4.8.0.80 Required pass on local network option


Posted (edited)

@kingy444 There's still the issue of having a reverse proxy misconfigured though. A reverse proxy could very well be exposing a server externally while reporting an internal or localhost address to emby. The mitigation in 4.7 didn't really prevent that scenario, it really only prevented headers from being spoofed, which affected directly exposed servers, not just ones behind a proxy.

A perfect example of this is how after the mitigation my server would report localhost as the connecting IP when clients were connecting through the reverse proxy on the local network. It's as if the x-forwarded-for header was never set in the first place. 

As most reverse proxy setups are either located on the same machine/network, or even a separate VLAN in private IP address space as emby, there is no setting in emby that would prevent it detecting remote addresses as local IP addresses if the reverse proxy isn't set up to forward headers properly.

There are just too many ways that putting the option back could go wrong and provide a false sense of security, be misconfigured, or otherwise exploited with some factors being completely unrelated to emby and unconfigurable within emby itself.

Like I said before, the all or nothing approach to passwords takes the guesswork out of the equation. Either your server is locked down, or it isn't as it's blatantly obvious whether or not you have passwords configured. 

Most self-hosted services have never had an option to have an account without a password at all, so emby is one of the few exceptions to the rule in this regard.

 

Edited by Clackdor
Edited for further clarification
  • Like 2
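The three cases described in the post above, as an added Python sketch that is not part of the original post and is not Emby's code. The function names, the trusted-proxy list and all addresses are constructed for illustration; it shows why a proxy that does not forward `X-Forwarded-For` makes every remote client look local.

```python
import ipaddress

# Assumed setup (constructed): the proxy reaches the server from loopback or 192.168.1.10.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.1.10/32")]
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(addr, nets):
    return any(addr in net for net in nets)

def effective_client_ip(peer_ip, headers):
    """Address the server should treat as the client, or None if it cannot tell."""
    peer = ipaddress.ip_address(peer_ip)
    if not in_any(peer, TRUSTED_PROXIES):
        return peer                      # direct connection: header is ignored
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):           # rightmost entry was added by the nearest proxy
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                  # malformed header: origin unknown
        if not in_any(addr, TRUSTED_PROXIES):
            return addr
    return peer                          # header missing: only the proxy's address is left

def classify(peer_ip, headers):
    addr = effective_client_ip(peer_ip, headers)
    return "local" if addr is not None and in_any(addr, LOCAL_NETS) else "remote"

# Constructed sample connections: (TCP peer address, request headers).
SCENARIOS = {
    "direct_spoofed_header": ("203.0.113.7", {"X-Forwarded-For": "192.168.1.50"}),
    "proxy_forwards_header": ("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"}),
    "proxy_drops_header":    ("127.0.0.1", {}),
}

def run():
    return {name: classify(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name}: {verdict}")
```

In the last scenario the server has nothing but the proxy's loopback address to go on, so no server-side setting can recover the true origin.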
Posted
15 hours ago, kingy444 said:

Unfortunately this assumes that the general end user either trolls the forum or runs beta. I do not recall stable being directed here for anything related to local network configurations.

I can echo this as I'm beyond a general user (I help maintain the TrueNAS plug-in and generally try to help people on the FreeBSD sub-fora and elsewhere) and I didn't know this change was coming or was able to give my feedback on this.

I'd say putting the option that would re-open the hole for those using reverse proxies into the config file (and not a GUI option) and providing warnings would have made for a smaller overall problem as I think there are a lot more people who run locally without password but want a remote password than there are people who run reverse proxies and would dig into the config file and NOT also read the wiki page for the flag that has the big giant warning not to turn on both options.

It was absolutely a good break to require admin users to have passwords everywhere. But standard view only users are reasonably held to a different standard. 

Posted
15 hours ago, kingy444 said:

It is common practice especially in government. Internal authentication will require a single factor, external requires MFA. You have an internal 'Trusted Network' and outside that MFA is required.

Right but those are large entities (companies or governments) with large IT departments that can ensure that the determination of "local connection" is truly accurate with whatever hardware and software means available.

For us, we have a person who installed the server on their home network and has no idea nor access to such protocols to fully ensure the local determination is accurate.  Thus, our system making security decisions based on the supposed  origin of the connection is just inherently insecure - this was proven in practice.

  • Agree 2
Posted

This password and pin thing is the dumbest change I have ever seen!

The pin does not work on my Sony Android TV or my Roku media player! Checked and no update to the Emby app on either! Just get invalid login when I add a pin to the profiles!

This also makes it very, very hard for kids to use this app!

I guess for now I have to stop hosting Emby outside my local network, as the only way I can get Emby working on my TVs is to turn off the profile passwords. Which I need on to host!

If this change is not rolled back and the password/pin redesigned, I'll need to move away from Emby!

I have Emby Premiere which is a waste now!

Posted
7 minutes ago, darkassassin07 said:

The updates for the TV apps are in review by their distributors and should be out soon. In the meantime, you can sideload the update to get it now.

 

https://github.com/MediaBrowser/Emby.Releases/tree/master/androidtv

Right, but this is a poor workaround! The server update shouldn't have been pushed until the apps were updated to work with the pin.

Posted

Agree that it's not ideal, however we had to get the release out for other reasons.

The app updates are coming though, so we're just about there.

Posted
45 minutes ago, Luke said:

Agree that it's not ideal, however we had to get the release out for other reasons.

The app updates are coming though, so we're just about there.

That's fair on the release, but what is not if is works this way....?

I have a family TV in the family room for all to watch. The old way I could have passwords on for not local network and off for local networks.  This meant that anyone could choose their profile and start watching.

Now...You have to remember a profile and use pin to switch profile. But you can only remember one profile per device. So this makes the profiles on the family TV useless! So what, I have to make a catch all kid friendly profile to remember and hope it does get signed out!? There is no way a young kid is going to be able to have emby easily anymore.

I understand the need to up security, but it is a balancing act. This change went too far in the security direction and has made Emby unusable for some. This app is a media server, not banking software.

I know it sounds like an excuse after excuse, but fact of the matter is, that this change destroyed my media setup that was working fantastically well! I loved Emby! nice clean fast media app. Even paid for Emby Premiere, but if I can't get the Emby working to suit my needs I guess I'll be looking at another.

  • Like 1
Posted
17 minutes ago, Endlesss said:

Now...You have to remember a profile and use pin to switch profile.  But you can only remember one profile per device.

That is not correct.  The PIN is optional and the app will remember all authenticated users.

Have you tried it?

darkassassin07
Posted

Until you explicitly select sign-out, the app will remember your users.

Login as one user (select 'remember me'), select 'change user', login as the second user (also remember me).

You can now switch users directly under the top right user icon menu. (where the switch user button is)

 

Optionally, you can add pins to those users; you will then be prompted at initial login if you'd like to use that pin when switching to that user.

 

This now works everywhere, not just at home. (great for servers on a vps, or family in another house)

Posted
37 minutes ago, ebr said:

That is not correct.  The PIN is optional and the app will remember all authenticated users.

Have you tried it?

Hi ebr, 

No I did not try it before...just tried now and it does remember all users. Thanks for the info, I'll update my post!

Posted
24 minutes ago, darkassassin07 said:

Until you explicitly select sign-out, the app will remember your users.

Login as one user (select 'remember me'), select 'change user', login as the second user (also remember me).

You can now switch users directly under the top right user icon menu. (where the switch user button is)

 

Optionally, you can add pins to those users; you will then be prompted at initial login if you'd like to use that pin when switching to that user.

 

This now works everywhere, not just at home. (great for servers on a vps, or family in another house)

Thanks, just tried it and you're right, thanks for the info!

Posted
On 2/3/2024 at 5:47 AM, thekingswolf said:

I miss that.  New version is cool, but why remove the user account setting checkbox that allows me to log in to accounts without a pass when I'm on the local network?

Well, this kills my Emby adventure. I also got other issues but this one makes it complete to say bye bye to Emby. Well done devs, another user is gone for ever! Shame on you!!!!

 

 

@Luke because of security issues? How about that issue that has been live and kicking for 6 years with no effort from your part to fix it. After a hacker used it you people fixed it. Better fix this login problem 🙄

 

every emby update feels like a downgrade….. but it could be only me 😒

  • Facepalm 2
Posted
On 2/4/2024 at 10:06 PM, darkassassin07 said:

Until you explicitly select sign-out, the app will remember your users.

Login as one user (select 'remember me'), select 'change user', login as the second user (also remember me).

You can now switch users directly under the top right user icon menu. (where the switch user button is)

 

Optionally, you can add pins to those users; you will then be prompted at initial login if you'd like to use that pin when switching to that user.

 

This now works everywhere, not just at home. (great for servers on a vps, or family in another house)

Not working for me. I use the emby web app/browser. 

darkassassin07
Posted (edited)
2 minutes ago, Maarten said:

Not working for me. I use the emby web app/browser. 

Details.

 

What exactly are you doing? What happened when you did what you did? What server version are you running?

 

'it doesn't work' isn't very helpful debugging info...

Edited by darkassassin07
  • Agree 1
Happy2Play
Posted
1 hour ago, Maarten said:
On 2/4/2024 at 1:06 PM, darkassassin07 said:

Until you explicitly select sign-out, the app will remember your users.

Login as one user (select 'remember me'), select 'change user', login as the second user (also remember me).

You can now switch users directly under the top right user icon menu. (where the switch user button is)

 

Optionally, you can add pins to those users; you will then be prompted at initial login if you'd like to use that pin when switching to that user.

 

This now works everywhere, not just at home. (great for servers on a vps, or family in another house)

Not working for me. I use the emby web app/browser. 

Those are the steps I am testing with without issue.

User A authenticates with password 

Change User to User B and authenticate with password

Change to User A without issue and back to User B

Scenario 2

Apply PIN to each user

User A authenticates with password

Change User to User B and authenticates (get popup)

Note clicking NO will not require PIN when switching users.

Switching users that are authenticated with password will use PIN if set.

But in the end yes a password is required now for initial unauthenticated user.

  • Thanks 1
thekingswolf
Posted

Seems this function operates differently depending on the platform. After I choose a PIN and enable that function on 2 accounts, I can switch back and forth between the two with no pass and no pin being requested on a FireStick, but the Roku asks for the PIN

virtualsamurai
Posted

W the Actual F ?

I was fine with local logons. They are local. I know they are good. Put it back please.

Posted
2 hours ago, thekingswolf said:

Seems this function operates differently depending on the platform. After I choose a PIN and enable that function on 2 accounts, I can switch back and forth between the two with no pass and no pin being requested on a FireStick, but the Roku asks for the PIN

Hi, the profile pin feature is coming soon to Emby for Fire TV.

Posted
Just now, virtualsamurai said:

W the Actual F ?

I was fine with local logons. They are local. I know they are good. Put it back please.

Hi, are you able to do a full sign in once? That's all you need to do and you'll be remembered after that.

virtualsamurai
Posted (edited)

So far Luke is correct. I have Firesticks with Emby and after the first logon it's retaining the logons, no asking for PINs (yet). So when I switch profiles when app is already open goes right in, or choose a profile at app open/server logon it let me directly in. Hopefully this holds. I did test this on my TV which cuts the power to the USB when off, so appears to hold in the FireStick memory overall. NOW... I have 5 profiles for the family and 4 firesticks. So 20 logons to cache around the house.

Edited by virtualsamurai
Posted (edited)
6 hours ago, virtualsamurai said:

So far Luke is correct. I have Firesticks with Emby and after the first logon it's retaining the logons, no asking for PINs (yet). So when I switch profiles when app is already open goes right in, or choose a profile at app open/server logon it let me directly in. Hopefully this holds. I did test this on my TV which cuts the power to the USB when off, so appears to hold in the FireStick memory overall. NOW... I have 5 profiles for the family and 4 firesticks. So 20 logons to cache around the house.

They should be fine - I've used this since the early beta months ago and have never had to re-enter a password (nor optional PIN) on any of my fire-tv sticks using the emby AndroidTV app.

Edited by rbjtech
Posted
On 2/3/2024 at 6:13 PM, Ninko said:

So you have to enter your PIN EVERY time when switching profiles on the local network?

no

  • Agree 1
pwhodges
Posted

Only if you choose to require it (e.g. set that on for an adult/admin account and off for a child/ordinary account).

Paul
