Bitwarden - Self-hosted password manager
-
@gml yes, the ldap invite tool would be nice. I think the best for the moment would be to slap Apache Infront of bitwarden (would be needed anyways for the websocket part) and hide the admin panel behind ldap auth (only allow admin users from within cloudron). Then invites and open registration can be disabled and admins can manually create accounts as needed.
-
I've now spent a bit of time to get the admin page "properly" working. Registrations are now disabled in the app itself, but users that are in the cloudron admin group can login to /admin to create the required users.
Stuff like Websockets support (for folder notifications) is still missing, as well as automatic SMTP configuration but I would say the general app is "done".
Looking forward to feedback.
-
Hi @fbartels
Thank you for your great work! This is definitely on a good path
Some few things I noticed:
- Saving a config throws a
Error saving config: IOError
. I also checked with a reboot and it seems it really can't be saved right now. (also smtp wouldn't be possible without this fixed) - When accessing the admin panel when not logged into cloudron, you get a password prompt. A 403 HTTP would probably be more suitable and secure
And as a small Bonus: As the app is getting in a pretty good shape, it is time for a logo =D
here you go: https://github.com/bitwarden/brand/blob/master/icons/256x256.png - Saving a config throws a
-
@gml thanks. I have fixed the location of the config.json created by the admin panel. Settings can now be stored (but SMTP settings should probably be done in start.sh instead). I have also added your logo.
The password prompt is actually expected since ldap auth is used in the webserver. The only way around the prompt would be to use oauth instead, but in previous attempts (the cloud torrent app) I did not get this to run.
-
Many thanks!
It's working for me. A few observations:- the invitation e-Mail did not get send as I hadn't change the SMTP settings, but once the e-Mail is on the invite list, this e-Mail can register an account
- even with 1 GB of memory assigned, I get a "ran out of memory" quite often
- currently the app is quite unresponsive as it's searching for favicons (as I can see from the logs)
- Importing from Enpass 6 (json) worked fine for me
-
Another question - how are updates done? Or will your app eventually become an "official" cloudron app?
-
@necrevistonnezr said in Bitwarden - Self-hosted password manager:
even with 1 GB of memory assigned, I get a "ran out of memory" quite often
currently the app is quite unresponsive as it's searching for favicons (as I can see from the logs)
Importing from Enpass 6 (json) worked fine for meThis probably depends quite a bit on the amount of data you throw at it. I actually started with an empty vault since password history etc would not have carried over anyways. But in my case it's easy to keep a portable version of keepass around if I need a password from the old database.
Maybe the icon caching is causing some troubles for you? You could deactivate this from the settings. Probably also a good idea to get in touch with the upstream project if they are already aware on this and if there is anything to lighten the load a bit
@necrevistonnezr said in Bitwarden - Self-hosted password manager:
how are updates done? Or will your app eventually become an "official" cloudron app?
My idea is to have a good base so that @nebulon can make this an official app.
-
LDAP syncing is now available for bitwarden_rs. Check it out on the wiki.
Do you have your app shared on git.cloudron.io yet? If so I can help contribute.
-
@iamthefij The repo is at https://git.cloudron.io/fbartels/bitwardenrs-app
-
I've got a branch where I've almost gotten LDAP syncing fully working, but invites don't seem to be working properly.
Even if I try to send an invite directly through the web interface, it just hangs. The user shows in the list, however the logs never show a success or failure response for the request. I've checked the SMTP settings and they appear to be correct. I'll keep debugging though.
https://git.cloudron.io/iamthefij/bitwardenrs-app/tree/ldap-sync
-
Just set up the scheduler, but I'm getting weird results.
When the sync is run through the scheduler I get:
Apr 23 00:10:08 thread 'main' panicked at 'Could not authenticate with http://127.0.0.1:3000. Error { kind: Hyper(Error { kind: Connect, cause: Os { code: 111, kind: ConnectionRefused, message: "Connection refused" } }), url: Some("http://127.0.0.1:3000/admin/") }', src/bw_admin.rs:62:17
However, it runs just fine when I drop into a terminal and select the task from the dropdown and run it.
@girish I figured it would be using
docker exec
, and when I ssh to my server I can run it successfully usingsudo docker exec 92ad3d37-2014-44f4-870f-25d862f57b4a sh -c '/app/code/ldap_sync.sh'
However I just dug through the source for the
scheduler
addon and found that it's creating a new container.How should we access the original container via HTTP? Is there a reason this is a new container and not simply an exec?
-
@iamthefij hm.. I just noticed that I see the same behaviour in bitwarden. Sending a mail does not give an error in the ui and the log states
12:09:50 - [2019-04-23 10:09:50][lettre::smtp::client][DEBUG] connecting to 172.18.0.13:2465
, but no mail is actually retrieved (on the same cloudron system).Adding SMTP_EXPLICIT_TLS on the other hand left me with a
Error sending email. handshake error
error when sending mails.I am not quite sure btw about setting a token for the admin interface. this unfortunately seems required by the sync job, but in the cloudron case it complicates stuff a bit, since there is afaik no easy way to add this token somewhere where an admin without shell access can easily read it.
-
@fbartels I'm not certain it's actually required, but it is recommended.
I added it because I saw some strange behavior with the LDAP access controls. Without the Admin Token, I was somehow able to access the admin page with no auth check via a Private Browsing window. I can do some more testing and see if I can do away with the token.
For sending the email, I had set both SSL and TLS to true. Though I just realized I may have been using Mailgun as I did switch to that to rule out the Cloudron SMTP server. I'll do another test. Edit: Just verified and it works using the Cloudron SMTP server with both those settings as true.
-
Bitwarden_rs 1.9.0 is out
https://github.com/dani-garcia/bitwarden_rs/releases/tag/1.9.0 -
As proper database support is mentioned in https://github.com/dani-garcia/bitwarden_rs/issues/246 I think we should be waiting for a release until either MySQL or Postgres is supported. Otherwise we will end up with some migration issues from sqlite to one of the others.
-
@nebulon Why do you say that? Is there something wrong with SQLite? Or you just worried about when support is eventually added?
Any insights on the issues accessing the API from a scheduled task? It would be good to get this resolved anyway.
-
FYI: When you increment to build number in the Dockerfile and in CloudronManifest.json, bitwarden_rs 1.9.0 builds & installs without problems...
Maybe @fbartels can update the repo even while we're waiting for other databases being supported?
-
@necrevistonnezr said in Bitwarden - Self-hosted password manager:
Maybe @fbartels can update the repo even while we're waiting for other databases being supported?
sure. done.