This commit is contained in:
Ylian Saint-Hilaire 2022-07-19 15:46:34 -07:00
commit 2894b362ac
17 changed files with 575 additions and 27 deletions

489
.vscode/settings.json vendored Normal file

@ -0,0 +1,489 @@
{
"cSpell.words": [
"abcdf",
"accountid",
"actiontype",
"adddevicegroup",
"adddeviceuser",
"adddomain",
"addmeshuser",
"addtousergroup",
"adduser",
"addusergroup",
"addusertodevice",
"addusertodevicegroup",
"addusertousergroup",
"adminaccount",
"adminname",
"agentallowedip",
"agentblockedip",
"agentconfig",
"agentconsole",
"agentcustomization",
"agentdownload",
"agenterrorlogs",
"agentidletimeout",
"agentkey",
"agentnoproxy",
"agenttype",
"agentupdateblocksize",
"agentupdatetest",
"agentwscompression",
"aliasport",
"allevents",
"allowaccountreset",
"alreadyinstalled",
"amtacmactivation",
"amtmanager",
"amtoff",
"amton",
"amtonly",
"amtreset",
"amtscanner",
"apikey",
"appmetrics",
"ashx",
"atag",
"authcookie",
"authenticode",
"authlog",
"authlogfile",
"Authn",
"autofido",
"awsrds",
"backgroundonly",
"backupcode",
"backuppath",
"callbackurl",
"ccmp",
"certfiles",
"certpfx",
"certpfxpass",
"certurl",
"cfile",
"changedevice",
"changenode",
"chatnotify",
"CIRA",
"ciralocalfqdn",
"ckey",
"clearpower",
"clientid",
"clientsecret",
"cmds",
"companyname",
"configfile",
"configfiles",
"configkey",
"connectionstring",
"cookieipcheck",
"cookiesamesite",
"coolofftime",
"coredumps",
"createaccount",
"createmesh",
"createusergroup",
"crowdsec",
"crypted",
"cscli",
"cuser",
"datapath",
"datastr",
"dbconfig",
"dbencryptkey",
"dbexport",
"dbexportmin",
"dbimport",
"dblistconfigfiles",
"dbmerge",
"dbpullconfigfiles",
"dbpulldatafiles",
"dbpushconfigfiles",
"dbshowconfigfile",
"defaultuserwebstate",
"deletedefaultdomain",
"deletedomain",
"deletemesh",
"deleteuser",
"deleteusergroup",
"desktopnotify",
"desktopprivacybar",
"desktopprompt",
"desktopviewonly",
"deviceid",
"deviceinfo",
"deviceinfocount",
"devicemessage",
"deviceopenurl",
"devicepower",
"devicesharing",
"devicetoast",
"devid",
"displayname",
"dnssuffix",
"domaindefaults",
"domainid",
"dont",
"dumpcores",
"editdevice",
"editdevicegroup",
"editgroup",
"editmesh",
"edituser",
"emailexists",
"emailverified",
"entityid",
"errlogpath",
"esversion",
"etype",
"eventlogger",
"exactport",
"exactports",
"extractall",
"extralinks",
"fastcert",
"fileaccess",
"filenotify",
"fileprompt",
"filespath",
"filteredusers",
"filterid",
"firebaserelay",
"forceduserwebstate",
"fullrights",
"fullscreen",
"gatewaymac",
"generateinvitelink",
"getnetworkinfo",
"getsysinfo",
"getwspass",
"groupid",
"guestname",
"hashpass",
"hashpasssplit",
"hashpassword",
"Hilaire",
"httpheaders",
"idexists",
"idhex",
"idpurl",
"iframe",
"ignoreagenthashcheck",
"indexagenterrorlog",
"indexmcrec",
"installtext",
"intelamt",
"interactiveonly",
"interuser",
"invitecodes",
"ipkvm",
"iplayer",
"ipranges",
"Jitsi",
"jumpcloud",
"keyfile",
"lanonly",
"LAPI",
"lastaddr",
"lastconnect",
"ldapauth",
"ldapoptions",
"ldapuserbinarykey",
"ldapuseremail",
"ldapusername",
"ldapusers",
"leok",
"letsencrypt",
"limiteddesktop",
"limitedevents",
"Linaro",
"listdevicegroups",
"listdevices",
"listdomains",
"listevents",
"listusergroups",
"listuserids",
"listusers",
"listusersessions",
"listusersofdevicegroup",
"loadconfigfromdb",
"localfile",
"localpath",
"localurl",
"lockagentdownload",
"locksettings",
"logindomain",
"loginfooter",
"loginkey",
"loginkeyfile",
"loginpass",
"logintoken",
"logintokengen",
"logintokenkey",
"logintokens",
"loginuser",
"logouturl",
"mailserver",
"mailtokengen",
"maintenancemode",
"managedevices",
"manageusers",
"maxfidokeys",
"maxlen",
"mcpath",
"mcrdesktop",
"mcrec",
"mcrfiles",
"Mebx",
"meshadmin",
"meshagent",
"meshagents",
"meshauth",
"meshcentral",
"meshcmd",
"meshcore",
"meshctrl",
"mesherrors",
"meshid",
"meshidname",
"meshmail",
"meshname",
"meshquota",
"meshrelay",
"meshrights",
"meshscanner",
"meshtype",
"Messagebox",
"Messenging",
"minfo",
"minifyall",
"minifycore",
"mongodbcol",
"moutput",
"movetodevicegroup",
"mpsaliasport",
"mpscert",
"mpsdebug",
"mpsport",
"mpsserver",
"mqttbroker",
"MSCHA",
"mstsc",
"multiresponse",
"myaccountname",
"mypassword",
"nameexists",
"nedbtodb",
"netif",
"newaccountemaildomains",
"newaccountname",
"newaccounts",
"newaccountspass",
"newaccountsrights",
"newgroupname",
"newobj",
"newpassword",
"noagentupdate",
"noamt",
"noauth",
"noav",
"nodeconnect",
"nodecount",
"nodeid",
"nodeids",
"nodeinfo",
"nodepath",
"nodewindows",
"nofiles",
"nofirewall",
"nonalpha",
"nonewgroups",
"noterminal",
"notools",
"nousers",
"novnc",
"npmpath",
"npmproxy",
"npmtag",
"ODELAY",
"offloader",
"oidc",
"openurl",
"orphanagentuser",
"osdesc",
"osinfo",
"otphkeys",
"otpkeys",
"otpsecret",
"parentpath",
"passwordrequirements",
"PKCK",
"plivo",
"plusplus",
"poweraction",
"powerevents",
"publicid",
"randompass",
"rauth",
"rawdata",
"rcookie",
"realname",
"recordpath",
"redir",
"rediraliasport",
"redirections",
"redirport",
"redirserver",
"relaydns",
"relayport",
"remotecontrol",
"remotefile",
"remotepath",
"removeallusersfromusergroup",
"removedevicegroup",
"removedomain",
"removefromdomain",
"removefromusergroup",
"removemeshuser",
"removesubdomain",
"removetestagents",
"removeuser",
"removeuserfromdevice",
"removeuserfromdevicegroup",
"removeuserfromusergroup",
"removeusergroup",
"resetaccount",
"resetpass",
"responseid",
"rightsstr",
"rname",
"rnamel",
"runasuser",
"runasuseronly",
"runcommand",
"runcommands",
"runmode",
"runonservererror",
"runonserverupdated",
"selfupdate",
"senderid",
"sendgrid",
"sendinviteemail",
"serverfiles",
"serverid",
"serverinfo",
"serverkey",
"serverupdate",
"servicename",
"servicepath",
"sessionkey",
"sessionrecording",
"sessiontime",
"settodomain",
"shareid",
"showall",
"showallmeshes",
"showevents",
"showiplocations",
"showitem",
"showmeshes",
"shownodes",
"showpower",
"showsmbios",
"showusergroups",
"showusers",
"siteadmin",
"sitestyle",
"smsserver",
"specificupdate",
"splitip",
"srights",
"ssid",
"sspi",
"startack",
"statsevents",
"Strs",
"subdir",
"swarmallowedip",
"swarmport",
"swarmserver",
"sysinfo",
"syslogauth",
"syslogjson",
"syslogtcp",
"telnyx",
"tenantid",
"terminalnotify",
"terminalprompt",
"termsize",
"titlepicture",
"tkip",
"tlscertcheck",
"tlsoffload",
"tlsrootcert",
"tlsstrict",
"tokenrequired",
"translateall",
"translationpath",
"trustedcert",
"trustedproxy",
"TTLS",
"tunnelws",
"tunnelwsstate",
"tzoffset",
"ugroup",
"ugroups",
"ugrp",
"ugrpid",
"uicustomevent",
"unadmin",
"unsealkey",
"uploadack",
"uploaderror",
"uploadstart",
"useid",
"userallowedip",
"userblockedip",
"userbroadcast",
"userconsentflags",
"usercount",
"usergroups",
"userid",
"userids",
"usernameisemail",
"userquota",
"Usersessionidletimeout",
"vaultpullconfigfiles",
"vaultpushconfigfiles",
"verifyemail",
"viewonly",
"wakedevices",
"wanonly",
"webemailspath",
"webpublicpath",
"webpush",
"webrelayserver",
"webrtc",
"webrtconfig",
"webviewspath",
"welcomepicture",
"welcometext",
"winservice",
"wscompression",
"wssessioncount",
"wssessions",
"xdomains",
"xenv",
"xinstall",
"xjslint",
"xmeshes",
"xpad",
"xrestart",
"xuninstall",
"xxprocess",
"xxurl",
"xxxprocess",
"Ylian",
"yubikey"
]
}


@ -106,7 +106,7 @@ module.exports.random = function (max) {
return r;
};
// Split a comma seperated string, ignoring commas in quotes.
// Split a comma separated string, ignoring commas in quotes.
module.exports.quoteSplit = function (str) {
var tmp = '', quote = 0, result = [];
for (var i in str) { if (str[i] == '"') { quote = (quote + 1) % 2; } if ((str[i] == ',') && (quote == 0)) { tmp = tmp.trim(); result.push(tmp); tmp = ''; } else { tmp += str[i]; } }
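Review bot: The loop on the last context line of this hunk iterates the input with `for (var i in str)`, which enumerates property names of the string (as strings) rather than its characters and would also visit any enumerable property someone adds to `String.prototype`, so the split result could silently change. A counted loop keeps the same per-code-unit behaviour without that exposure: `for (var i = 0; i < str.length; i++) { if (str[i] == '"') { quote = (quote + 1) % 2; } if ((str[i] == ',') && (quote == 0)) { tmp = tmp.trim(); result.push(tmp); tmp = ''; } else { tmp += str[i]; } }`. The body of quoteSplit continues past the end of the hunk, so the final push of the trailing field is not visible here; the comment fix above is the only line the commit changes.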


@ -113,7 +113,7 @@ See description for information about each item.
"agentSignLock": { "type": "boolean", "default": false, "description": "When code signing an agent using authenticode, lock the agent to only allow connection to this server. (This is in testing, the default value will change to true in the future)." },
"agentTimeStampServer": { "type": [ "boolean", "string" ], "default": "http://timestamp.comodoca.com/authenticode", "description": "The time stamping server to use when code signing Windows executables. When set to false, the executables are not time stamped." },
"agentTimeStampProxy": { "type": [ "boolean", "string" ], "description": "The HTTP proxy to use when contacting the time stamping server, if false, no proxy is used. By default, the npmproxy value is used." },
"ignoreAgentHashCheck": { "type": [ "boolean", "string" ], "default": false, "description": "When true, the agent no longer checked the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma seperated list of IP addresses to ignore, for example: \"192.168.2.100,192.168.1.0/24\"." },
"ignoreAgentHashCheck": { "type": [ "boolean", "string" ], "default": false, "description": "When true, the agent no longer checked the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma separated list of IP addresses to ignore, for example: \"192.168.2.100,192.168.1.0/24\"." },
"exactPorts": { "type": "boolean", "default": false, "description": "When set to true, MeshCentral will only grab the required TCP listening ports or fail. It will not try to use the next available port of it's busy." },
"allowLoginToken": { "type": "boolean", "default": false },
"StrictTransportSecurity": { "type": ["boolean", "string"], "default": null, "description": "Controls the Strict-Transport-Security header, default is 1 year. Set to false to remove, true to force enable, or string to set a custom value. If set to null, MeshCentral will enable if a trusted certificate is set." },
@ -206,7 +206,7 @@ See description for information about each item.
"type": "object",
"properties": {
"mongoDumpPath": { "type": "string" },
"mysqlDumpPath": { "type": "string"},
"mysqlDumpPath": { "type": "string" },
"backupIntervalHours": { "type": "integer" },
"keepLastDaysBackup": { "type": "integer" },
"zipPassword": { "type": "string" },
@ -257,6 +257,7 @@ See description for information about each item.
}
}
},
"rootCertCommonName" : { "type": "string", "default": "MeshCentralRoot-XXXXXX", "description": "The common name of the MeshCentral server root certificate. By default it's 'MeshCentralRoot-' followed by the first 6 HEX digits of the public key fingerprint. For this setting to take effect, all generated certificates need to be deleted and reset. Existing agents will not be able to connect anymore." },
"redirects": { "type": "object" },
"maxInvalidLogin": {
"type": "object",
@ -622,10 +623,18 @@ See description for information about each item.
"MaxSingleUserSessions": { "type": "integer", "default": null, "description": "Maximum number of sessions a single user can have. Each time a user opens a new browser tab or opens a new browser on a different computer, a new user session is created." }
}
},
"files": {
"type": "object",
"description": "Values that affect the files feature",
"properties": {
"sftpConnect" : { "type": "boolean", "default": true, "description": "When false, removes the 'SFTP Connect' button from the files tab unless this is the only possible option." }
}
},
"terminal": {
"type": "object",
"description": "Values that affect the terminal feature",
"properties": {
"sshConnect" : { "type": "boolean", "default": true, "description": "When false, removes the 'SSH Connect' button from the terminal tab unless this is the only possible option." },
"linuxShell": {
"type": "string",
"enum": [ "any", "root", "user", "login" ],
@ -643,7 +652,7 @@ See description for information about each item.
},
"desktop": {
"type": "object",
"description": "Values that affect the remote desktop feature",
"description": "Values that affect the desktop feature",
"properties": {
"viewonly": {
"type": "boolean",


@ -21,6 +21,12 @@ Make sure you understand how MeshCentral works with your browser using chrome de
"AgentWsCompression": false,
```
### Port Troubleshooting on server
If you're getting a `port 4433 is not available` error, this is because someone else is using this port, very likely another instance of MeshCentral. If your MeshCentral server is bound to ports 81/444 MeshCentral could not get port 80/443 and got the next available ones.
In general the problem is that you are running two MeshCentral instances at the same time. Probably one as a background Windows Service and one in the command line. Which ever instance can grab port 4433 will have a running MPS and CIRA should work, but the second instance will not have port 4433 and CIRA will not work.
### Enabling trace in your browser Dev Tools
`Trace=1` as a parameter in chrome dev tools for debugging
@ -215,3 +221,47 @@ Then open your browser to http://localhost:9999 or whatever port you used.
!!!note
If you pause the debugger, and happen to forget about it, the agent will automatically kill itself and restart because it will think that a thread is stuck. Default debugger timeout is 10 minutes, you may find a log entry saved to disk saying "Microstack Thread STUCK", or something similar.
### Troubleshooting Agent connectivity
If an agent keeps disconnecting and reconnecting, add this line to the "settings" section of the config.json:
```
"agentping": 30
```
This will cause MeshCentral to "ping" the agent every 30 seconds and the agent to respond with a "pong" each time. That usually solves the issue however, it does generate more traffic. If that works, you can remove the line and try this line instead:
```
"agentpong": 30
```
This will cause MeshCentral to "pong" the agent every 30 seconds, the agent will not respond. This usually fixes the issue, but you have half the traffic. I would also increase the time like:
```
"agentpong": 90
```
This is the best, you have one way traffic to all agents every 90 seconds. The larger the number you can get away with the better.
If you ever get the same problem but on the browser side, you can also use one of these:
```
"browserping": 30
"browserpong": 30
```
Same idea, browser side instead of agent side.
## Intel AMT
To debug issues, confirm that Intel AMT is active and there MeshCentral is not showing any red errors on the "Intel AMT" line:
![](images/amt_troubleshoot1.png)
Next, you can go in the "My Server / Trace" tab and enable tracing on the "Intel AMT Manager" like this:
![](images/amt_troubleshoot2.png)
You can then open another tab and select to power off or power on Intel AMT, you should see "performPowerAction" with 2 or 8 depending on power on/off.
![](images/amt_troubleshoot3.png)

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -89,15 +89,15 @@
"port": { "type": "integer", "minimum": 1, "maximum": 65535, "default": 443, "description": "Ths port of the main HTTPS server." },
"portBind": { "type": "string", "description": "When set, bind the HTTPS main port to a specific network address." },
"aliasPort": { "type": "integer", "minimum": 1, "maximum": 65535, "default": null, "description": "The actual main port as seen externally on the Internet, this setting is often used when a reverse-proxy is used." },
"redirPort": { "type": "integer", "minimum": 0, "maximum": 65535, "default": 80, "description": "This is a HTTP web server port that mostly redirects users to the HTTPS port but does provide some other servces, 0 will turn this port off." },
"redirPort": { "type": "integer", "minimum": 0, "maximum": 65535, "default": 80, "description": "This is a HTTP web server port that mostly redirects users to the HTTPS port but does provide some other services, 0 will turn this port off." },
"redirPortBind": { "type": "string", "description": "When set, bind the HTTP redirection port to a specific network address." },
"redirAliasPort": { "type": "integer", "minimum": 1, "maximum": 65535, "description": "The actual redirection port as seen externally on the Internet, this setting is often used when a reverse-proxy is used." },
"relayPort": { "type": "integer", "minimum": 0, "maximum": 65535, "default": 0, "description": "When set, a web relay web server is bound to this port and will allow user access to remote web sites." },
"relayAliasPort": { "type": "integer", "minimum": 1, "maximum": 65535, "default": null, "description": "The actual relay port as seen externally on the Internet, this setting is often used when a reverse-proxy is used." },
"relayDNS": { "type": "string", "default": null, "description": "When set, relayPort valie is ignored. Set this to a DNS name the points to this server. When the server is accessed using the DNS name, the main web server port is used as a web relay port." },
"relayDNS": { "type": "string", "default": null, "description": "When set, relayPort value is ignored. Set this to a DNS name the points to this server. When the server is accessed using the DNS name, the main web server port is used as a web relay port." },
"agentPort": { "type": "integer", "minimum": 1, "maximum": 65535, "description": "When set, enabled a new HTTPS server port that only accepts agent connections." },
"agentPortBind": { "type": "string", "description": "When set, binds the agent port to a specific network interface." },
"agentAliasPort": { "type": "integer", "minimum": 1, "maximum": 65535, "description": "When set, indicates the actual publically visible agent-only port. If not set, the AgentPort value is used." },
"agentAliasPort": { "type": "integer", "minimum": 1, "maximum": 65535, "description": "When set, indicates the actual publicly visible agent-only port. If not set, the AgentPort value is used." },
"agentAliasDNS": { "type": "string", "format": "hostname", "description": "When set, specified the DNS name used by agents to connect to the agent-only port." },
"agentPortTls": { "type": "boolean", "default": true, "description": "Indicates if the agent-only port must perform TLS, this should be set to false if TLS is performed in front of this server." },
"agentLogDump": { "type": "boolean", "default": false, "description": "Automatically downloads all agent error logs into meshcentral-data/agenterrorlogs.txt." },
@ -106,7 +106,7 @@
"agentSignLock": { "type": "boolean", "default": false, "description": "When code signing an agent using authenticode, lock the agent to only allow connection to this server. (This is in testing, the default value will change to true in the future)." },
"agentTimeStampServer": { "type": [ "boolean", "string" ], "default": "http://timestamp.comodoca.com/authenticode", "description": "The time stamping server to use when code signing Windows executables. When set to false, the executables are not time stamped." },
"agentTimeStampProxy": { "type": [ "boolean", "string" ], "description": "The HTTP proxy to use when contacting the time stamping server, if false, no proxy is used. By default, the npmproxy value is used." },
"ignoreAgentHashCheck": { "type": [ "boolean", "string" ], "default": false, "description": "When true, the agent no longer checked the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma seperated list of IP addresses to ignore, for example: \"192.168.2.100,192.168.1.0/24\"." },
"ignoreAgentHashCheck": { "type": [ "boolean", "string" ], "default": false, "description": "When true, the agent no longer checked the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma separated list of IP addresses to ignore, for example: \"192.168.2.100,192.168.1.0/24\"." },
"exactPorts": { "type": "boolean", "default": false, "description": "When set to true, MeshCentral will only grab the required TCP listening ports or fail. It will not try to use the next available port of it's busy." },
"allowLoginToken": { "type": "boolean", "default": false },
"StrictTransportSecurity": { "type": ["boolean", "string"], "default": null, "description": "Controls the Strict-Transport-Security header, default is 1 year. Set to false to remove, true to force enable, or string to set a custom value. If set to null, MeshCentral will enable if a trusted certificate is set." },
@ -116,7 +116,7 @@
"webRTC": { "type": "boolean", "default": false, "description": "When enabled, allows use of WebRTC to allow direct network traffic between the agent and browser." },
"nice404": { "type": "boolean", "default": true, "description": "By default, a nice looking 404 error page is displayed when needed. Set this to false to disable it." },
"selfUpdate": { "type": "boolean", "default": false, "description": "When true, this server will attempt to self-update everyday after midnight." },
"cleanNpmCacheOnUpdate": { "type": "boolean", "default": false, "description": "When true, run \"npm cache clean --force\" to reclame disk space." },
"cleanNpmCacheOnUpdate": { "type": "boolean", "default": false, "description": "When true, run \"npm cache clean --force\" to reclaim disk space." },
"browserPing": { "type": "integer", "minimum": 1, "description": "When specified, sends data to the browser at x seconds interval and expects a response from the browser." },
"browserPong": { "type": "integer", "minimum": 1, "description": "When specified, sends data to the browser at x seconds interval." },
"agentsInRam": { "type": "boolean", "default": false, "description": "Loads all agent binaries in RAM for faster agent updates." },
@ -159,7 +159,7 @@
"agentBlockedIP": { "type": [ "string", "array" ], "default": null, "description": "When set, agents from these denied IP address ranges will not be able to connect to the server. Example: \"192.168.2.100,192.168.1.0/24\"" },
"authLog": { "type": "string", "default": null, "description": "File path and name of the authentication log to be created. This log can be parsed by Fail2ban." },
"InterUserMessaging": { "type": "array", "uniqueItems": true, "items": { "type": "string" }, "description": "Users in this list are allowed to send and receive inter-user messages. This can be used to implement bots or other software where MeshCentral is used as data transport. See \"interuser\" websocket command in the code." },
"manageAllDeviceGroups": { "type": "array", "uniqueItems": true, "items": { "type": " string" }, "description": "Users in this list are allowed to see and manage all device groups within their domain." },
"manageAllDeviceGroups": { "type": "array", "uniqueItems": true, "items": { "type": "string" }, "description": "Users in this list are allowed to see and manage all device groups within their domain." },
"manageCrossDomain": { "type": "array", "uniqueItems": true, "items": { "type": "string" }, "description": "Users in this list are allowed to manage all users in all domains." },
"localDiscovery": {
"type": "object",
@ -371,7 +371,7 @@
"agentSelfGuestSharing": {
"type": [ "boolean", "object" ],
"default": false,
"description": "When set to true, MeshCentral Asssitant can create it's own guest sharing links.",
"description": "When set to true, MeshCentral Assistant can create it's own guest sharing links.",
"properties": {
"expire": { "type": "number", "description": "When set, limits the self-created guest sharing link to this number of minutes." }
}
@ -403,7 +403,7 @@
"name": { "type": "string", "description": "Name of the alternative messaging service, for example: \"Jitsi\" " },
"url": { "type": "string", "description": "URL to the alternative messaging services, for example: \"https://meet.jit.si/myserver-{0}\", for a device {0}, {1}, {2}, {3} is the device id. For a user, {0} is the userid, {1} is full userid with dashes, {2} is real name with no spaces, {3} is real name with dash instead of spaces." },
"localurl": { "type": "string", "description": "If specified, this is the URL that is used on the administrator side, for example: \"https://meet.jit.si/myserver-{0}\", for a device {0}, {1}, {2}, {3} is the device id. For a user, {0} is the userid, {1} is full userid with dashes, {2} is real name with no spaces, {3} is real name with dash instead of spaces." },
"type": { "type": "string", "enum": [null, "user", "device"], "default": null, "description": "Indicate if this button should be shown in the user or device type. If obmitted, it will be displayed in both." }
"type": { "type": "string", "enum": [null, "user", "device"], "default": null, "description": "Indicate if this button should be shown in the user or device type. If omitted, it will be displayed in both." }
},
"required": [ "name", "url" ]
}
@ -463,8 +463,8 @@
"type": [ "object", "boolean" ],
"additionalProperties": false,
"properties": {
"Backup": { "type": "boolean", "default": true, "description": "Allows administrators to backup the server from the My Server tab. This option can only enabled when the NeDB databse is in use. For other databases, this option disabled and the setting is ignored." },
"Restore": { "type": "boolean", "default": true, "description": "Allows administrators to restore the server from the My Server tab. This option can only enabled when the NeDB databse is in use. For other databases, this option disabled and the setting is ignored." },
"Backup": { "type": "boolean", "default": true, "description": "Allows administrators to backup the server from the My Server tab. This option can only enabled when the NeDB database is in use. For other databases, this option disabled and the setting is ignored." },
"Restore": { "type": "boolean", "default": true, "description": "Allows administrators to restore the server from the My Server tab. This option can only enabled when the NeDB database is in use. For other databases, this option disabled and the setting is ignored." },
"Upgrade": { "type": "boolean", "default": true, "description": "Allows administrators to update the server from the My Server tab." },
"ErrorLog": { "type": "boolean", "default": true, "description": "Allows administrators to see the server crash log the server from the My Server tab." },
"Console": { "type": "boolean", "default": true, "description": "Allows administrators to access the server console from the My Server tab." },
@ -683,7 +683,7 @@
"additionalProperties": false,
"description": "Information passed to the AMT manager module that impacts all Intel AMT device managed within this domain.",
"properties": {
"TlsConnections": { "type": "boolean", "default": true, "description": "When set to false, MeshCentral will use TLS to connect to Intel AMT, this is not recommanded." },
"TlsConnections": { "type": "boolean", "default": true, "description": "When set to false, MeshCentral will use TLS to connect to Intel AMT, this is not recommended." },
"TlsAcmActivation": { "type": "boolean", "default": false, "description": "When set to false, MeshCentral will not attempt a TLS ACM activation on Intel AMT v14+" },
"AdminAccounts": {
"description": "List of username and passwords to try when connecting to Intel AMT.",
@ -1020,7 +1020,7 @@
"properties": {
"clientId": { "type": "string" },
"clientSecret": { "type": "string" },
"refreshTfoken": { "type": "string" }
"refreshToken": { "type": "string" }
},
"required": [ "clientId", "clientSecret", "refreshToken" ]
},
@ -1167,7 +1167,7 @@
"email": { "type": "string", "format": "email", "description": "Email address of the administrator of this server. Make sure this is a valid email address otherwise the certificate request will fail." },
"names": { "type": "string" },
"skipChallengeVerification": { "type": "boolean", "default": false, "description": "By default, MeshCentral will perform a self-test to make sure HTTP port 80 can respond correctly before making a request to Let's Encrypt. In some cases, this self-test can't work and must be skipped." },
"production": { "type": "boolean", "default": false, "description": "By default a test certificate will be obtained from Let's Encrypt. Always start by getting a test certificate and make sure that works before setting this to true and obtaining a production certificaite. Making too many bad requests for a production certificate will get you banned for a long period of time." }
"production": { "type": "boolean", "default": false, "description": "By default a test certificate will be obtained from Let's Encrypt. Always start by getting a test certificate and make sure that works before setting this to true and obtaining a production certificate. Making too many bad requests for a production certificate will get you banned for a long period of time." }
},
"required": [ "email", "names" ]
},
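Review bot: In the `@ -106,7 +106,7` hunk of this section the corrected `ignoreAgentHashCheck` description still reads "the agent no longer checked the TLS certificate of the server" and calls the string form "a comma separated list of IP addresses", while its own example `192.168.1.0/24` is a CIDR range; because this option switches off the agent's verification of the server, the text should be precise about what it covers. Suggested wording for that description: `"When true, the agent no longer checks the TLS certificate of the server. This should be used for debugging only. You can also set this to a comma separated list of IP addresses or CIDR ranges to exempt, for example: \"192.168.2.100,192.168.1.0/24\"."` The same sentence is duplicated in the `@ -113,7 +113,7` hunk of the documentation section earlier in this commit (the one headed "See description for information about each item"), which presumably mirrors this schema and should be kept in step. This page does not show the file name, so the section is inferred to be the config schema from its content.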


@ -201,7 +201,7 @@ function CreateMeshCentralServer(config, args) {
// Check if translate.json is in the "meshcentral-data" folder, if so use that and translate default pages.
var translationFile = null, customTranslation = false;
if (require('fs').existsSync(obj.path.join(obj.datapath, 'translate.json'))) { translationFile = obj.path.join(obj.datapath, 'translate.json'); console.log("Using translate.json in meshentral-data."); customTranslation = true; }
if (require('fs').existsSync(obj.path.join(obj.datapath, 'translate.json'))) { translationFile = obj.path.join(obj.datapath, 'translate.json'); console.log("Using translate.json in meshcentral-data."); customTranslation = true; }
if (translationFile == null) { if (require('fs').existsSync(obj.path.join(__dirname, 'translate', 'translate.json'))) { translationFile = obj.path.join(__dirname, 'translate', 'translate.json'); console.log("Using default translate.json."); } }
if (translationFile == null) { console.log("Unable to find translate.json."); process.exit(); return; }
@ -369,7 +369,7 @@ function CreateMeshCentralServer(config, args) {
// Check if we need to install, start, stop, remove ourself as a background service
if (((obj.args.xinstall == true) || (obj.args.xuninstall == true) || (obj.args.start == true) || (obj.args.stop == true) || (obj.args.restart == true))) {
var env = [], xenv = ['user', 'port', 'aliasport', 'mpsport', 'mpsaliasport', 'redirport', 'exactport', 'rediraliasport', 'debug'];
for (i in xenv) { if (obj.args[xenv[i]] != null) { env.push({ name: 'mesh' + xenv[i], value: obj.args[xenv[i]] }); } } // Set some args as service environement variables.
for (i in xenv) { if (obj.args[xenv[i]] != null) { env.push({ name: 'mesh' + xenv[i], value: obj.args[xenv[i]] }); } } // Set some args as service environment variables.
var serviceFilePath = null;
if (obj.fs.existsSync(obj.path.join(servicepath, 'winservice.js'))) { serviceFilePath = obj.path.join(servicepath, 'winservice.js'); }
@ -757,7 +757,7 @@ function CreateMeshCentralServer(config, args) {
obj.syslogtcp.log("MeshCentral v" + getCurrentVersion() + " Server Start", obj.syslogtcp.LOG_INFO);
}
// Check top level configuration for any unreconized values
// Check top level configuration for any unrecognized values
if (config) { for (var i in config) { if ((typeof i == 'string') && (i.length > 0) && (i[0] != '_') && (['settings', 'domaindefaults', 'domains', 'configfiles', 'smtp', 'letsencrypt', 'peers', 'sms', 'sendgrid', 'sendmail', 'firebase', 'firebaserelay', '$schema'].indexOf(i) == -1)) { addServerWarning('Unrecognized configuration option \"' + i + '\".', 3, [ i ]); } } }
// Read IP lists from files if applicable
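Review bot: In the `@ -369,7 +369,7` hunk the corrected line `for (i in xenv) { ... }` does not declare its loop variable, and `xenv` is an array, so `for...in` iterates index names as strings and any enumerable additions to `Array.prototype`; the loop appears to rely on the `var i` that the later `@ -757,7 +757,7` hunk declares in the same function (`for (var i in config)`), since under strict mode an undeclared `i` would throw. A self-contained counted loop avoids both: `for (var j = 0; j < xenv.length; j++) { if (obj.args[xenv[j]] != null) { env.push({ name: 'mesh' + xenv[j], value: obj.args[xenv[j]] }); } } // Set some args as service environment variables.` CreateMeshCentralServer begins and ends outside every hunk of this section, so whether another `var i` shadows this one cannot be confirmed from the page.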


@ -318,7 +318,7 @@ if (args['_'].length == 0) {
console.log(" --id '[groupid]' - Device group identifier (or --group).");
}
console.log(" --group [groupname] - Device group name (or --id).");
console.log(" --hours [hours] - Validity period in hours or 0 for infinit.");
console.log(" --hours [hours] - Validity period in hours or 0 for infinite.");
console.log("\r\nOptional arguments:\r\n");
console.log(" --flags [mode] - Mode flag for link type (0 = both, 1 = interactive only, 2 = background only)");
break;
@ -398,7 +398,7 @@ if (args['_'].length == 0) {
console.log(" --group [groupname] - Filter by group name (or --id).");
console.log(" --count - Only return the device count.");
console.log(" --json - Show result as JSON.");
console.log(" --csv - Show result as comma seperated values.");
console.log(" --csv - Show result as comma separated values.");
console.log(" --filter \"[filter]\" - Filter devices using a filter string.");
console.log(" \"x\" - Devices with \"x\" in the name.");
console.log(" \"user:x or u:x\" - Devices with \"x\" in the name of currently logged in user.");
@ -469,7 +469,7 @@ if (args['_'].length == 0) {
console.log(" --resetpass - Request password reset on next login.");
console.log(" --realname [name] - Set the real name for this account.");
console.log(" --phone [number] - Set the account phone number.");
console.log(" --rights [none|full|a,b,c] - Comma seperated list of server permissions. Possible values:");
console.log(" --rights [none|full|a,b,c] - Comma separated list of server permissions. Possible values:");
console.log(" manageusers,backup,restore,update,fileaccess,locked,nonewgroups,notools,usergroups,recordings,locksettings,allevents");
break;
}
@ -486,7 +486,7 @@ if (args['_'].length == 0) {
console.log(" --resetpass - Request password reset on next login.");
console.log(" --realname [name] - Set the real name for this account.");
console.log(" --phone [number] - Set the account phone number.");
console.log(" --rights [none|full|a,b,c] - Comma seperated list of server permissions. Possible values:");
console.log(" --rights [none|full|a,b,c] - Comma separated list of server permissions. Possible values:");
console.log(" manageusers,backup,restore,update,fileaccess,locked,nonewgroups,notools,usergroups,recordings,locksettings,allevents");
break;
}
@ -627,7 +627,7 @@ if (args['_'].length == 0) {
console.log(" 16 = Terminal prompt for user consent.");
console.log(" 32 = Files prompt for user consent.");
console.log(" 64 = Desktop show connection toolbar.");
console.log(" --invitecodes [aa,bb] - Comma seperated list of invite codes, blank to clear.");
console.log(" --invitecodes [aa,bb] - Comma separated list of invite codes, blank to clear.");
console.log(" --backgroundonly - When used with invitecodes, set agent to only install in background.");
console.log(" --interactiveonly - When used with invitecodes, set agent to only run on demand.");
break;
@ -745,7 +745,7 @@ if (args['_'].length == 0) {
console.log("\r\nRequired arguments:\r\n");
console.log(" --msg [message] - Message to display.");
console.log("\r\nOptional arguments:\r\n");
console.log(" --user [userid] - Send the message to the speficied user.");
console.log(" --user [userid] - Send the message to the specified user.");
break;
}
case 'deviceinfo': {
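Review bot: The corrected help line `--hours [hours] - Validity period in hours or 0 for infinite.` still leaves the security consequence of `0` implicit: a validity period of 0 presumably yields a link that never expires, which is exactly the option an operator should be warned about before using it. I would make that explicit in the same string, e.g. `console.log("  --hours [hours]            - Validity period in hours, or 0 for a link that never expires.");`. The neighbouring `--flags` line indicates these links grant interactive and/or background device access, so a non-expiring one amounts to a standing credential; whether such a link can later be revoked is not visible in this hunk. The enclosing switch case starts outside the hunk.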


@ -1061,7 +1061,7 @@ v={name:"extKeyUsage"};Q("d11_cu4").checked&&(v.serverAuth=!0);Q("d11_cu5").chec
function GenerateKeyPairResponse4(b,c,a,d){200!=d?messagebox("Issue Certificate","Failed to generate key pair. Status: "+d):PullCertificates()}function certificateAdded(b,c,a,d){200!=d||0!=a.Body.ReturnValue?messagebox("Add Certificate","Unable to add certificate, error "+(200!=d?d:a.Body.ReturnValueStr)):PullCertificates()}function certificateRemoved(b,c,a,d){200!=d?messagebox("Remove Certificate","Unable to remove certificate, error "+d):PullCertificates()}
function getInputElement(b){var c=document.getElementsByTagName("input");for(t=0;t<c.length;t++)if(c[t].id==b)return c[t]}function getSelectElement(b){var c=document.getElementsByTagName("select");for(t=0;t<c.length;t++)if(c[t].id==b)return c[t]}
function showSetTlsSecurityDlg(b){if(!xxdialogMode){b="<div style=height:26px;margin-top:4px><select onchange=showSetTlsSecurityDlgUpdate() id=tlscert style=float:right;width:260px><option value=-1>No Certificate, TLS Disabled</option>";for(var c in xxCertificates)0==xxCertificates[c].TrustedRootCertficate&&xxCertificates[c].XPrivateKey&&(b+="<option value="+c+">"+xxCertificates[c].XSubject.CN+"</option>");b+="</select><div style=padding-top:4px>Certificate</div></div><div style=height:26px;margin-top:4px><select id=tlsremote style=float:right;width:260px onchange=showSetTlsSecurityDlgUpdate()><option value=0>Server-auth TLS only</option><option value=1>Server-auth, non-TLS allowed</option>";
b+="<option value=2>Mutual-auth TLS only</option><option value=3>Mutual-auth, non-TLS allowed</option>";b+='</select><div style=padding-top:4px>Security</div></div><div style=height:26px id=d11rcn title="Comma seperated list of certificate common names that will be allowed to connect remotely."><input id=d11_rcn style=float:right;width:260px onkeyup=showSetTlsSecurityDlgUpdate() placeholder="name1, name2"><div style=padding-top:4px>Remote CN\'s</div></div>';setDialogMode(11,"TLS Settings",3,showSetTlsSecurityDlgOk,
b+="<option value=2>Mutual-auth TLS only</option><option value=3>Mutual-auth, non-TLS allowed</option>";b+='</select><div style=padding-top:4px>Security</div></div><div style=height:26px id=d11rcn title="Comma separated list of certificate common names that will be allowed to connect remotely."><input id=d11_rcn style=float:right;width:260px onkeyup=showSetTlsSecurityDlgUpdate() placeholder="name1, name2"><div style=padding-top:4px>Remote CN\'s</div></div>';setDialogMode(11,"TLS Settings",3,showSetTlsSecurityDlgOk,
b);if(0==xxTLSCredentialContext.length||0==xxTlsSettings[0].Enabled||0==xxTlsSettings[1].Enabled)getSelectElement("tlscert").value=-1;else for(c in b=xxTLSCredentialContext[0].ElementInContext.ReferenceParameters.SelectorSet.Selector.Value,xxCertificates)xxCertificates[c].InstanceID==b&&(getSelectElement("tlscert").value=c);c=1-("Intel(r) AMT LMS TLS Settings"==xxTlsSettings[0].InstanceID?0:1);getSelectElement("tlsremote").value=(1==xxTlsSettings[c].MutualAuthentication?2:0)+(1==xxTlsSettings[c].AcceptNonSecureConnections?
1:0);xxTlsSettings[c].TrustedCN&&(Q("d11_rcn").value=MakeToArray(xxTlsSettings[c].TrustedCN).join(", "));showSetTlsSecurityDlgUpdate()}}function showSetTlsSecurityDlgUpdate(){var b=getSelectElement("tlscert").value;QE("tlsremote",-1!=b);QV("d11rcn",-1!=b&&1<getSelectElement("tlsremote").value);b=!0;1<getSelectElement("tlsremote").value&&!splitDomains(Q("d11_rcn").value)&&(b=!1);QE("c106",b)}var setTlsSecurityPendingCalls,setTlsSecurityDeleteCredentialContext;
function showSetTlsSecurityDlgOk(){var b=getSelectElement("tlscert").value,c=getSelectElement("tlsremote").value,a=Clone(xxTlsSettings);setTlsSecurityPendingCalls=0;setTlsSecurityDeleteCredentialContext=null;if(-1!=b){if(0<xxTLSCredentialContext.length){var d=Clone(xxTLSCredentialContext[0]);d.ElementInContext.ReferenceParameters.SelectorSet.Selector.Value=xxCertificates[b].InstanceID;amtstack.Put("AMT_TLSCredentialContext",d,setTlsSecurityResponse,0,1)}else amtstack.Create("AMT_TLSCredentialContext",