Gateway Password Reset

Is there a way to disable the reset to the default admin username password for the GUI?

You’re talking about in the little GCU utility?

Oops sorry Yes…GCU.

No, you can’t disable that.

The GCU only runs on the machine the gateway is installed on. If someone you don’t trust has physical access to the machine all bets are off; they could do far worse than reset the passwords.

Mmm…Like deactivate a license/delete project etc

Hi !!

Any updates on this ?
Can we do something now in Ignition v7.9.x to protect our projects ??

Protect the machine running Ignition?

1 Like

Kevin, supposing that another integrator has access to that machine, how can we do then to protect our project?

This is not a use case we intend to support. Access to the machine is access to everything.

There’s always going to be a bail-out way to reset your password and admin access to the machine is going to allow it (among many, many other things).

1 Like

Use OS-level protections/user restrictions. There’s really nothing we even could do - if an untrusted individual has full access to a production server, they can do just about anything.

2 Likes

can we do something now to protect our projects ?

Nothing has changed since the last activity in this thread.

What’s your use case or threat model? Who are you trying to protect projects from and what does “protect” mean to you?

The same thing, that nobody can reset the password

In case you hadn’t noticed, Ignition stores this kind of stuff in the internal config database. Even if they take the functionality out of the gwcmd tool, anyone with a clue can directly edit the config database to change the security setup.

Access to the gateway is access to everything, one way or another. There is no magic wand.

Bingo. This will never change. Don’t let untrusted users have access to the server running your Ignition Gateway.

Security through obscurity isn’t security.

If you don’t trust someone, don’t let them on the machine, full stop.

how can I delete the gwcmd tool?

Use the OS’s file delete function. And any bad actor with access to the server can put it back. Even under a different name.

It is totally useless, from a security standpoint, to delete it.

You simply cannot stop someone with access to the server from manipulating the Ignition service installed there. Don’t give out access to the server to untrusted individuals.

On a side note, it feels like people are trying to pretend to be proprietary OEM software. And force customers into a life long relationship.

But at some point,

  • you might be hired to takeover a project
  • someone might be hired to take over your project
  • you might be a part of a team for a project
  • a team might be created to work on project

At the end of the day, stopped being worried about other people. Just be worried about going and getting your money. If you do good, and the “customer” likes/trust you they will keep coming back to you.

I want to delete it, but also I found the identify provider, do you think can help?