How can I add authentication to MythServices (i.e. port 6544)

[KennyB]

Hey so I am kind of not sure what I'm doing here. I have an Android client called Mythling that runs off the MythServices API and connects to my backend on port 6544. Well, I forwarded the port from my router so that I could connect to it remotely, and it works pretty well over my LTE. The only thing is I don't notice any authentication required? It just seems to let anyone that wants to connect, but I feel like that's a bit unsafe because wouldn't that allow people to delete my media through the API? I can see that Mythling does have an authentication section where I can put in a myth user, but it's not being required to connect.

I've looked around, but not really sure what I'm looking for. I found something on the mythtv user list that mentions using curl to add a password with the API itself, but it seemed kinda confusing to a dullard like me.

Here's the post in question. Is this what I even need?

http://lists.mythtv.org/pipermail/mytht ... 75651.html

[bill6502]

If you're on v30 or above, see here: https://www.mythtv.org/wiki/Myth_Servic ... DigestUser
and it's friend below (Myth/ManageUrlProtection.) Turn on the services you want. I suspect
most will choose All. You can add more users if you like.

It is possible in earlier versions, but the above endpoints don't exist there. It is possible to
change the HTTP/Protected/Urls setting. Mention your MythTV version if you like.

[KennyB]

If you're on v30 or above, see here: https://www.mythtv.org/wiki/Myth_Servic ... DigestUser
and it's friend below (Myth/ManageUrlProtection.) Turn on the services you want. I suspect
most will choose All. You can add more users if you like.

It is possible in earlier versions, but the above endpoints don't exist there. It is possible to
change the HTTP/Protected/Urls setting. Mention your MythTV version if you like.

Thanks! More detail than what I found on the user-lists. I'm on v30

So if I add a user and password like that, will I need to enter that on Mythweb for it to work or on my Mythfrontend, or only the apps that use the MythService API?

I also wonder if it's very common for people to target these service ports? I just wonder because I use fail2ban to ban IPs that are constantly trying to brute-force my sshd and a few other services, so I wonder if I should just keep it on a non-standard port along with password protecting it. I'm thinking that'd be "safe enough" and making a custom fail2ban filter for it would be more work than its worth.

[bill6502]

The admin user is already there. The default password is mythtv. Since that's easy
to find on the Web, I'd change it using the endpoint above. You may choose to add
more users too.

mythweb doesn't appear to use any of the protected services, so no you wouldn't
need to enter a protected url user/password. Anything else, like apps or Python
programs importing MythTV/services_api can be protected.

[KennyB]

The admin user is already there. The default password is mythtv. Since that's easy
to find on the Web, I'd change it using the endpoint above. You may choose to add
more users too.

mythweb doesn't appear to use any of the protected services, so no you wouldn't
need to enter a protected url user/password. Anything else, like apps or Python
programs importing MythTV/services_api can be protected.

Okay seems to work, except that I have to use the curl formation that I saw in the user list. If I try to just enter the URL in Chrome I get a "401 invalid action/404 Not Found".

With curl I changed the admin pass and required applies protection to All.

If I added a second user, would I be able to set the permissions for what that user would be able to do, or does the admin user just by default have certain priveleges that a secondary user account won't?

Thanks for all the help so far!

[bill6502]

Endpoints that alter data must be an HTTP POST. The browser sends a GET, that's
why it failed. It's documented in the table at the start of the Wiki (Requires POST
column.) Not sure why the examples imply that it works from a browser, probably
needs a major rework. Note in the email above the --data switch. That causes
curl to use a POST.

[KennyB]

Endpoints that alter data must be an HTTP POST. The browser sends a GET, that's
why it failed. It's documented in the table at the start of the Wiki (Requires POST
column.) Not sure why the examples imply that it works from a browser, probably
needs a major rework. Note in the email above the --data switch. That causes
curl to use a POST.

Oh okay that makes sense, sorry I missed the part about it needing to be POST data. That makes sense. curl works pretty well anyway now that I'm used to the syntax.

Well hopefully I didn't miss anything else obviously stated in the docs, but if I create a secondary account will it have lesser permissions than the admin? Kind of thinking it in the general nix setup where I should be using a secondary account other than the admin one that has reduced permissions. In any case I guess it's just being paranoid at that point since I already set it up with a good password.

Thanks!

[bill6502]

The only thing special about user admin is that it can't be removed (unlike additional
users.) There is, however no password reset for admin, and if it's changed then forgotten,
there's no way to recover it. Unless the DB is reloaded from a backup where the
admin password is know.