While browsing github with 54 pull requests open and 540 active issues, stumbled on a webrpc item and link to this documentation what it all can do: https://boinc.berkeley.edu/trac/wiki/WebRpc#show_user

and another: https://github.com/BOINC/boinc/issues/3925

just FYI

The good thing I think is writing things out with proper file name references etc and regardless of 'I knew that', it might actually help some other reader who's faltering on same/similar connect issues or who thinks that's good to know instead of struggling with that 32 hex char random password.

I have an explanation. Bear with me

From the docs: https://boinc.berkeley.edu/wiki/Controlling_BOINC_remotely

1. All remote RPCs are authenticated using the GUI RPC password.

2. By default, remote RPCs are not accepted from any host. To specify a set of hosts from which RPCs are allowed, create a file remote_hosts.cfg in your BOINC data directory containing a list of allowed DNS host names or IP addresses. Only these hosts will be able to connect.

3. You can also set <allow_remote_gui_rpc>1</allow_remote_gui_rpc> in the options section of a cc_config.xml

4. Alternatively, if you run the client with the --allow_remote_gui_rpc command line option, it will accept connections from any host (subject to password authentication). If you have a remote_hosts.cfg file but also start the client with --allow_remote_gui_rpc, the file will be ignored, and any host will be allowed to connect.

Items 1 1nd 2 seem straight forward.
Item 3 seems to say that you turn on remote RPCs using 1. Default is off or 0.
Item 4 tells me that if I start the client with this option it is an alternative to starting remote RPC but it will accept any IP connection and if you you have a remote_hosts.cfg it will be ignored. The magic word is "alternatively" and my testing and logs show item 3 will also accept any connection (subject to password authentication) and ignore remote_hosts.cfg

Docs are ambiguous. The order of 3 and 4 should be flipped.

From what I can make out, the existence of a remote_hosts.cfg with something in it allows selective RPC IPs or to allow from any IP use either item 3 or 4. I would have expected an on/off switch, an allow list, and an allow all list from the command line.

What about (subject to password authentication)? You would expect to put a password in gui_rpc_auth.cfg. A human would enter a complicated password like 7urutlspunafrlkld. Right? Well yeah but you need to enclose it in <gui_rpc_password></gui_rpc_password>. And where is this written? Nowhere in the docs.

I looked into the boinc executable and found it there. Tried it and it worked. Is this correct? Who knows. Anything in the gui_rpc_auth.cfg without the format or the with the format and nothing enclosed means no password.

This is no way official. It's just the way I found it to work.

I'll leave boinccmd to someone else.

They state it is a security risk but only if these machines run in offices or large places or in a cloud somewhere. The 4 machines are in my basement. zero security risk. I wonder how many users are like me doing this from their home.