Authentication in OH2

Is OH2 really going to come out of beta without any authentication and require a reverse proxy???

I doubt it, it's something that's being looked into, I think. I've put up the instructions for nginx because it's a great way to get authentication running now. When/if authentication does come out directly, I still feel a reverse proxy and its alternative solution to auth/security will still be useful.

No, this is why I try to keep pushing Add support for conditional access based on user role · Issue #579 · eclipse-archived/smarthome · GitHub.

https://www.terramultimedia.de/cms/en/smarthome/openhab/121-securing-openhab

I’d definitely recommend these instructions instead:

http://docs.openhab.org/configuration/nginx.html

There are a couple of typos/settings on the website you suggested that will prevent openHAB from working properly. X-Forwarded-Scheme isn't a valid setting, proxy_buffering is still on etc…
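For reference, an added example (not taken from either linked site or from the openHAB project) of a minimal nginx configuration that reflects the two settings called out above and only accepts the basic-auth credentials over TLS. The hostname example.com, the certificate and htpasswd paths and the certbot webroot are assumptions.

```nginx
# Added example, not the openHAB docs' own config. Assumed values:
# example.com, the Let's Encrypt paths, /etc/nginx/.htpasswd, /var/www/letsencrypt.

server {
    listen 80;
    server_name example.com;

    # Let certbot's HTTP-01 renewal challenge through unauthenticated
    # (webroot assumed to match "certbot certonly --webroot -w /var/www/letsencrypt").
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Everything else goes to HTTPS so credentials never travel in clear text.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    # Certificate files as laid out by certbot (assumed paths).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Every request to openHAB must authenticate. Create the file with
    # "htpasswd -c /etc/nginx/.htpasswd <user>" (apache2-utils).
    auth_basic           "openHAB";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Conventional header carrying the original scheme; the post above
        # notes that X-Forwarded-Scheme does not work here.
        proxy_set_header X-Forwarded-Proto $scheme;
        # Buffering must be off or the UI's server-sent event stream is delayed.
        proxy_buffering off;
    }
}
```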

I am just wondering how the discussion and proposed PR in https://github.com/eclipse/smarthome/issues/579 will impact the usage of the iOS openHAB app.

As far as I understand things, opting for an nginx+certbot+basic HTTP authentication setup effectively means that only the Basic, Classic or other web-based GUI can be used, right?

Also, for me the only reason to use nginx is to facilitate the automatic certbot-driven certificate renewals, which is not that friendly/easy when directly integrating certbot-generated certificates in the jetty config of openHAB (Securing Openhab with free ssl Let's Encrypt Certificates and https://gist.github.com/jpmens/8029383, and SSL with OpenHAB2). Since certbot is a good initiative that we/anyone should support, we should maybe introduce a new servlet in openHAB to accommodate the automatic renewals. This sounds a lot like the OH1 "webapps" stuff which we no longer use in OH2 (well, static html can be put in conf/html but is not served through the hidden url / well-known).

There’s no reason why a reverse proxy can’t facilitate non-web based GUIs. It’s working well for me using HABDroid and the iOS app.

And also the only important reason for me. (Being able to connect using a sub-domain on my server without forwarding another port is a minor luxury).

Am I right in thinking from one of those links that if the key is part of a bundle then we'll also have to repack the letsencrypt key into a java keystore every time openHAB updates?

With the basic authentication enabled on nginx? Never tried it with the iOS app, but then I wonder how you input the userid/password? (Or is the iOS app that smart that it can leverage the user/pwd setting to use for the login on the nginx?)

I admit I do not fully understand why jetty.xml does not need to be updated, but in my update script I copy and then restore the keystore file every time the whole runtime is updated.

There's a place for it in the settings, which was originally used for HTTP authentication on openHAB 1.x; nginx uses HTTP authentication too, so the app shouldn't be aware of any difference.

Ok - that does confirm it. I actually never used it that way, was rather unaware that even the old OH1 used Basic Authentication - I thought the userid/pwd was something that was done out of band.

Hey guys.

Just sort of confirming/asking if this is still in development. If I open up port 8080 to my server at home, could anyone pointing to the correct web address access my info? Or has security already been implemented to create a user/password and I'm just not looking in the correct place for it?

To see the current status regarding authentication, watch https://github.com/eclipse/smarthome/pull/2359.

Don't open your installation to be world-accessible!!! There is no built-in authentication as of now, AFAIK.

I understand I should rather help than complain (sorry, my job already takes 11h of each day), but that (lack of security) likely is a major obstacle for many, as accessing your home remotely is one of the biggest perks of IoT. Setting up a reverse proxy is nothing that Uncle Joe is able to do; even I feel like "yuck, the effort to learn it, the time to set it up, the things that could go wrong".

Suggestion: Provide something simple and working now, and something more elaborate later.

Don't get me wrong: openHAB is a great piece of work, and I hope and think it will be the base of many home automation projects, a de-facto standard.

http://www.myopenhab.org/ is a good solution for many.

A good solution without the need to open any port.

Yes, I am also using myopenhab.org to access things remotely. The only ‘downfall’ is that you are depending on the 3rd party service being up and running. I haven’t had any issues with down time, but it is something you need to consider.

Thanks for the pointer! I prefer to not distribute private information though, hence cloud solutions (for anything) are not an option for me, especially “in these times”.

Understood! You could set up your own instance of openHAB Cloud, though, instead of using others’.

Of course, this is also difficult for Uncle Joe to do, like setting up nginx as a reverse proxy.

Thanks for your tips, and your persistence :slight_smile: Appreciated.

To provide some background: While I am not Uncle Joe (I am an IT professional), I find it pretty hard sometimes to find the time and muster the effort to deal with bread-and-butter things like auth when I feel that "just should be part of the package". I am enjoying tinkering with hardware and software, but I am having enough fun with misbehaving Arduinos and ESP8266 chips :wink: Probably the same is true for the good people building openHAB…