Admin password not required for external login (security)

I just got my new unit, and installed it on the local LAN with a static IP.

I set up a reverse SSH pipe from my Internet-based VPS back to the unit here at home.

I can log in to the admin page from the outside world without entering the password.

The Security settings (I have not changed) are set

"Admin auto-login from local net even if password set? Yes"

The password is visible.

This should not be possible.

Bart ZL4FOX

Comments

  • Update: When I change the 'Admin auto-login from local net' to 'No' it does ask me for the password. So I will leave it like that for now.

    But I do not see how the device could detect that my PC is on the local net if I connect via the Internet VPS, as the 'from' IP address is in this case my ISP address (Starlink).

    I also made a new connection from another browser (to prevent any cookie interference) but it got into the Admin pages via the VPS just as easily.

  • jksjks
    edited July 24

    "This should not be possible."

    No, it's working exactly as intended.

    That "Admin auto-login from local net even if password set?" option exists just for the situation you have: A VPS/VPN/proxy/rev-SSH setup that presents as a local IP address to the Kiwi but is actually a gateway to the wider Internet.

    If you're going to do something that violates the integrity of local IP space then there needs to be a way to disable the auto-login. And that's why that option exists. Not that the auto-login feature is somehow a problem.
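
A minimal model of the behaviour discussed in this thread, as an added example that is not part of the original posts and is not KiwiSDR's code: a server can only judge "local" from the TCP peer address, and a reverse SSH tunnel makes that peer the ssh client at home, not the remote browser. The LAN range, the addresses and all function names are constructed assumptions.

```python
import ipaddress

LAN = "192.168.1.0/24"  # constructed home LAN

def is_local_peer(peer_ip, lan_cidr=LAN):
    """True if the TCP peer address is loopback or inside the LAN."""
    addr = ipaddress.ip_address(peer_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is the IPv4 host a.b.c.d
    net = ipaddress.ip_network(lan_cidr)
    return addr.is_loopback or (addr.version == net.version and addr in net)

def needs_password(peer_ip, auto_login_local, lan_cidr=LAN):
    """Assumes an admin password is set; only local peers may skip it."""
    return not (auto_login_local and is_local_peer(peer_ip, lan_cidr))

# Constructed cases: (path, browser's real address, TCP peer the device sees)
CASES = [
    ("browser on the LAN", "192.168.1.50", "192.168.1.50"),
    ("router port-forward, no source NAT", "203.0.113.7", "203.0.113.7"),
    ("reverse SSH, ssh client on the device", "203.0.113.7", "127.0.0.1"),
    ("reverse SSH, ssh client on a LAN host", "203.0.113.7", "192.168.1.20"),
]

def exposed_paths(auto_login_local):
    """Paths where a non-local browser reaches admin without a password."""
    return [path for path, real_ip, peer_ip in CASES
            if not is_local_peer(real_ip)
            and not needs_password(peer_ip, auto_login_local)]

if __name__ == "__main__":
    for setting in (True, False):
        print("auto-login from local net =", setting, "->", exposed_paths(setting))
```

With the option set to Yes, both tunnel paths skip the password; with No, every path is prompted, which matches what the original poster observed.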
