Forum GLPI-Project

sim72

Member

Registered: 2022-11-18

Posts: 8

Agent authentication on server side

Hello everybody,

I recently found this awesome some software but i don't understand how can I  stop bad users to add inventory in my server. Our business have multiple sites (different geographical locations) and the agent on remote location should reach the server.
I was thinking to use port forwarding on router so I can reach the server from outside but if I can upload an inventory, everybody can do this and .... this can be bad. Of course, VPN it is an (much better)  option but ... maybe for next time.
I saw that  on the agent we have options for  --user= and --password= for server authentication. 
How can I enable this authentication of an agent on server side? In apache configuration/.htaccess?  Or maybe I am completely on the wrong track.

On the past I was using spiceworks and if I recall correctly, they use some (secret) authentication key.

I am testing with GLPI Agent (1.4) and GLPI 10.0.5

Thanks!

gbougard

Moderator

From: Montpellier, France

Registered: 2021-07-21

Posts: 534

Website

Re: Agent authentication on server side

Hi sim72,

user & password in agent can be used to perform basic authentication. You must then use SSL at the same time to have completely secure exchange with the server. You have to configure you Apache server to only accept your agents submitted inventory via SSL & basic authentication.

A better solution with be integrated in GLPI during the next months, but we don't have any date or version goal to share with you at the moment.

Another solution could also to use glpi-agent proxy mode: see https://glpi-agent.readthedocs.io/en/la … lugin.html

You can use SSL and change the target url to completely hide how inventory can be submitted. If you want to try, the nightly build even support a basic authentication plugin.

---

GLPI-Agent developer from Teclib' and GLPI-Network team
Previously FusionInventory-Agent maintainer

JohnDousse

Member

Registered: 2023-09-11

Posts: 2

Re: Agent authentication on server side

Hello,

A better solution with be integrated in GLPI during the next months, but we don't have any date or version goal to share with you at the moment.

Any news about that ?

Regards,

John

Last edited by JohnDousse (2023-09-11 14:46:28)

JohnDousse

Member

Registered: 2023-09-11

Posts: 2

Re: Agent authentication on server side

Hello,

Is basic auth server side still the only way to configure agent authentication ? Can't find much information regarding that matter in the docs.

Regards,

John

Ragnarok

Member

Registered: 2019-10-28

Posts: 44

Re: Agent authentication on server side

The lack of documentation in particular for these security issues is worrying.

supportuser27

Member

Registered: 2024-02-05

Posts: 3

Re: Agent authentication on server side

Hi,
We've managed to set Basic Auth in /front/inventory.php, but all agent still sending information without user and password.
Can anyone give us some more information?
We don't want to publish our server and get inventory from anyone without authentication.
Thanks in advance!!

Last edited by supportuser27 (2024-02-06 12:56:03)

tuharsky

Member

Registered: 2023-05-26

Posts: 5

Re: Agent authentication on server side

Is it even possible to specify server-side, which user is allowed to update the Inventory by the means of glpi-agent?

cconard96

Moderator

Registered: 2018-07-31

Posts: 2,418

Website

Re: Agent authentication on server side

We are currently working on built-in support on the GLPI side for basic authentication as well as OAuth client credentials for GLPI 11.
For now, you can add basic authentication in your web server config for the specific inventory page and configure the agent with the user and password options.

---

GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

handerson.marques

Member

Registered: 2024-04-15

Posts: 2

Re: Agent authentication on server side

I just can't find how to enable basic authentication only for the inventory part in the cloud solution. Could you please tell me where this option is located?

cconard96

Moderator

Registered: 2018-07-31

Posts: 2,418

Website

Re: Agent authentication on server side

If you have a GLPI Cloud instance, you should contact GLPI support about this as it involves web server configuration changes.

---

GLPI Collaborator and Plugin Developer.
My non-English comments are automated translations. Sorry for any confusion that causes.
Mes commentaires non anglais sont des traductions automatiques. Désolé pour toute confusion qui cause.
Mis comentarios que no están en inglés son traducciones automáticas. Perdón por cualquier confusión que cause.

handerson.marques

Member

Registered: 2024-04-15

Posts: 2

Re: Agent authentication on server side

Basic authentication is not enabled by default, you have to make a request to glpi to enable it. Thanks

Zzafaia

Member

Registered: 2024-04-23

Posts: 1

Re: Agent authentication on server side

I would also like to implement the authentication system for GLPI agent when sending the inventory.  Is there no solution I can consider?  the proxy doesn't seem like a valid solution to me, I tried with basic authentication but the packet that the device sends with the agent still arrives as if authentication didn't exist.  Furthermore, we don't know when the glpi 11 version will be released