Octopus manager authentication

Hi,

I am new to Octopus and I installed it and it seems to be great and does exactly what I was looking for.
One thing I can't work out is that the "Octopus Manager" (not the portal) opens without any authentication and I was able to export the data without any restrictions. Is that how it's expected to behave?

I was hoping that non-administrators logging into the Octopus server would not be able to export unless they know the password or master key, but it looks like that's not the case, or am I understanding it incorrectly?

Hi @fps,

Thanks for getting in touch!

That is correct; the Octopus Manager is just displaying information stored within config files on the server, so there is no authentication built in.

A user with access to the Octopus server and installation folder can execute all of these commands without using the Octopus Manager.

Regards,
Paul

Hi Paul,

Thanks for getting back. So any user with privileges to the server can export the scripts and config from Octopus and reverse engineer the password as well, right?

Hi Dhaya,

Using the octopus.server.exe, it is possible to completely reset the Octopus admin user and have full access to everything in there.

The Octopus Server needs to be secured so that only trusted users have access to it. We have a section on security that provides a number of areas to consider hardening.

Regards,
Paul
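
One way to check who falls into the "access to the Octopus server and installation folder" group described in this thread, as an added example that is not part of the original posts or Octopus's own tooling. The folder paths and the trusted-principal list are placeholders and assumptions to replace with your own values.

```powershell
# Added example: list principals outside a trusted set who can read or run
# files in the Octopus folders, and who can log on to the server remotely.
param(
    # Placeholders (assumption): set these to this server's real folders.
    [string[]]$Path = @('<OCTOPUS_INSTALL_FOLDER>', '<OCTOPUS_HOME_FOLDER>'),
    # Assumption: the principals you consider trusted on this host.
    [string[]]$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
)

# ReadData (0x1) and ExecuteFile (0x20), plus the generic all/execute/read
# bits that Get-Acl can return unmapped on inherit-only entries.
$mask = 0x1 -bor 0x20 -bor 0x10000000 -bor 0x20000000 -bor 0x80000000

$findings = foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Not found: $p"
        continue
    }
    foreach ($rule in (Get-Acl -LiteralPath $p).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $p
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No untrusted principals with read/execute access found.'
}

# Interactive logon is the other half: review who can reach the server at all.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $group } }, Name, ObjectClass
}
```

Any identity listed in the first table can read the config files and run the server executable directly, so it should be either removed from the ACL or treated as an Octopus administrator.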
