AMT Manager now configures randomized MPS passwords.

This commit is contained in:
Ylian Saint-Hilaire 2020-10-24 23:34:00 -07:00
parent fd62427bec
commit 06cb618b9c
4 changed files with 32 additions and 17 deletions


@ -614,14 +614,15 @@ module.exports.CreateAmtManager = function (parent) {
// Check if anything changes
if (device.intelamt == null) { device.intelamt = {}; }
if (dev.aquired.version && (typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); }
if (dev.aquired.user && (typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); }
if (dev.aquired.pass && (typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); }
if (dev.aquired.host && (typeof dev.aquired.host == 'string') && (dev.aquired.host != device.host)) { change = 1; log = 1; device.host = dev.aquired.host; changes.push('host'); }
if (dev.aquired.realm && (typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); }
if (dev.aquired.hash && (typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); }
if (dev.aquired.tls && (typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
if ((dev.aquired.state != null) && (typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); }
if ((typeof dev.aquired.version == 'string') && (dev.aquired.version != device.intelamt.ver)) { change = 1; log = 1; device.intelamt.ver = dev.aquired.version; changes.push('AMT version'); }
if ((typeof dev.aquired.user == 'string') && (dev.aquired.user != device.intelamt.user)) { change = 1; log = 1; device.intelamt.user = dev.aquired.user; changes.push('AMT user'); }
if ((typeof dev.aquired.pass == 'string') && (dev.aquired.pass != device.intelamt.pass)) { change = 1; log = 1; device.intelamt.pass = dev.aquired.pass; changes.push('AMT pass'); }
if ((typeof dev.aquired.mpspass == 'string') && (dev.aquired.mpspass != device.intelamt.mpspass)) { change = 1; log = 1; device.intelamt.mpspass = dev.aquired.mpspass; changes.push('AMT MPS pass'); }
if ((typeof dev.aquired.host == 'string') && (dev.aquired.host != device.host)) { change = 1; log = 1; device.host = dev.aquired.host; changes.push('host'); }
if ((typeof dev.aquired.realm == 'string') && (dev.aquired.realm != device.intelamt.realm)) { change = 1; log = 1; device.intelamt.realm = dev.aquired.realm; changes.push('AMT realm'); }
if ((typeof dev.aquired.hash == 'string') && (dev.aquired.hash != device.intelamt.hash)) { change = 1; log = 1; device.intelamt.hash = dev.aquired.hash; changes.push('AMT hash'); }
if ((typeof dev.aquired.tls == 'number') && (dev.aquired.tls != device.intelamt.tls)) { change = 1; log = 1; device.intelamt.tls = dev.aquired.tls; changes.push('AMT TLS'); }
if ((typeof dev.aquired.state == 'number') && (dev.aquired.state != device.intelamt.state)) { change = 1; log = 1; device.intelamt.state = dev.aquired.state; changes.push('AMT state'); }
// Intel AMT Warning Flags: 1 = Unknown credentials, 2 = Realm Mismatch, 4 = TLS Cert Mismatch
if ((typeof dev.aquired.warn == 'number')) { if ((dev.aquired.warn == 0) && (device.intelamt.warn != null)) { delete device.intelamt.warn; change = 1; } else if (dev.aquired.warn != device.intelamt.warn) { device.intelamt.warn = dev.aquired.warn; change = 1; } }
@ -1165,6 +1166,7 @@ module.exports.CreateAmtManager = function (parent) {
var serverNameSplit = dev.cira.mpsName.split('.');
dev.cira.mpsPort = ((parent.args.mpsaliasport != null) ? parent.args.mpsaliasport : parent.args.mpsport);
dev.cira.mpsAddressFormat = 201; // 201 = FQDN, 3 = IPv4
dev.cira.mpsPass = getRandomAmtPassword();
if ((serverNameSplit.length == 4) && (parseInt(serverNameSplit[0]) == serverNameSplit[0]) && (parseInt(serverNameSplit[1]) == serverNameSplit[1]) && (parseInt(serverNameSplit[2]) == serverNameSplit[2]) && (parseInt(serverNameSplit[3]) == serverNameSplit[3])) { dev.cira.mpsAddressFormat = 3; }
// Check if our server is already present
@ -1207,7 +1209,7 @@ module.exports.CreateAmtManager = function (parent) {
function addMpsServer(dev) {
// Add the MPS server if not present
if (dev.cira.mpsPresent == null) {
dev.amtstack.AMT_RemoteAccessService_AddMpServer(dev.cira.mpsName, dev.cira.mpsAddressFormat, dev.cira.mpsPort, 2, null, dev.cira.meshidx, 'P@ssw0rd', dev.cira.mpsName, function (stack, name, response, status) {
dev.amtstack.AMT_RemoteAccessService_AddMpServer(dev.cira.mpsName, dev.cira.mpsAddressFormat, dev.cira.mpsPort, 2, null, dev.cira.meshidx, dev.cira.mpsPass, dev.cira.mpsName, function (stack, name, response, status) {
const dev = stack.dev;
if (isAmtDeviceValid(dev) == false) return; // Device no longer exists, ignore this request.
if (status != 200) { dev.consoleMsg("Failed to create new MPS server (" + status + ")."); removeAmtDevice(dev); return; }
@ -1215,6 +1217,10 @@ module.exports.CreateAmtManager = function (parent) {
dev.cira.mpsPresent = getItem(response.Body.MpServer.ReferenceParameters.SelectorSet.Selector, '@Name', 'Name').Value;
dev.consoleMsg("Created new MPS server.");
addMpsPolicy(dev);
// Update the device with the MPS password
dev.aquired.mpspass = dev.cira.mpsPass;
UpdateDevice(dev);
});
} else {
// MPS server is present, check MPS trigger policy
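Review bot: The freshly generated `dev.cira.mpsPass` is only pushed to the device and persisted (`dev.aquired.mpspass = dev.cira.mpsPass; UpdateDevice(dev);`) inside the AddMpServer success callback; on the else branch where an MPS server is already present, the random value assigned earlier in this section is discarded and the device keeps whatever password it was provisioned with, which for devices set up by the previous code is the fixed 'P@ssw0rd' string removed here. If the intent is to migrate existing devices, the present-branch needs to detect a missing or unknown stored MPS password and re-provision; otherwise a comment stating that only newly added MPS entries receive a random password would make the limitation explicit. `getRandomAmtPassword` is not in this diff, so I could not confirm it draws from a cryptographic source such as Node's `crypto.randomBytes` rather than `Math.random`; worth checking since the value gates CIRA access. The enclosing functions start and end outside these hunks.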

11
db.js

@ -276,7 +276,7 @@ module.exports.CreateDB = function (parent, func) {
function performTypedRecordEncrypt(data) {
if (obj.dbRecordsEncryptKey == null) return data;
if (data.type == 'user') { return performPartialRecordEncrypt(Clone(data), ['otpkeys', 'otphkeys', 'otpsecret', 'salt', 'hash', 'oldpasswords']); }
else if ((data.type == 'node') && (data.intelamt != null)) { var xdata = Clone(data); xdata.intelamt = performPartialRecordEncrypt(xdata.intelamt, ['user', 'pass']); return xdata; }
else if ((data.type == 'node') && (data.intelamt != null)) { var xdata = Clone(data); xdata.intelamt = performPartialRecordEncrypt(xdata.intelamt, ['user', 'pass', 'mpspass']); return xdata; }
else if ((data.type == 'mesh') && (data.amt != null)) { var xdata = Clone(data); xdata.amt = performPartialRecordEncrypt(xdata.amt, ['password']); return xdata; }
return data;
}
@ -1566,7 +1566,10 @@ module.exports.CreateDB = function (parent, func) {
function dbNodeChange(nodeChange, added) {
common.unEscapeLinksFieldName(nodeChange.fullDocument);
const node = nodeChange.fullDocument;
if (node.intelamt && node.intelamt.pass) { delete node.intelamt.pass; } // Remove the Intel AMT password before eventing this.
if (node.intelamt != null) { // Remove the Intel AMT password and MPS password before eventing this.
if (node.intelamt.pass != null) { node.intelamt.pass = 1; }
if (node.intelamt.mpspass != null) { node.intelamt.mpspass = 1; }
}
parent.DispatchEvent(['*', node.meshid], obj, { etype: 'node', action: (added ? 'addnode' : 'changenode'), node: node, nodeid: node._id, domain: node.domain, nolog: 1 });
}
@ -1587,7 +1590,9 @@ module.exports.CreateDB = function (parent, func) {
mesh.nolog = 1;
delete mesh.type;
delete mesh._id;
if (mesh.amt) { delete mesh.amt.password; } // Remove the Intel AMT password if present
if (mesh.amt != null) {
if (delete mesh.amt.password != null) { mesh.amt.password = 1; } // Remove the Intel AMT password if present
}
parent.DispatchEvent(['*', mesh.meshid], obj, mesh);
}
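Review bot: `if (delete mesh.amt.password != null)` in the mesh-event hunk is a stray `delete`: the expression evaluates to `true != null`, so the branch is taken whether or not a password exists, and every mesh that has an `amt` object is dispatched with `password: 1`, unlike dbNodeChange above which only sets the marker when a value was present. The condition should read `if (mesh.amt.password != null) { mesh.amt.password = 1; } // Remove the Intel AMT password if present`. The enclosing function starts outside the hunk.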


@ -674,7 +674,10 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
delete docs[i].meshid;
// Remove Intel AMT credential if present
if (docs[i].intelamt != null && docs[i].intelamt.pass != null) { delete docs[i].intelamt.pass; }
if (docs[i].intelamt != null) {
if (docs[i].intelamt.pass != null) { docs[i].intelamt.pass = 1; }
if (docs[i].intelamt.mpspass != null) { docs[i].intelamt.mpspass = 1; }
}
// If GeoLocation not enabled, remove any node location information
if (domain.geolocation != true) {
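Review bot: The literal `1` assigned to `docs[i].intelamt.pass` and `docs[i].intelamt.mpspass` is an undocumented sentinel; a reader cannot tell from the code that it means "credential is set, value withheld" rather than a real value. A comment such as `// 1 = credential present but redacted; the real value must never reach clients` on the first of these lines would make the contract explicit; the same marker is introduced in db.js dbNodeChange and in webserver.js CloneSafeNode/CloneSafeMesh and the comment belongs at each. Consumers that previously tested `intelamt.pass != null` or `typeof intelamt.pass == 'string'` now see a number instead of absence; that is presumably intended so the UI can show that a credential exists, but it is worth confirming against callers. The enclosing loop starts and ends outside the hunk.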


@ -5899,10 +5899,11 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
obj.CloneSafeNode = function (node) {
if (typeof node != 'object') { return node; }
var r = node;
if (r.intelamt && r.intelamt.pass) {
if ((r.intelamt != null) && ((r.intelamt.pass != null) || (r.intelamt.mpspass != null))) {
r = Object.assign({}, r); // Shallow clone
r.intelamt = Object.assign({}, r.intelamt); // Shallow clone
delete r.intelamt.pass; // Remove the Intel AMT password from the node
if (r.intelamt.pass != null) { r.intelamt.pass = 1; }; // Remove the Intel AMT administrator password from the node
if (r.intelamt.mpspass != null) { r.intelamt.mpspass = 1; }; // Remove the Intel AMT MPS password from the node
}
return r;
}
@ -5911,10 +5912,10 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
obj.CloneSafeMesh = function (mesh) {
if (typeof mesh != 'object') { return mesh; }
var r = mesh;
if (r.amt && r.amt.password) {
if ((r.amt != null) && (r.amt.password != null)) {
r = Object.assign({}, r); // Shallow clone
r.amt = Object.assign({}, r.amt); // Shallow clone
delete r.amt.password; // Remove the Intel AMT password from the policy
if (r.amt.password != null) { r.amt.password = 1; } // Remove the Intel AMT password from the policy
}
return r;
}
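Review bot: The two `};` terminators after the new `if` blocks in CloneSafeNode leave stray empty statements; drop the trailing semicolons so the lines read `if (r.intelamt.pass != null) { r.intelamt.pass = 1; } // Remove the Intel AMT administrator password from the node` and likewise for `mpspass`. In CloneSafeMesh the inner `if (r.amt.password != null)` repeats the outer guard two lines above, so the assignment can be unconditional: `r.amt.password = 1; // Remove the Intel AMT password from the policy`. Both functions still share `r`'s other nested objects with the caller after the shallow clones, which is pre-existing and acceptable as long as only `intelamt`/`amt` are mutated.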