kingy444 108 Posted June 18, 2015 Share Posted June 18, 2015 I would like to be able to have a checkbox to allow/deny remote access based on a user account. Three reasons for this 1. I have multiple accounts. Some with weak passwords that i would never trust externally anyway 2. i would like to minimize access points to my home network 3. I would prefer not allow a full system admin remote assess as they could essentially access and delete my entire content library 7 Link to comment Share on other sites More sharing options...
Cerothen 89 Posted June 18, 2015 Share Posted June 18, 2015 You could always make use of the local pin option? Just make the password for the remote login something obscene (Something like: ~8~T.~3w7_;gq=74h^09^m44!;~.9.5+u4G9j-%w) then make a pin code. Emby knows when a device is making the request from the local network and allows you to use the pin instead. That would effectively make logins from the internet impossible (since you will never remember the password and its unlikely to be guessed) while still making it so you can use those account's locally. Link to comment Share on other sites More sharing options...
kingy444 108 Posted June 18, 2015 Author Share Posted June 18, 2015 With the ability to detect whether you are internal or external to the network wouldnt it be simple enough to allow/block a user connection based on a true/false on each account Much safer than 'that password is too hard to guess so it must be safe' approach Link to comment Share on other sites More sharing options...
Cerothen 89 Posted June 18, 2015 Share Posted June 18, 2015 You could also go to the user account and disable that account from being able to log in using any devices that reside outside your local network. In terms of blocking the internal vs external login disabling. If you already have accounts that WILL be able to be accessed from the internet then why would just making a ridiculously complex password. Chances are if someone wanted in they would do it through your other account anyways... One because they would hit the password much sooner and two because if they were watching your traffic or even saw the username over your shoulder then you wouldn't be using the account that you didn't want to be accessible externally anyways.. I would say as long as the user's password is more secure than the next account you would be using externally that would be sufficient. Link to comment Share on other sites More sharing options...
kingy444 108 Posted June 18, 2015 Author Share Posted June 18, 2015 Devices such as laptops and mobiles dont really work in this setup though as sometimes they are internal others external. Hell i take my xbox one on holidays and use it remotely sometimes. Restricting accounts that can be accessed remotely should be a relativly simple task in my opinion. I work in IT and would be highly suprised if you could find a security adviser who would agree that 'security via obscurity' is the right approach We have SSL connections in the works, already test connections via device as you said and the ability to check if your accessing internal or externally. Checking if an account is permitted to perform an action is always safer than obscurity. An obscure password should be your final layer of security. Not your only one Link to comment Share on other sites More sharing options...
kingy444 108 Posted July 19, 2015 Author Share Posted July 19, 2015 Any devs have an opinion on this? Link to comment Share on other sites More sharing options...
kingy444 108 Posted July 23, 2015 Author Share Posted July 23, 2015 @@Luke ? I wouldnt think this type of check would be hard and wpuld be beneficial to strengthen security? Link to comment Share on other sites More sharing options...
MSattler 387 Posted July 23, 2015 Share Posted July 23, 2015 @@Luke ? I wouldnt think this type of check would be hard and wpuld be beneficial to strengthen security? I pressed for this previously but there really was no response and not much interest from the community. I've gone the obscure password route myself. Honestly, I have all my logs hitting Splunk, and I can tell you that the Emby install does not see a ton of traffic other than my users. I think we would get further here by implementing a lock out option, based upon password failures. Link to comment Share on other sites More sharing options...
Luke 37112 Posted July 23, 2015 Share Posted July 23, 2015 It's not a bad idea and maybe we will but in the meantime you do have options to achieve a similar result. Link to comment Share on other sites More sharing options...
ebr 14929 Posted July 23, 2015 Share Posted July 23, 2015 I think we would get further here by implementing a lock out option, based upon password failures. We had that at one point and it was more trouble than help. It was too easy for an app to unwittingly lock you out of your account. Link to comment Share on other sites More sharing options...
Deathsquirrel 741 Posted May 27, 2017 Share Posted May 27, 2017 In light of a user's recent post about his system being remotely accessed, this seems worth bumping for further consideration. @@Luke, you're correct that you can use the internal PIN to achieve a sort-of similar effect but under the current system it's not nearly as good. The main reason is the account name shows up to remote access. i don't want that. I want a group of internal accounts with user names that show up for logins internal to the network. The client apps are a LOT easier to use if configured this way. These accounts shouldn't be used for external access though. For external access I want you to have to guess both the username and pw. Alternatively you could make the current 'Hide this user from login screens' option one that has an internal/external component. That, combined with the existing internal PIN system, would be just about as good as allowing an internal/external flag on whole users. 4 Link to comment Share on other sites More sharing options...
Luke 37112 Posted May 27, 2017 Share Posted May 27, 2017 Yes its' a good idea. Link to comment Share on other sites More sharing options...
otispresley 81 Posted September 28, 2017 Share Posted September 28, 2017 [first post liked]: I agree with this. There are 2 accounts I use on my internal network that I leave visible for ease of use, but I would like to be able to hide these accounts when accessing the server from remote networks. Link to comment Share on other sites More sharing options...
computerprep 142 Posted February 27, 2018 Share Posted February 27, 2018 Similar conversation going on over here... Link to comment Share on other sites More sharing options...
MSattler 387 Posted February 27, 2018 Share Posted February 27, 2018 Similar conversation going on over here... Plex has had this ability for quite some time...... sigh 1 Link to comment Share on other sites More sharing options...
Luke 37112 Posted March 3, 2018 Share Posted March 3, 2018 Beginning with the next release of Emby Server, you'll be able to restrict incoming traffic by IP address: Enjoy. Link to comment Share on other sites More sharing options...
Carlo 4330 Posted March 3, 2018 Share Posted March 3, 2018 Plex has had this ability for quite some time...... sigh No it doesn't. Plex has no ability to do much of any of this. In Plex with a Plex Pass you can set up a "Home" and then create local users who are only tied to your admin account and it's servers. They however can log in from anywhere. You can't for example create a "Baby Sitter" or "Guest" account that is only usable in your own LAN and not accessible from outside your network. In Plex if you create a guest account it's usable from anywhere. In Plex there is no concept of a local only account if your server has it's ports open to the internet. Emby is already better than Plex's implementation before this is even added. With this feature request it's just that much better. Carlo Link to comment Share on other sites More sharing options...
computerprep 142 Posted March 3, 2018 Share Posted March 3, 2018 (edited) @@Luke, I don't see you confirm anywhere... Will this be a per-user setting? Edited March 3, 2018 by computerprep Link to comment Share on other sites More sharing options...
Luke 37112 Posted March 3, 2018 Share Posted March 3, 2018 You will be able to set a global ip address filter, and then there will be a per-user toggle to enable or disable remote access altogether. Link to comment Share on other sites More sharing options...
computerprep 142 Posted March 3, 2018 Share Posted March 3, 2018 Awesome. So we'll be able to blacklist based on suspicious behavior, and whitelist restricted users. Link to comment Share on other sites More sharing options...
NearWinter 1 Posted March 6, 2018 Share Posted March 6, 2018 I'm excited to hear about this, I have an administrator account that I'd prefer not be accessed remotely for security reasons. Nice work! So glad I've made the switch from Plex to Emby with all these amazing features. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now