bigdessert

RMM+ Passwords: A password syncing tool for ScreenConnect and Labtech

The hard part about 2FA is that really the only attack surface is during the login to get the token. If you enable 2FA on Control and Automate, that helps, but the API is still there, so there is an attack surface present. Not sure how I would even do it if I wanted to, but it would have to be separate from the Automate or Control 2FA implementations.

Maybe an alternative would be to limit exposure in different ways, like IP filtering or other methods.


Here's a scary thought: This bypasses automate 2FA and can connect to any automate server which utilizes it.
 


So does the manage plugin or any other plugin that offers 2-way communication.

I could implement an OTP type 2FA but I don't believe I can easily tie into the Automate 2FA because that is a plugin itself. The helper is completely unaware of the server installation on Control, so I can't use that for 2FA, so I am stuck with either creating my own or finding another way to secure or minimize risk. If you have other ideas I am all ears!


Just throwing this out there ... What about tying in something like WinAuth

https://winauth.github.io/winauth/

Open-source, portable authenticator app that takes a key (or reads a QR code you load into it) and runs the same as a mobile-device authenticator app. I'm not sure about command-line usage, but I've been thinking about playing around with it to allow me to enable 2FA on my Automate service account (special user account I set up for running jobs on our app server).

You can set WinAuth to run on startup and even create global keyboard shortcuts for pasting specific tokens on the fly. Folks at my office take screenshots of their QR codes when setting up any new 2FA and use the same code for their phone app and for WinAuth, so they can generate identical tokens either way.

Might be useful if there's a way to tie them together.


@bigdessert Great plugin, however, running into a few problems.

Works fine for superadmins but unfortunately not working for other user permission classes. I have confirmed RMM Password Link Plugin is checked under User Class Manager. I have also confirmed that client level all boxes (to include Password Read, Edit, Del and Schedule Scripts) have been checked.

Currently running LT v19.0.225 (patch eight) and SC v19.2.24707.7131.

Lastly, I can not find where to configure timeout within LT's new interface - seems screenshots before are prev LTv19.

Any help would be appreciated.

8 minutes ago, automationGuy said:

Works fine for superadmins but unfortunately not working for other user permission classes. I have confirmed RMM Password Link Plugin is checked under User Class Manager. I have also confirmed that client level all boxes (to include Password Read, Edit, Del and Schedule Scripts) have been checked.

Can you confirm if one of the users logs into the control center they can in fact see and/or edit passwords?

8 minutes ago, automationGuy said:

Lastly, I can not find where to configure timeout within LT's new interface - seems screenshots before are prev LTv19.

@automationGuy This is under tools->RMM Password Link


@bigdessert Thank you for the fast reply! Both my questions above were solved with restarting Labtech after the plugin was installed. The plugin shows in User Class Manager after you install it but had to restart Labtech for it to show the drop down (Use Passwords and Use Scripts). In addition, I looked under Tools before but a restart of Labtech and it's now reflecting there.

Thanks!


BIG SECURITY IMPROVEMENTS!!!!

Released Control version 1.0.27 and Automate plugin version 1.0.0.20 today. This release uses MFA codes if configured for each user that are the same codes used to access automate. If a user is configured to require MFA then so is this plugin.


@bigdessert Great plugin. Having an issue since installing the newest version of the plugin.

All of our users are getting an Error: Token Issue: Token Error when pulling up the plugin in Control, and when we enter our user/pass, we just get a blank screen.

Currently running Automate 19.0.250 Patch 9, and Control 19.4.25666.7235.

Any help on this would be appreciated.


I had the same issue @drobert88. Were you once hosted in the cloud and now on prem?

If that is the case, you may have an old host entry in your database. In the config table, DownloadURL was wrong in my case. That was still pointing towards hostedrmm.com. Once he fixed that the plugin worked and Automate was much faster.

 

3 minutes ago, bigdessert said:

Yes this sounds just like the issue we had with @apbirch67. Check that field in the config table and update it to your correct URL if not correct. 

To my knowledge we have always been on prem. I checked the config table just to be safe, and confirmed the download URL is pointing to our Automate server.
