Jump to content

Profile visibility different within LAN than from WAN


computerprep
 Share

Recommended Posts

computerprep

Is there any way to hide user profiles from the login screen when accessing from WAN, but leave a few select profiles visible when accessing from LAN?

 

If not, this would be awesome.

  • Like 13
Link to comment
Share on other sites

computerprep

Then let's make this an official feature request.

 

With increased use of Android TV boxes, Chromecasts, Roku's, etc., and the ability to have easy pin codes for logging in with apps and in-network devices... selecting key family members to show on the login screen only when logging in locally would be a great feature. To have a visible login with easy pin code for my close family to use that my extended family outside my physical home can't accidentally select...

 

That would be wonderful. Potential UI implementation of an additional checkbox option.

 

569fcbf6b3324_embylocaluser.jpg

  • Like 5
Link to comment
Share on other sites

  • 4 months later...
ABotelho

I was just looking into this today. I agree with this!

My reason is mostly for security. With a public facing device, I'd like only my profiles with actual passwords available from the internet. I'd like family members (who only stream at home) to not have to use passwords necessarily. It's gotta work as easily as Netflix for them if they'll even attempt at using it.

  • Like 3
Link to comment
Share on other sites

computerprep

ABotelho, some settings I use that might look into if your not already using them are: 1) hide this user from login screens, and 2) enable easy in-network sign in with my easy pin code.

See two screenshots, attached and also linked below. First from server management > users > *username* > profile... and scroll all the way down.

The second is from server management > users > *username* > password.

They don't take care of my request, to show user photos only on certain device types, or show users in-network but hide them out of network... but it will make it easier for your family members.

Plus you can usually save the username and password for an "auto-login" type of experience after they get in the first time.

post-1756-0-05738300-1465472356_thumb.png

post-1756-0-65153000-1465472367_thumb.png

Edited by computerprep
Link to comment
Share on other sites

Correct, they don't exactly fulfill the request, but come pretty close to it.

Link to comment
Share on other sites

Natilus13

Is there any way to hide user profiles from the login screen when accessing from WAN, but leave a few select profiles visible when accessing from LAN?

 

If not, this would be awesome.

I would love this feature. Even more so now after having had my server hacked.

Link to comment
Share on other sites

computerprep

Luke... luckily I haven't had my Emby hacked yet (knock on wood). But I have had to deal with hacker activity on my FTP server. It has IP Binding capability. Those would be great features that I haven't seen in the management yet.

 

IP Binding, IP blacklisting after X failed attempts, user blacklisting after X failed attempts... maybe features in the future?

 

And if your IP or username gets blacklisted, the only way to remove the block should be to contact the administrator through other means... a phone call or text.

Edited by computerprep
Link to comment
Share on other sites

  • 2 weeks later...
computerprep

I was just looking into this today. I agree with this!

 

My reason is mostly for security. With a public facing device, I'd like only my profiles with actual passwords available from the internet. I'd like family members (who only stream at home) to not have to use passwords necessarily. It's gotta work as easily as Netflix for them if they'll even attempt at using it.

My mom lives 1,000 miles away from me, and my sister lives 2,500 miles away... and I just set her device up with a VPN connection into my home.

 

So she can open her VPN app on phone or Android TV, then open Emby... and it acts like she's on LAN.

 

This could be a solution... here's a new thread since this seems like a different feature request to me. http://emby.media/community/index.php?/topic/36194-vpn-capability-for-device-apps/

Edited by computerprep
Link to comment
Share on other sites

  • 1 year later...
computerprep

@@Luke... Any thoughts on this capability?

 

Someone liked a post above and it got me to thinking... A more versatile way to handle this would be optional custom profile visibility lists per device.

 

You have a default profile visibility list... but in the devices menu, there could be an option to use a custom profile visibility list.

 

So my friends/family could have easy access to their accounts on Rokus, AppleTVs, etc., without filling my own Roku login screen with unnecessary profile pictures.

Edited by computerprep
Link to comment
Share on other sites

Spaceboy

No, I just want the name cards to show up on the lan but not externally. Existing functionality does not satisfy this in any way

  • Like 1
Link to comment
Share on other sites

  • 4 months later...
theswordsmahin

This isn't exactly the same thing. I don't think we want to absolutely lock a user out, just hide them from the login screen. What if the "Hide user from login screens" checkbox functioned something like this:
 

1. Select "Hide user from login screens"

2. Another checkbox appears, "Hide from all devices". Selected by default. 
3. Unchecking this box would then show your device list (similar to the "Enable access from all devices" checkbox), and allow you to select/deselect which devices to hide the user from

 

Thoughts? 

 

We already support that by restricting device access for a user. If a user is restricted from a device, they wont' show on the login screen for that device.

 

You can learn more on our wiki:

https://github.com/MediaBrowser/Wiki/wiki/Device%20Access

 

Thanks.

 

Link to comment
Share on other sites

computerprep

@Luke, there's been quite a bit of discussion on how people would like this to happen. A new idea occurred to me. Limiting profile visibility based on 2 new factors from the user configuration page would be helpful. We can already restrict users from new/existing devices, but this does not accomplish the goal. It disallows login from that user on restricted devices, basically saying the username/password was incorrect, but the user's profile image still shows up on the login screen.

 

We're talking about two different things that need to work together. It'd be great to:

1. Allow/disallow login based on (a) device, ( B) lan/wan, and © ip/hostname whitelisting.

2. Allow/disallow profile picture visibility based on the same a, b, c above.

These settings (like device access) are either all on, or all of except selected entries. So new devices/locations are not allowed by accident.

 

So if I allow all access for login for Jimmy, and whitelist his home IP/hostname for profile visibility, he can use whatever device anywhere to login, but he'll see his profile picture only on his home network.

And if I only whitelist Jason for access at his home IP/hostname, but don't explicitly allow any profile visibility, then he can only login from home and his profile picture will never be displayed.

Edited by computerprep
  • Like 1
Link to comment
Share on other sites

Beginning with the next release of Emby Server, you'll be able to restrict incoming traffic by IP address:

 

5a9a433f9018d_Untitled.png

 

Enjoy.

Link to comment
Share on other sites

Beginning with the next release of Emby Server, you'll be able to restrict incoming traffic by IP address:

 

5a9a433f9018d_Untitled.png

 

Enjoy.

 

That will make them unable to connect as opposed to just hiding them from the login screen (as requested here) correct?

Link to comment
Share on other sites

otispresley

Correct...and a whitelist when you are talking about primarilay internet devices that change IP addresses constantly is almost impossible to maintain. That dialog would mainly just be for private space that is not on the same subnet as the Emby server.

Link to comment
Share on other sites

Correct...and a whitelist when you are talking about primarilay internet devices that change IP addresses constantly is almost impossible to maintain. That dialog would mainly just be for private space that is not on the same subnet as the Emby server.

 

Yes but a blacklist would be just as hard to maintain so it really depends on your perspective as to which one is better for you.  Using a whitelist is the most secure method and, assuming that is the reason anyone would fill something in here, makes the most sense as a start.

Link to comment
Share on other sites

It's a comma delimited list. We could have a toggle to allow it to serve as either whitelist or blacklist.

  • Like 1
Link to comment
Share on other sites

In the next release you will also be able to grant or deny remote access on a per-user basis.

 

5a9ac9668bed4_Untitled.png

 

Enjoy.

  • Like 1
Link to comment
Share on other sites

otispresley

Yes but a blacklist would be just as hard to maintain so it really depends on your perspective as to which one is better for you.  Using a whitelist is the most secure method and, assuming that is the reason anyone would fill something in here, makes the most sense as a start.

 

It depends on how you look at it. While a whitelist is more secure, it is harder to maintain because you have to know which addresses/ranges to allow in the first place; you cannot use access logs to make these decisions and you have to rely on users reporting that they cannot access your service. A blacklist, while less secure, is easier to maintain because you can just block addresses/ranges on an as-needed basis when you find unauthorized access attempts in the logs or when you know that there are certain ranges of addresses that you want to block. This is why being able to hide accounts from remote access but show them locally is so important since it would not be presenting valid accounts to the outside world for a bad actor to try and brute force.

 

Personally, I use a firewall to whitelist ports (services) that I want to have access to and use a blacklist in each application with external access to disallow addresses or ranges. Of course, VPN would be the most secure way to access these services, but it make it much less user-friendly.

 

I am glad to see these features coming to Emby and can't wait to see more down the road! Thanks for all the hard work.

Edited by otispresley
Link to comment
Share on other sites

It's a comma delimited list. We could have a toggle to allow it to serve as either whitelist or blacklist.

 

That would be great!

 

In the next release you will also be able to grant or deny remote access on a per-user basis.

 

5a9ac9668bed4_Untitled.png

 

Enjoy.

Very nice.

 

This would be great for setting an account up for the baby sitter, visiting relatives/friends, etc to allow them to use devices in your house while visiting but keep them from accessing your server when not on your LAN..

Link to comment
Share on other sites

digger11

In the next release you will also be able to grant or deny remote access on a per-user basis.

 

5a9ac9668bed4_Untitled.png

 

Enjoy.

 

Nice!   Will unchecking the above for a user also prevent that user from being shown on the login screen of a remote connection? 

 

On our vacation home's Emby server I have a user called OurGuests that is the only user I allow to be shown on the login screen.  On the local LAN connection, login is allowed via a blank easy pin code.  I'm relying on a long and obscure password to hopefully prevent a remote login to that account, but it does show up on the login screen of a remote connection.  Once the option is available to prevent remote logins to that account I'll be taking advantage of that option.  I'm hoping that will also make it where someone who stumbles across Emby on my server won't be presented with any user names to attempt password brute force attacks against.  (Not that I guess it would do them any good if they wouldn't be allowed to log in remotely to that account even with the correct password.)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...