Need help bypassing login screen without compromising machine security
I'm in a weird situation: I have a dedicated mini PC for my Jellyfin server.
Here are the requirements for solutions:
-I cannot use an interface like a keyboard or mouse
-I will not use Linux for this particular machine
-The device does have USB ports and a screen
So to just have the Jellyfin server start automatically, I would like to be able to hit the power button and have it boot into Windows, thus automatically starting the Jellyfin server and allowing me to do server restarts to fix issues.
Problem is the login screen. I can go as far as removing my password, but it still requires user input to log in. I need to bypass this, but on the other hand I would not like to leave this giant vulnerability in my system. Is there any sort of way to get the best of both worlds? To have the PC be able to go from power button to Jellyfin server started and still have some measure of security?
Thanks. If anyone has any insight into my problem, it would be wildly appreciated.
As people have said, you can add Jellyfin as a service to start with Windows regardless of users being logged in.
No one seems to have said how to do this.
The easiest way is to use the NSSM open-source tool - it stands for "Non Sucking Service Manager" and it gives a GUI route to create services, as well as some useful reliability and fallback functions.
It can also be used from the command line if you prefer, but regardless it's probably the easiest way without faffing around with PowerShell or the command line and inbuilt Windows tools (which do suck).
Edit: The official website is NSSM.cc and it includes guidance on how to use it. There are also plenty of guides online if you search "how to create a windows service".
Edit2: the easiest way is to use the Jellyfin Windows installer itself, but the documentation is pretty vague on that and gives a warning about ffmpeg config. It should work, but using NSSM will give you more direct control. I think the installer uses NSSM anyway.
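The NSSM service route suggested in the comment above, scripted from an elevated PowerShell prompt, as an added example that is not part of the thread or of the Jellyfin or NSSM documentation. The paths, the service name and the choice of the built-in LocalService account are assumptions to adjust; the last step checks that Windows auto-logon is not also enabled.

```powershell
#Requires -RunAsAdministrator
# Added example: run Jellyfin as an auto-start service under a low-privilege
# account, so no interactive logon (and no stored logon password) is needed.
$ErrorActionPreference = 'Stop'

# Assumed values: adjust to your install. $DataDir must not contain spaces here.
$Nssm    = 'C:\Tools\nssm\nssm.exe'                        # where nssm.exe was unpacked
$Exe     = 'C:\Program Files\Jellyfin\Server\jellyfin.exe' # Jellyfin server binary
$DataDir = 'C:\ProgramData\Jellyfin\Server'                # Jellyfin data directory
$Name    = 'JellyfinServer'                                # hypothetical service name
$Account = 'NT AUTHORITY\LocalService'                     # built-in low-privilege account

# nssm is a native command, so failures show up in $LASTEXITCODE, not as exceptions.
function Invoke-Nssm {
    & $Nssm @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "nssm $($args -join ' ') failed ($LASTEXITCODE)" }
}

# Register the service: start at boot, restart the process if it exits.
Invoke-Nssm install $Name $Exe
Invoke-Nssm set $Name AppParameters "--datadir $DataDir"
Invoke-Nssm set $Name AppDirectory (Split-Path $Exe)
Invoke-Nssm set $Name Start SERVICE_AUTO_START
Invoke-Nssm set $Name AppExit Default Restart

# Run as LocalService instead of LocalSystem, and give it only the data directory.
# Media folders additionally need read access for the same account.
New-Item -ItemType Directory -Force -Path $DataDir | Out-Null
Invoke-Nssm set $Name ObjectName $Account
& icacls.exe $DataDir /grant "${Account}:(OI)(CI)M" /T | Out-Null

Start-Service -Name $Name
Get-CimInstance Win32_Service -Filter "Name='$Name'" |
    Select-Object Name, State, StartMode, StartName

# With the service in place, auto-logon is unnecessary. Warn if it is still enabled,
# because it keeps the account password readable in the registry.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.AutoAdminLogon -eq '1' -or $null -ne $winlogon.DefaultPassword) {
    Write-Warning 'Auto-logon is configured; a plaintext logon password may be stored.'
}
```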
Sounds like you need to set up the Jellyfin server as a Windows service so it starts without logging in. I'm surprised it doesn't do this automatically as part of the installer setup.
Alternatively you can just set up auto-login for your Windows user account, but that gives you no security from local access.
Can you set the Jellyfin server service to start with Windows? Shouldn't need a login then. If not, you can use a PowerShell script that starts the Jellyfin .exe and use a scheduled task to run it when event ID 6005 is triggered. That's the event ID created when the event log starts.
This might work, do you know how secure this is? Could I just put it in to automatically input the password on startup? I imagine that wouldn't just "unlock" the machine for anyone trying to SSH in.
Very true. I have a couple items at work that don't work when I pick "at startup" so I usually just go with the event log startup as the trigger nowadays.
Is there any sort of way to get the best of both worlds? To have the PC be able to go from power button to Jellyfin server started and still have some measure of security?
Windows with auto login? Not really. That is, anyone with a mouse + keyboard locally can get in there.
You can set up Jellyfin to run as a Windows service and then it should auto start and run as a particular user without you having to log in. Have a look in the "advanced" section in the Jellyfin docs.
I mean, if someone is in local that's already further than I'm looking to protect. I just need Jellyfin to not be a vulnerability on my network. It's not like there's sensitive data on there.
I don't remember exactly how, but I did the same thing for my streaming gaming laptop. I had to put my unencrypted password in the registry somewhere, but it's been a few years, I don't remember where I put it. But perhaps this piece of information will help.
You could migrate Jellyfin into a Linux container and share the media through a local loopback and configure it for a headless installation if you can't give up that Windows installation.
Alternatively, like another person suggested, configuring it as a service could help here.