3.70~96, security and Node Red

Now on 3.70~96, and same behavior as below…

I rooted and have been Superuser. With the recent beta upgrade 3.70~91, got the warning about “Inconsistent network security profile.” Instructions say “For the New UI, ‘Change password’ can be used if you want a password.” It was set to weak, so I changed the password. The Inconsistent warning went away.

But now when I open Node Red, it wants a username and password. Tried my email and the password just set as described above. No go. Leave the fields empty, no go. Can’t get into Node Red. A bit of searching and I did an “echo -n "" > /data/conf/vncpassword.txt” from SSH (fortunately, I had keys set up). Rebooted (although more testing proved that unnecessary). Now I again get the Inconsistent warning, but I can get into Node Red again.

Trying (in Remote Console) to change from Superuser to User or User & Installer and it wants a password which I’ve never set and using the one I set as above doesn’t work. But perhaps that’s a different issue, I have had a reason to try since rooting.

In the process, I invited myself under a different email. Registered and got into VRM (different browser, apparently cookies held on to the account when using the same browser). Went through the process and that new account was also a Superuser, even though the account was set to Technician (Remote Console isn’t available if set to User (read only)). Again, trying to change in Remote Console to User or User & Installer asks for a password.

admin and your Cerbo pw

The Access Level is a property of the device and only controls which menu entries are shown / can be changed and is not related to the permissions of VRM or Local Network Access. The password asked to switch to user is not the password of the Local network security profile.

As mentioned by Jan the Node Red login is the user admin and the password you entered.

And yes, removing password protection (with the echo), but not changing the security profile will trigger that warning again, since it is inconsistent.

Thanks. Some of my confusion is because my install is a work in progress, and I deliberately avoided locking it down locally at this point, figuring I’d research the various security settings later. I don’t have a display on the Cerbo GX, and it’s in an RV stored a few miles away, so I only did enough to get Remote Console access through VRM. I’ve been blissfully ignorant of passwords and user levels until the recent “Inconsistent” notification. I did go back and found mention of the “admin” name buried in a Node Red FAQ.

I just did a test. Set the Cerbo (“Network security profile”) password so it’s happily consistent. Set network security to weak. Logged out of VRM, deleted all cookies from victronenergy.com (vrm.victronenergy.com, xxxxxx-gui.proxyrelay12.victronenergy.com), then went back into VRM. Logged in and no additional password was needed to open remote console from VRM. So that’s probably how I got into the “Inconsistent” state with no need for a Node Red name/pass - I never had a need to set or use it. But it’s inconsistent that without the Network security profile password, one can open Remote Console but not Node Red.

There’s apparently something being passed from VRM saying it’s OK to open Remote Console, bypassing the need to enter a local password. That also seems inconsistent if the VRM account and local one are supposed to be separate.

There’s very little discussion of passwords in the Cerbo GX manual, but there is this about access levels:

“Set this to ‘User’ to prevent accidental and unwanted changes to the configuration. User & Installer has additional privileges and once changed from default requires a password. Password is available from your dealer.”

It seems these passwords aren’t under control of the owner, but are somehow generated from the serial number or held in some database, which seems to be security through obscurity. Can they not be changed?

Edit: those passwords are publicly disclosed in the root access instructions, so there’s really no security there. Also, if anyone responsible for the docs is reading, the root instructions are incorrect for gui v2 - they say:

make sure you are in the General Page, not the Access Level page … When using the New UI, select, drag down and hold down the entire list of General menu entries for five seconds, and until you see the Access level change to super user.

But in reality, you have to be in the Access & Security page, and pull down the items there.

Indeed, as said before, Access level has nothing to do with security. It is about “accidental and unwanted changes for some system”. The default is “User & Installer”. If you are set to User, someone must have set it to it, and if you are not able to figure what the “password” is, it is likely a good idea to stay a User. It is just to protect regular end users, not DIYers / people interested in becoming “root”.

It is, but that is what it is (at least for now).

That is from before the menu got restructured. I will have a look if I can update that text.