The password/security settings article mentioned on the page

#1

Not wanting to seem difficult, but......

This example configuration defines a single user called admin who has permission to do everything within the editor and has a password of password . Note that the password is securely hashed using the bcrypt algorithm.

Ok, that's for user admin - as stated.

It then goes on:

To generate a suitable password hash, you can use the node-red-admin command-line tool:

node-red-admin hash-pw

The tool will prompt you for the password you wish to use and then print out the hash that can be copied into the settings file.

Alternatively, you can run the following command from within the Node-RED install directory:

node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" your-password-here

Yeah, ok.

But where is the username?

Sorry if the answer is obvious, but I'm not seeing it.

Maybe the layout of how it is explained could be changed?

0 Likes

#2

That command is for generating a hashed password. You copy its output into the password field in your adminAuth setting, to go alongside the username you want to use.

The commands do not need to know what username you want to use with the password in order to hash it - so you don't have to provide it to them.

0 Likes

#3

Sorry, it was how I was reading it.

(Not wanting to be difficult....)

Alternatively, you can run the following command from within the Node-RED install directory:

Yeah, ok that saves the "cut/paste" but reading the command (and trying to understand what it is doing) I can't figure out how that command (not included here) knows where to put the hash.
Granted it is academic HOW it does it - at my level - but I'm trying to understand.

And I'm (now) taking it that I have to have made a new username entry in the settings.js file.

0 Likes

#4

The alternative doesn't do the cut/paste for you, or edit any file. It's just an alternative way to create the hash.

0 Likes

#5

OK.........

In the meantime, I tried the second option. This is what I got back:
(password replaced by *'s)

node -e "console.log(require('bcryptjs').hashSync(process.argv[1], 8));" ********
module.js:550
    throw err;
    ^

Error: Cannot find module 'bcryptjs'
    at Function.Module._resolveFilename (module.js:548:15)
    at Function.Module._load (module.js:475:25)
    at Module.require (module.js:597:17)
    at require (internal/module.js:11:18)
    at [eval]:1:13
    at ContextifyScript.Script.runInThisContext (vm.js:50:33)
    at Object.runInThisContext (vm.js:139:38)
    at Object.<anonymous> ([eval]-wrapper:6:22)
    at Module._compile (module.js:653:30)
    at evalScript (bootstrap_node.js:479:27)

And I also tried the first one:

Got this:

pi@TimePi:~/.node-red $ node-red-admin hash-pw
-bash: node-red-admin: command not found
pi@TimePi:~/.node-red $ 

(node-red 19.04)

0 Likes

#6

Did you follow the link to node-red-admin - that tells you how to install it.

https://nodered.org/docs/node-red-admin

For the alternative, did you do what it says?

Alternatively, you can run the following command from within the Node-RED install directory:

0 Likes

#7

W-e-l-l.....

This is what I read:

You must also ensure you properly secure Node-RED. At a bare minimum, you should enable adminAuth as described in the documentation.

That took me to the link (you know where).

There was no mention of https://nodered.org/docs/node-red-admin.

Sorry, but if that needs to be done FIRST, it should be declared/mentioned.

Shall go there now and see what happens.

Just mentioning how I read it, what I understood and what happened.

0 Likes

#8

This is what happens/d when I do that.

pi@TimePi:~/.node-red $ npm install -g node-red-admin
npm WARN deprecated bcrypt@0.8.7: bcrypt < v2.0.0 is susceptible to bcrypt wrap-around bug. Upgrade to bcrypt >= v2.0.0 for improved support for newer bcrypt hashes
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated hoek@2.16.3: The major version is no longer supported. Please update to 4.x or newer
npm WARN checkPermissions Missing write access to /usr/lib/node_modules
npm ERR! path /usr/lib/node_modules
npm ERR! code EACCES
npm ERR! errno -13
npm ERR! syscall access
npm ERR! Error: EACCES: permission denied, access '/usr/lib/node_modules'
npm ERR!  { Error: EACCES: permission denied, access '/usr/lib/node_modules'
npm ERR!   stack: 'Error: EACCES: permission denied, access \'/usr/lib/node_modules\'',
npm ERR!   errno: -13,
npm ERR!   code: 'EACCES',
npm ERR!   syscall: 'access',
npm ERR!   path: '/usr/lib/node_modules' }
npm ERR! 
npm ERR! The operation was rejected by your operating system.
npm ERR! It is likely you do not have the permissions to access this file as the current user
npm ERR! 
npm ERR! If you believe this might be a permissions issue, please double-check the
npm ERR! permissions of the file and its containing directories, or try running
npm ERR! the command again as root/Administrator (though this is not recommended).

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/pi/.npm/_logs/2018-10-05T07_21_19_429Z-debug.log
pi@TimePi:~/.node-red $ 

Shall post the log soon.

(in new post)

0 Likes

#9

You are right - it needs to be made more obvious. In the current text, node-red-admin is actually a link to the relevant page. Unfortunately the styling of the word hides that fact, so I can quite understand why you'd have missed it.

As for the error you hit when trying to install it...

So use sudo npm install -g node-red-admin

0 Likes

#10

Yeah, ok.

Indulge me.

Yes it does say that (as shown by the arrows) but it doesn't say the command is not installed and therefore needs to be installed first.

Then.... It shows the command and in a note it then adds that it needs to be run as sudo.

It begs the question - by me - that if it needs to be run as sudo, it should be stated when the command is shown.

So rather than:

node-red-admin hash-pw

It should read:

sudo node-red-admin hash-pw

To me that makes a lot easier reading for people who are at the bottom of the learning curve.

I've looked at the log mentioned at the bottom of the error.

It is not small. It is BIG! And it is ONLY for today as far as I can get.
(I deleted the older log a while ago to address this error.... )

0 Likes

#11

You need sudo to install it using the npm install command.

Once installed, you do not need sudo to run it. Which is why the security page doesn't tell you to use sudo but the install page does.

0 Likes

#12

Ok.

Mea culpa.

I got a few things messed up.

Installed now, and moving on.

(Just mentioning.........)

I like it now after doing the command:

pi@TimePi:~/.node-red $ sudo npm install -g node-red-admin
npm WARN deprecated bcrypt@0.8.7: bcrypt < v2.0.0 is susceptible to bcrypt wrap-around bug. Upgrade to bcrypt >= v2.0.0 for improved support for newer bcrypt hashes
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated hoek@2.16.3: The major version is no longer supported. Please update to 4.x or newer
/usr/bin/node-red-admin -> /usr/lib/node_modules/node-red-admin/node-red-admin.js

> bcrypt@0.8.7 install /usr/lib/node_modules/node-red-admin/node_modules/bcrypt
> node-gyp rebuild

gyp WARN EACCES user "root" does not have permission to access the dev dir "/root/.node-gyp/8.12.0"
gyp WARN EACCES attempting to reinstall using temporary dev dir "/tmp/.node-gyp"
gyp ERR! configure error 
gyp ERR! stack Error: EACCES: permission denied, mkdir '/usr/lib/node_modules/node-red-admin/node_modules/bcrypt/build'
gyp ERR! System Linux 4.9.52+
gyp ERR! command "/usr/bin/node" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /usr/lib/node_modules/node-red-admin/node_modules/bcrypt
gyp ERR! node -v v8.12.0
gyp ERR! node-gyp -v v3.8.0
gyp ERR! not ok 
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: bcrypt@0.8.7 (node_modules/node-red-admin/node_modules/bcrypt):
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: bcrypt@0.8.7 install: `node-gyp rebuild`
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: Exit status 1

+ node-red-admin@0.1.3
added 83 packages from 82 contributors in 356.874s
pi@TimePi:~/.node-red $ 

Especially the lines like:

gyp WARN EACCES user "root" does not have permission to access the dev dir "/root/.node-gyp/8.12.0"

0 Likes

#13

Ok, here's where I am at:

The security message mentioned at the top of the page links to: documentation.

It goes on and says:

This section describes how you can secure Node-RED. The security is split into two parts:

Ok. No problems.

It then goes down to:

Username/password based authentication

Further down it has:

Generating the password hash

To generate a suitable password hash, you can use the node-red-admin command-line tool:

node-red-admin hash-pw

The tool will prompt you for the password you wish to use and then print out the hash that can be copied into the settings file.

Ok.

I got messed up and was sent to:

The link

But at the top of the pages is written:

Command-line Administration

Command line? Yeah, ok.
Installation. Ok. I goofed and did the sudo part.
Installed. Got the message about "root not authorised to access (path)" Yeah. R-I-G-H-T.... Worriedly.

Then it gets to:

If authentication is enabled, you must then login :

Huh? I am coming here to set up the security. Where does this question fit in what I am doing?

Moving on.

node-red-admin login

That is ONE command, with an option.

It then says:

These commands create a file called ~/.node-red/cli-config.json that stores the target and access token information.

THESE????

Putting that aside, I tried the command. Nothing seemed to happen.
There is no ~/.node-red/cli-config.json file.

pi@TimePi:~/.node-red $ node-red-admin login
pi@TimePi:~/.node-red $ lf
lib/  node_modules/  public/  flows_TimePi_cred.json  flows_TimePi.json  package.json  package-lock.json  settings.js
pi@TimePi:~/.node-red $ 

Where?

0 Likes

#14

If you are just using node-red-admin for the hash-pw option then you do not need to do anything else on that page other than the install.

Yes, I acknowledge that page says "The tool must first be pointed at the Node-RED instance you want it to access." ... but that is for the tool's main purpose which is remote administration of a Node-RED instance. The hash-pw option is the one thing the tool does that doesn't need targeting.

So - forget about node-red-admin login. Go back to the security page and follow what it says about generating your password hash.

0 Likes

#15

And for the sake of completeness... there is a mistake in the docs. The token file is ~/.node-red/.cli-config.json - the docs miss out the . in front of cli-config.json. That means it's a hidden file so won't be listed with a simple ls command - but ls -la will show it.

1 Like

#16

Ok. Thanks.

So I now have the "hash".

Below (on the page) where that is shown, it goes on to the alternative way of doing it.

But then............... nothing.

It just leaves me there.

It goes on to

OAuth/OpenID based authentication

But it hasn't closed the first part: Username/password based authentication

Where is it put? Though it is implied it is in the settings.js file in the

adminAuth: {

part.

It doesn't explain where/how the name is set.
Can I just add a "name" where it has "admin"?

I'm also guessing that I do NOT enable the existing admin - as it is documented what the password is. So that would defeat the purpose of it anyway.

0 Likes

#17

The docs provide an example adminAuth setting you can copy and paste into your settings file:

That shows you what it should look like. You can change admin to whatever username you want to use. You then paste in the password hash to replace the example password.

0 Likes
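
What post #17 describes, as an added example (not from the Node-RED docs or from anyone in this thread): a small check over an adminAuth block before it goes into settings.js, confirming each user has a username and that the password field holds a bcrypt hash rather than the plain password. The username myuser, the placeholder hash and the helper names parseBcrypt and checkAdminAuth are all constructed for illustration.

```javascript
// Added example, not Node-RED code: lint an adminAuth block of the shape the
// security docs describe (type "credentials" plus a users list).

// bcrypt string layout: $<version>$<2-digit cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$/;

function parseBcrypt(value) {
  const m = typeof value === 'string' ? BCRYPT_RE.exec(value) : null;
  return m ? { version: m[1], cost: Number(m[2]), salt: m[3] } : null;
}

function checkAdminAuth(adminAuth) {
  const problems = [];
  if (!adminAuth || adminAuth.type !== 'credentials') {
    problems.push('type must be "credentials"');
  }
  const users = (adminAuth && Array.isArray(adminAuth.users)) ? adminAuth.users : [];
  if (users.length === 0) problems.push('no users defined');
  const seen = new Set();
  users.forEach((u, i) => {
    const who = u.username || `users[${i}]`;
    if (!u.username) problems.push(`${who}: missing username`);
    if (seen.has(u.username)) problems.push(`${who}: duplicate username`);
    seen.add(u.username);
    // The hashing commands never see the username; only this field takes their output.
    if (!parseBcrypt(u.password)) {
      problems.push(`${who}: password is not a bcrypt hash (plain text?)`);
    }
    if (!u.permissions) problems.push(`${who}: missing permissions`);
  });
  return problems;
}

// Constructed sample: the hash is a placeholder with the right shape only.
// Replace it with the real output of `node-red-admin hash-pw`.
const PLACEHOLDER_HASH = '$2a$08$' + 'A'.repeat(22) + 'B'.repeat(31);
const adminAuth = {
  type: 'credentials',
  users: [{ username: 'myuser', password: PLACEHOLDER_HASH, permissions: '*' }]
};

console.log(checkAdminAuth(adminAuth)); // empty list: shape is fine
console.log(checkAdminAuth({
  type: 'credentials',
  users: [{ username: 'myuser', password: 'password', permissions: '*' }]
})); // one problem: the password was pasted in plain text
```
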

#18

Thanks.

So "admin" has full access. Got that.
The password (hash) is....... something unknown at this point. That's fair enough to say. Though it is "password" as I have read. (Doesn't matter see next part)

But I guess it would be good practice to remove the user altogether and put the new one there.

I shall do that now.

0 Likes

#19

Yes! That is an example configuration for how to configure a user under adminAuth. It is not intended for you to use that specific set of values otherwise everyone would know your user/password.

0 Likes

#20

Thanks.

I kind of got that.

So I have now (since) added the new two lines and deleted the two existing lines.

I'm guessing I need to reboot the machine now?

And being a bit pre-emptive: When it is rebooted and I get back to it: What will I be shown when I log into the page?

0 Likes