Log out security hole


cpeng
Solved by ebr

I just started using emby with premiere and dvr, long time plex user tired of their bugs. 

 

I'm having trouble figuring out a way to remove access to my server from a previously used device. I have changed my password on both my user on the server and my user on this community, and deleted the device from the server settings, yet still the device just shows back up when I open the app, even when the device is not on my home network. So basically if I sign a device on to emby it seems I have no way of removing access unless I physically have access to the device to sign out. If this is true this is a large security hole.

 

One other question, are passwords transmitted encrypted even if my server is not (no ssl cert or reverse proxy)? I only use emby for dvr at this point so don't care if people figure out what I watch remotely, but I don't want to give them access.

 

Thanks

 

cpeng


Hi, this isn't true. If you want to block someone, do it by user, so for example, you could change the password for the user on your server. When you do that it will sign out all existing sessions for that user and they'll have to sign in again.


Thank you for your quick reply.

 

I tried this again and found out that after I changed my user password on the server it blocked that user's access to the remote emby, but not local emby, even with the option "Require password on the local network" as the setting. So I guess my statement was only half true. I don't think this is ideal but it is much better than I thought.

 

 

My use case with plex was: I would sign on with my plex account on a friend's roku or ipad so I could show them something, then I would be able to easily log that device out using the web interface of the server after I left, without access to the original device. I would skip the step of creating a new user because it was so easy to manage connected devices through the web interface on plex, but now I know of the limitation with emby.

 

One other question: even without an installed ssl cert, are the login credentials exchanged securely?

 

Thank you

 

CPEng


Just to clarify, it doesn't block the user's access but rather it just makes them sign in again. 

 

 

 

My use case with plex was: I would sign on with my plex account on a friend's roku or ipad so I could show them something, then I would be able to easily log that device out using the web interface of the server after I left, without access to the original device.

 

You can do this as well in Emby by deleting the device. It will close existing sessions, but the user can just log in again if they have credentials.

 

 

 

One other question: even without an installed ssl cert, are the login credentials exchanged securely?

 

Yes, but only if you use our Emby Connect feature. By doing this, you log into us with your Emby Connect credentials and that connection is secure. After that all communications will be direct from client device to your server.


You can also create separate users for them, in that case, you could just disable or delete the users altogether when you're done with them. Then they'll need all new credentials to sign in again.


You can do this as well in Emby by deleting the device. It will close existing sessions, but the user can just log in again if they have credentials.

 

 

I've double checked and this doesn't work in my setup for whatever reason. I have rokus and ipads I've tested this on. I'm running ubuntu 18.10, emby server 4.3.0.30, ios 1.8.9 and the latest roku releases. I misspoke earlier, a user password change doesn't kick out any of my devices and force them to re-sign on, either locally or remotely. I'm encouraged that it is what is supposed to happen but it seems to be broken currently.


Happy2Play

Just tested having Emby open in Firefox and Chrome and deleting the Firefox one from Devices; when I went back to Firefox, navigation gave me the circle of death. Refreshed the browser and I had to log in again. Did the same on my iPhone and got the same results: I was not redirected to the login screen but could not do anything (circle of death) until I relaunched the app or selected sign out.


Yes because when you use Emby Connect, that's the login mechanism, not your local server credentials.

 

So what you would need to do is remove the Emby Connect association from that local user on your server. Looks like you were sharing the plex cloud login across lots of devices and users but in our world here everyone will have their own. That's why if you want to cut someone off, you do it via the user rather than the device.


Looks like you were sharing the plex cloud login across lots of devices and users but in our world here everyone will have their own. That's why if you want to cut someone off, you do it via the user rather than the device.

 

 

That's not really what I said, I (1 user) use other people's devices to access my content. My inlaws have an amazon fire tv, my parents have a tivo. I would login to my plex as my user to watch my content, then I would want to make sure that I'm logged out; trouble is I never know the last time I will use that device until I'm gone. Then I want to log it out. I'm trying to block devices, not users. But even if I change my connect password, device access persists, this isn't ideal in my opinion. Amazon prime music lets you kill devices logged into it because they have a 5 device limit. So basically what you are telling me is there isn't a way to block a device connected through "emby connect" unless I block my user? I will stop using emby connect then.


darkassassin07

I have to agree with cpeng here.

Removing a device via the device list on the server dashboard should expire that auto/remembered-login regardless of how it was authenticated, forcing the signed-in user of that device to re-enter their pass even if it hasn't been changed.

 

As described above, that lets you sign into a device then later expire that login without having access to the device or being forced to change your password.


It does, but because they're signed into the app with emby connect it gets them right back in.

 

We can't just log them out of emby connect because it is a multi server login system.


darkassassin07

Would it be possible to have emby connect itself require re-entry of your password when trying to connect to a server via a device that was previously removed from that server?

 

Not necessarily signing out of emby connect on the device, just requesting your password to re-auth when trying to access that specific server.


darkassassin07

As cpeng described,

It would be useful when visiting friends/family and signing into emby connect, then later verifying that device can't access the server without re-auth.

 

 

From the server owner's point of view, if a user of mine visited their friend and forgot to sign out, I'd like to be able to require that device to re-auth without necessarily forcing the user to change their pass or straight up blocking that user's access.

 

 

It sounds like currently if a user of mine signed into a device via connect and forgot to sign out before losing physical access, the only thing I could do is completely disable that user until they change their connect pass themselves.


That's not really what I said, I (1 user) use other people's devices to access my content. My inlaws have an amazon fire tv, my parents have a tivo. I would login to my plex as my user to watch my content, then I would want to make sure that I'm logged out; trouble is I never know the last time I will use that device until I'm gone. Then I want to log it out. I'm trying to block devices, not users. But even if I change my connect password, device access persists, this isn't ideal in my opinion. Amazon prime music lets you kill devices logged into it because they have a 5 device limit. So basically what you are telling me is there isn't a way to block a device connected through "emby connect" unless I block my user? I will stop using emby connect then.

 

Yes, if you stop using Connect when you login on someone else's device, I think that will provide you what you want as you can just delete the device from your server end.


I just confirmed that changing your connect password and deleting the device at the same time still allows all devices that you entered your emby connect credentials into to still access your emby.

 

Steps taken:

1. Close emby on edge browser and iphone

2. Change emby connect password on the emby community using chrome browser

3. Delete edge and iphone devices from emby manager using chrome browser

4. Go to emby.media on edge browser click sign in, redirects straight to emby

5. Open iphone emby app. Goes straight to emby

 

So basically there isn't a way to prevent any device from accessing your emby if you once had entered your emby connect credentials into it. I'm lost for words. 


Well that's what I already told you earlier. Emby Connect is a user based system, not device based. You're trying to take a paradigm from other software that doesn't really apply here.

 

What we're saying you can do as a workaround is just not use Emby Connect to sign in with.


I understand it is a user based system, but does it not seem logical that if the user changes his or her password that it should kill all current logged in sessions?


  • Solution

I understand it is a user based system, but does it not seem logical that if the user changes his or her password that it should kill all current logged in sessions?

 

Yes, that makes sense and that is what will happen if you use your local credentials.  With Connect it is a bit more complicated because, in order to not force you to have multiple accounts, we tie Connect into the forum user system.  But, when you change your password in the forum, our system does not currently know about it because we don't store passwords and the forum doesn't know about our system that is also using its database.  So it is just a level of integration we haven't implemented at this time.

 

Connect is not required though and is just a convenience redirection.

 

Thanks.


Yes, that makes sense and that is what will happen if you use your local credentials.  With Connect it is a bit more complicated because, in order to not force you to have multiple accounts, we tie Connect into the forum user system.  But, when you change your password in the forum, our system does not currently know about it because we don't store passwords and the forum doesn't know about our system that is also using its database.  So it is just a level of integration we haven't implemented at this time.

 

Connect is not required though and is just a convenience redirection.

 

Thanks.

 

 

Thank you for your response. I very much appreciate getting quick developer responses. I do still think it's a problem but the workaround of not using emby connect is decent and will work just fine for my needs.

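A constructed model of the session rules this thread argues over, added here as an example and not Emby's code: each session records the credential generation of its user, so a local password change invalidates every earlier token, and a device deleted from the dashboard is refused a silent Connect-style resume until someone types the password on it again. The class and method names, the revocation list and the plaintext password field are assumptions made to keep the model short.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class User:
    password: str              # plaintext only to keep the model short; hash it in real code
    auth_generation: int = 0   # bumped on every credential change

@dataclass
class MediaServer:
    """Constructed model (not Emby's code) of a media server's session store."""
    users: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)   # token -> (user, device, generation)
    revoked_devices: set = field(default_factory=set)

    def _issue(self, name, device_id):
        token = secrets.token_hex(16)
        self.sessions[token] = (name, device_id, self.users[name].auth_generation)
        return token

    def local_login(self, name, password, device_id):
        # Interactive login with server credentials; typing the password on the
        # device clears any earlier revocation of that device.
        user = self.users.get(name)
        if user is None or not secrets.compare_digest(password, user.password):
            return None
        self.revoked_devices.discard(device_id)
        return self._issue(name, device_id)

    def connect_resume(self, name, device_id):
        # Silent re-login from a remembered identity-provider token (the Connect-style
        # flow in the thread): a deleted device must not get back in without retyping.
        if device_id in self.revoked_devices:
            return None
        return self._issue(name, device_id)

    def is_valid(self, token):
        if token not in self.sessions:
            return False
        name, device_id, generation = self.sessions[token]
        return generation == self.users[name].auth_generation and device_id not in self.revoked_devices

    def change_password(self, name, new_password):
        self.users[name].password = new_password
        self.users[name].auth_generation += 1   # every token issued earlier now fails

    def delete_device(self, device_id):
        # Dashboard "delete device": close its sessions and block silent resumes.
        self.revoked_devices.add(device_id)
        self.sessions = {t: s for t, s in self.sessions.items() if s[1] != device_id}
```

Walking the thread's own scenario through it: log in on the in-laws' device, change the password (old token dies), log in again, delete the device (token dies and a silent resume is refused), and only a fresh interactive login on that device gets back in.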
