option.

Thanks
biboun
Posts: 9
Joined: Sat Jan 04, 2014 3:45 pm

Re: AutoLogin via link or hash ?

Post by biboun »

No one knows , not possible ? :lol:

cheers
jonathancnewcomb
Posts: 38
Joined: Tue Sep 18, 2012 2:00 pm

Re: AutoLogin via link or hash ?

Post by jonathancnewcomb »

I would give this a try (not going to promise anything because I have not tested and I do not have a sandbox zoneminder box). But... create a user with read-only access to events first, something complex as it will be embedded in the URL. Then change the following in the "Options"

Under System:
change AUTH_TYPE from "builtin" to "remote"

Then you can pass the authentication to the web browser itself using a link : http://[username]:[password]@[ip/dns]/zm/.....

If that doesn't work, try changing AUTH_RELAY from "hashed" to "plain" and rinse and repeat

[edit]

Please post if this solves your issue, someone else may find this helpful
biboun
Posts: 9
Joined: Sat Jan 04, 2014 3:45 pm

Re: AutoLogin via link or hash ?

Post by biboun »

Thanks a lot for the advice, it is only half a victory but I'll need to take more time to fully check.

After doing the steps you've described, using http://login/pass@ip/zm won't work.

After checking a bit of the PHP code, it sounds like http://ip/zm/index.php?username=###&password=#### is kinda working.

Kinda, because it seems to depend on the browser you use; it doesn't seem to work with Chrome (only the user is autofilled) while it looks OK on Firefox.

I'll need to check further, especially with the iPhone Safari browser (and play with the password save options); the goal is to have a path that can be browsed in a click, in the detection notification emails.

I'll keep you posted when I get something working.

Does anyone know how to generate a hashed password?
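
An added example, not part of the original posts: a link of the form index.php?username=...&password=... is written verbatim into the web server's access log (request line and Referer), so this script redacts those two parameters and reports which accounts need a password change. The log lines, host name and credentials below are constructed.

```python
import re
from urllib.parse import unquote_plus

# Query parameters that carry the login in the URL quoted in the post above.
SECRET_PARAMS = ("username", "password")
PARAM = re.compile(r'(?i)([?&](%s)=)([^&\s"]*)' % "|".join(SECRET_PARAMS))

# Constructed access-log lines (Apache "combined" format, documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jan/2014:15:45:01 +0100] "GET /zm/index.php?username=viewer'
    '&password=s3cr%21t&view=event&eid=1841 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [04/Jan/2014:15:45:02 +0100] "GET /zm/skins/classic/css/skin.css '
    'HTTP/1.1" 200 812 "http://cam.example/zm/index.php?username=viewer'
    '&password=s3cr%21t" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jan/2014:15:50:00 +0100] "GET /zm/index.php?view=console '
    'HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]


def scrub(lines):
    """Redact login parameters; return (clean_lines, usernames_to_rotate)."""
    clean, exposed = [], set()
    for line in lines:
        # Collect the login parameters on this line (request line or Referer).
        found = {m.group(2).lower(): unquote_plus(m.group(3))
                 for m in PARAM.finditer(line)}
        if "password" in found:
            # The password was logged in clear text: that account must be rotated.
            exposed.add(found.get("username", "(unknown user)"))
        clean.append(PARAM.sub(r"\1REDACTED", line))
    return clean, exposed


if __name__ == "__main__":
    cleaned, accounts = scrub(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("rotate passwords for:", sorted(accounts))
```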
jonathancnewcomb
Posts: 38
Joined: Tue Sep 18, 2012 2:00 pm

Re: AutoLogin via link or hash ?

Post by jonathancnewcomb »

Sorry for the delay, I did manage to get this working as requested in a VM on CentOS (Apache config should be OS independent). Here is how I was able to do it:

1. Disable authentication with zoneminder UI completely
2. Edit your apache configuration for zoneminder, CentOS path is /etc/httpd/conf.d/zoneminder.conf
- You should have 2 directory statements, the first should be for the zoneminder web root and the second for the cgi-bin folder
- Add the following directives in the first directory statement:

AuthType Basic
AuthName '[SOME NAME]'
AuthUserFile '/usr/share/zoneminder/www/.htaccess'
Require valid-user

Remove the Order and Allow from statements from that directive only, leave cgi-bin unchanged. Here is my configuration:

# The Zoneminder web interface has been disabled by default due to a small
# security issue in the default install.
#
# When using Zoneminder's own authentication, recorded CCTV images are
# accessible from the web directly without passing the authentication. This
# means any attacker could see your CCTV images without a password. In order
# to avoid this you can disable Zoneminder's authentication and configure
# standard Apache authentication (see the Apache documentation for details on
# this).
#
# If you still wish to use Zoneminder's own authentication, or have an
# internal site which needs no authentication, you need to delete the line
# marked below and restart Apache.

Alias /zm "/usr/share/zoneminder/www"
<Directory "/usr/share/zoneminder/www">
    Options -Indexes MultiViews FollowSymLinks
    AuthType Basic
    AuthName 'Test DVR'
    AuthUserFile '/usr/share/zoneminder/www/.htaccess'
    Require valid-user
    # The code unfortunately uses short tags in many places
    php_value short_open_tag 1
</Directory>

ScriptAlias /cgi-bin/zm "/usr/libexec/zoneminder/cgi-bin"
<Directory "/usr/libexec/zoneminder/cgi-bin">
    AllowOverride All
    Options +ExecCGI FollowSymLinks
    AddHandler cgi-script .pl .cgi
    Order allow,deny
    Allow from all
</Directory>

Make sure you save the configuration and exit the editor. DO NOT RESTART APACHE YET!!!

Run the command as root: htpasswd -c /usr/share/zoneminder/www/.htaccess admin
You will be prompted to enter a password; this command will create the initial user 'admin'

For every user you would like to append, omit the -c switch. For example, if I wanted to add user 'test' I would run the following:

htpasswd /usr/share/zoneminder/www/.htaccess test

Then enter that user's password. To then remove user 'test' run the command:

htpasswd -D /usr/share/zoneminder/www/.htaccess test


Once complete make sure you 'service httpd restart' on CentOS or 'service apache2 restart' on Debian. This method will also allow you to evaluate failed login attempts from the apache logs to use fail2ban to block unwanted source IPs if needed. Hope this helps
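
The failed-login review mentioned at the end of the post above, as an added example that is not part of the original thread: it counts HTTP Basic authentication failures per client from Apache error-log lines in both the 2.2 and 2.4 formats. The sample lines, addresses and threshold are constructed, and only IPv4 clients are parsed.

```python
import re
from collections import Counter

# Client field: Apache 2.4 appends ":port" to the address, 2.2 does not.
CLIENT = re.compile(r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
# mod_auth_basic rejection messages (2.4 prefixes them with AH01617/AH01618).
FAILURE = re.compile(
    r'user (?P<user>\S+?)(?:: authentication failure for "[^"]*": Password Mismatch'
    r"| not found: )"
)

# Constructed error-log lines; 2.2 and 2.4 styles are mixed to exercise both.
SAMPLE_LOG = [
    '[Sat Jan 04 15:45:01 2014] [error] [client 203.0.113.5] user admin: '
    'authentication failure for "/zm/": Password Mismatch',
    '[Sat Jan 04 15:45:03 2014] [error] [client 203.0.113.5] user root not found: /zm/',
    '[Sat Jan 04 15:45:04.120000 2014] [auth_basic:error] [pid 2211] '
    '[client 203.0.113.5:51234] AH01617: user admin: authentication failure '
    'for "/zm/index.php": Password Mismatch',
    '[Sat Jan 04 15:46:10 2014] [error] [client 198.51.100.7] user test: '
    'authentication failure for "/zm/": Password Mismatch',
    '[Sat Jan 04 15:47:00 2014] [error] [client 198.51.100.7] File does not exist: '
    '/usr/share/zoneminder/www/favicon.ico',
]


def failed_logins(lines, threshold=3):
    """Return [(ip, failures, users_tried)] for clients at or over threshold."""
    counts, users = Counter(), {}
    for line in lines:
        client, failure = CLIENT.search(line), FAILURE.search(line)
        if not (client and failure):
            continue  # not an authentication failure
        ip = client.group("ip")
        counts[ip] += 1
        users.setdefault(ip, set()).add(failure.group("user"))
    return [(ip, n, sorted(users[ip]))
            for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n, tried in failed_logins(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins, users tried: {', '.join(tried)}")
```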
biboun
Posts: 9
Joined: Sat Jan 04, 2014 3:45 pm

Re: AutoLogin via link or hash ?

Post by biboun »

Thanks, I'll try that. Does that remove the ability to give different access rights to different users?
jonathancnewcomb
Posts: 38
Joined: Tue Sep 18, 2012 2:00 pm

Re: AutoLogin via link or hash ?

Post by jonathancnewcomb »

Well, therein lies the rub. Zoneminder specifically says it can receive passed authentication tokens from http basic auth, however, it does not appear to be the case. Still digging into that one to be honest. I will let you know what I find out, but at this point it will not have the ability to handle permissions, it will be a full or nothing type of access.
biboun
Posts: 9
Joined: Sat Jan 04, 2014 3:45 pm

Re: AutoLogin via link or hash ?

Post by biboun »

Hey thanks, I've finally had a bit of time to try this, and it works quite as expected; even if iOS takes links with login:pass @ ip for phishing, it is much better than having to enter the pass manually.

I can also confirm that when using the htaccess system, the access levels are not respected anymore, so any granted access is admin. Not a big problem for simple home usage (need to educate your wife not to go in the options menu :) )
CeruleanShine
Posts: 2
Joined: Mon Jun 22, 2020 5:08 am

Re: AutoLogin via link or hash ?

Post by CeruleanShine »

Here is a PHP script to login to ZoneMinder https://github.com/DarrellDuane/zm-logi ... ts-example