Ultimaker Community of 3D Printing Experts
Oj00

Password Protecting Printer on Network


Posted · Password Protecting Printer on Network

Hi, 

 

Is it possible to set a password to protect accessing the printers over the network? We've just recently connected ours to the network to allow remote monitoring, but I don't want anybody on site being able to connect and potentially print/watch prints. 

 

Thanks, 

 

Posted · Password Protecting Printer on Network

Did you find a solution to this?

I just set up a UM3e on our campus network, and it seems to be accessible to anyone.

 

I thought there was an extra validation step - such as having to confirm first prints from any new PC, directly on the UM control panel, but I can't seem to find that option.

 

Resetting Cura Connect hasn't helped either.

 

Thanks!

Posted · Password Protecting Printer on Network

If you have the UM3 or UM3X, when you hook up a new computer to the printer, it requires you to confirm on the printer screen itself, that you're willing to let that computer be used with the printer. This should prevent anyone who is not physically present with the printer from getting access.

Posted · Password Protecting Printer on Network

That's what I thought...

but I just installed Cura on 2 new machines (laptop and desktop) and both were able to submit prints that started without confirmation on the printer.

 

I tried resetting "Cura Connect" on the printer, but that didn't help. I'm not sure that's related to the access control system...

Posted · Password Protecting Printer on Network

Any solution for this?

Since the latest firmware, everybody who has the IP of the printer can connect to 'Cura Connect' via a browser and stop/pause print jobs ...

I have no problem with people who check what is being printed, but I do find it an issue they can stop a print job...

Posted · Password Protecting Printer on Network

This is quite an important feature in an educational environment (such as a university). Surely the Ultimaker designers can introduce basic password protection into the network/wifi connection.

 

Are there any plans to implement some form of network security?

  • Like 1

Posted · Password Protecting Printer on Network

Is this on the development roadmap? I just set up our S5 yesterday and my network admin is informing me that if I can't password protect it, it can't be on our network, which means I'll be boxing it up and returning it. I can't be giving printer access to 1000+ employees. It also appears that anyone on our LAN can come to http://<device_ip>/settings and disconnect me from Ultimaker Cloud. If Gina Häußge can incorporate into OctoPrint, certainly Ultimaker can as well.

 

Is there an individual at Ultimaker that I can discuss this with? Or info@ultimaker.com? Thank you.

 

(Side note: as I'm fiddling with developer mode, I'm signed in as root... wondering if I can install zero-tier, then set up ufw to block all connections other than the zt virtual adapter.)

Posted · Password Protecting Printer on Network

Hi mkemper, We had exactly the same problem, however our IT managed to set it up with password protection so it can be done.

Posted · Password Protecting Printer on Network
1 hour ago, thorsenrune said:

however our IT managed to set it up with password protection so it can be done.

But only when modifying the configuration files in developer mode on the printer itself. Ofc it works when you do it right, but be aware that with the next firmware update you have to do it again.

Posted · Password Protecting Printer on Network
4 hours ago, thorsenrune said:

Hi mkemper, We had exactly the same problem, however our IT managed to set it up with password protection so it can be done.

If you could share the basics of how they did that, I'd greatly appreciate it - assuming this was something they did to the printer and not by modifying your network (vlans, etc).

 

Thanks!

Posted · Password Protecting Printer on Network
This was what they said:
"A DNS record was created on a domain name and then a rule was made on the Reverse Proxy associating the printer's private address to the public name. In addition, a rule has been put on the Reverse Proxy that requires the insertion of login credentials to allow you to see the page.
As for viewing the video, our impression was that however the page explicitly used the private address to load the streaming stream ... another rule was made on the Reverse Proxy so that there is a public name that redirects to the specific path of the streaming stream."

Posted · Password Protecting Printer on Network

@Smithy, understanding the risk of opening developer mode, are you aware of anyone setting up basic password authentication in nginx or even htaccess files? I'm trying to stumble through it but not having any luck. Thanks.

Posted · Password Protecting Printer on Network

No sorry, I never tried it and I am also not sure if Cura will work when you set up a password authentication, I guess it will have problems.

 

The solution of thorsenrune is another approach, they have the printer (and I guess the workstation with Cura) on a separate network and use a reverse proxy with authentication to access the printer status pages from "outside". This is the safest option, you don't need to touch the printer software (developer mode) but it works only if you have the option to separate the networks.

 

Depending on your needs and if you are able to use a separate network, you could also work with access rules to permit only a specific workstation or two. But this setup requires more network setup, different VLANs and ofc equipment (firewall) which can handle such a setup.

 

What is your specific need, can you elaborate it?

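The reverse proxy with authentication and the allowed-workstation rule discussed above, sketched as an nginx configuration for a separate gateway host (an added example, not part of the original posts and not Ultimaker's configuration). It assumes the printer sits on an isolated VLAN that only the gateway can reach; the DNS name, IP addresses and file paths are placeholders, and the camera stream is left out because the thread does not give its port or path.

```nginx
# Added example: gateway in front of a printer on an isolated VLAN.
# Every name, address and path here is a placeholder (assumption).

# Send plain HTTP to HTTPS so the password never crosses the LAN in clear.
server {
    listen 80;
    server_name printer.example.internal;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name printer.example.internal;

    ssl_certificate     /etc/nginx/tls/printer.crt;
    ssl_certificate_key /etc/nginx/tls/printer.key;

    # The older API (/api/v1/) already asks for digest authentication.
    # A second password prompt here would compete for the same
    # Authorization header, so restrict this path by source address only
    # and pass the header through to the printer untouched.
    location /api/v1/ {
        allow 198.51.100.25;     # workstation running Cura (placeholder)
        deny  all;
        proxy_pass http://192.0.2.10;   # printer address (placeholder)
    }

    # Everything else, including /cluster-api/v1 (Cura Connect), which the
    # thread reports as answering without authentication.
    location / {
        # "any": the request passes if it comes from the allowed
        # workstation OR carries valid credentials, so Cura keeps working
        # while browsers elsewhere on the LAN get a login prompt.
        satisfy any;
        allow 198.51.100.25;
        deny  all;
        auth_basic           "Printer";
        auth_basic_user_file /etc/nginx/printer.htpasswd;

        proxy_pass http://192.0.2.10;
        # Do not forward the gateway password to the printer.
        proxy_set_header Authorization "";
    }
}
```

The prompt only means something if the firewall or VLAN rules also block direct connections to the printer's own address; otherwise clients can simply bypass the gateway.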
Posted · Password Protecting Printer on Network

I'm just trying to add some basic level of authentication on my LAN. In this case it's an office environment, but it could be home or anywhere else. I don't need to access this machine from the outside world.

 

Just like in Octoprint, you create a username/password, authenticate, and credentials are cached for some duration.

 

I'm not sure why the API has authentication required for PUT/POST, while anyone who discovers the printer on the LAN can start a job, but so be it.

Posted · Password Protecting Printer on Network

I agree, it makes little sense to protect the APIs, but to leave the rest open. I suspect it was in the planning stages, but was then discarded for reasons I do not know.

 

An authentication like Octoprint does not exist at the moment, but could possibly come. There have been some requests for a simple authentication recently.

 

In your particular case, the only thing I can think of at the moment is to put the printer into a separate VLAN and control access through a firewall. I can't judge if this is worth the effort, but I don't see any other possibility at the moment.

Posted · Password Protecting Printer on Network
1 hour ago, mkemper said:

I'm not sure why the API has authentication required for PUT/POST, while anyone who discovers the printer on the LAN can start a job, but so be it.

 

Well, technically it's easy to answer. The "old" API (.../api/v1/) needs digest authentication (*). Cura Connect (.../cluster-api/v1) was added in a later firmware version and works without authentication.

 

(*) Anyone with physical access to the printer can confirm its own account at any time on the printer. That means: it is not of much help in an office environment anyway.

 

So I guess that the authentication part was not left out by accident, or because it's hard to implement (it was already there, right?) - but for a specific reason.

 

Maybe @nallath can share some inside knowledge? 🤷‍♂️

Posted · Password Protecting Printer on Network

I'm not sure why the authentication was removed from Connect. I've heard some vague reasons, but nothing concrete.

 

The authentication is also very far from what most companies / large organisations would want. Just a simple authentication just isn't enough. You probably want some sort of role based access, preferably tied in to whatever is already in use (eg; Active directory, or something like that). But that's a whole lot harder to do.

 

I know that we helped out some people in setting up a gateway that sits in between the printer & the network that does allow for authentication. I've already forwarded this topic to some people, so I hope they will contact everyone here that is interested about this.

  • Like 1
  • Thanks 1

Posted · Password Protecting Printer on Network

Also, I understand the way they have the Debian configured/customized may have made a traditional authentication more difficult to implement in nginx (pure speculation on my part). From my router, to networked cameras, Raspberry Pis running Node-RED, OctoPrint, MotionEye, NAS... I can't think of a LAN'd thing I own that doesn't have some way of locking its front door. 

 

I thought about messing around with ufw, but I don't want to lock myself out!

Posted · Password Protecting Printer on Network

Before you play with ufw, I would look into protecting the nginx with allowed ip addresses. In that case, Cura should still work from the allowed pc, and you don't lock yourself out if something goes wrong. The camera stream is created by mpegstreamer, so if you want to protect it as well, you have to look into the options of mpegstreamer.

 

But this is only theory, never tried it myself, so maybe I am wrong and it will not work.

Posted (edited) · Password Protecting Printer on Network

I dipped a toe into that. Found nginx where I expected it and the hosted pages located in /usr/share/griffin/www/  I'll have to play with it some more this weekend.

 

Ha a quick fix would be to comment out hyperlinks in /usr/share/griffin/www/default.html

 

Of course people could still find their way in but I'm just trying to keep the casual, non-savvy snooper at bay.

 

My quick fix... I'll take it!


Edited by mkemper
Add snip

Posted · Password Protecting Printer on Network

Just to add my month of experience with 'Remote control' of UM5. It works perfectly on the LAN connection in office. Exposing the printer to the internet should theoretically allow me to monitor the process and eventually stop it using my smartphone.

It works buuuut, when I needed it the most the mobile data connection was probably too slow for me to see the video and the web interface hung up and I had tremendous problems stopping this 'over the weekend' print job.

So don't trust it too much.

 

Posted · Password Protecting Printer on Network

Building on top of what @nallath says, based on customer research we have found that authentication in the local network using a simple username/password simply doesn't cut it. Using Ultimaker Cloud (https://mycloud.ultimaker.com), any UM3 or newer benefits from (a currently basic) form of account-based authentication and team sharing. This is the place that we'll extend with more elaborate access control functionality that fits better with the growing B2B customer profile (but still keep it usable for individuals as well).

 

I also strongly recommend against exposing the printer's local web server to the public internet in any form. If a 0-day exploit is discovered in any of the 3rd party software running on the printer your printer becomes an entrypoint into your entire network.

 

Instead use Ultimaker Cloud and put the printer in a separate (virtual) subnet to block any local access. The connection between the printer and Ultimaker Cloud is securely initiated from the printer and encrypted as well as all G-codes being sent to it from Cura, giving you end-to-end security.

 

In the near future we plan on expanding the Ultimaker Cloud feature set so that the local web interface of Connect can be entirely ignored or shielded off as explained above.

  • Like 1

