OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: affinityv on September 04, 2020, 08:27:05 PM

Title: LiveCD setup Issue with autoconfigurator
Post by: affinityv on September 04, 2020, 08:27:05 PM
I tried to set up a USB with the /conf directory tree on it using freebsd-ufs file system type, but the autoconfigurator seems to only work with msdos_fs, so I reformatted the USB to use vfat32 and added the /conf directory tree to it.

As the autoconfigurator option from USB boot (vga version) only wants to mount msdos_fs the sshd keys have incorrect permissions; I have to log in to the console (usually a headless box) and adjust the permissions for the /conf/sshd/*key files to 600 and then manually start sshd.

I would have thought that a FreeBSD system should be able to read the freebsd-ufs partition's /conf directory tree for use with the autoconfigurator.

Is there a better way to solve this so that the sshd key files have the appropriate permissions without needing to fix it with a login shell?  The autoconfigurator should adjust file permissions for the sshd keys...

It would also be good if the autoconfigurator could scan the devices and only present the one(s) that have a valid /conf directory and if only one valid device is found, then use it after a short delay without requiring any user action -- the machine could then be headless and keyboardless again.
Title: Re: LiveCD setup Issue with autoconfigurator
Post by: franco on September 04, 2020, 11:26:23 PM
Hi,

The importer supports a number of formats. The common denominator for these (excluding MSDOS as you found out) is that they resemble correctly installed OPNsense layouts:

https://github.com/opnsense/core/blob/5301999708823064c9509bce00e6115c10d64efc/src/sbin/opnsense-importer#L158-L169

The reason for this is that the importer is for moving the existing OPNsense install to a new home.

You are right about the keys in MSDOS having the wrong permission since the file system does not have these properties. The following should fix it.

https://github.com/opnsense/core/commit/530199970

I don't think we will be auto-inspecting the available ones and probing all of them for seemingly correct content. It runs the risk of doing what it should but that not being what the user intended (i.e. restoring the wrong /conf directory).

In any case thanks for your feedback. Was rather refreshing to see since the component hasn't received any feedback in almost two years. :)


Cheers,
Franco
Title: Re: LiveCD setup Issue with autoconfigurator
Post by: affinityv on September 04, 2020, 11:51:20 PM
Thanks.

The reason I came across this is that upgrades have become a problem for me of late.

This time I had a completely unbootable system, but the m.2 SATA SSD in place was able to be used to fetch the config and run LiveCD environment.  Then I tried the installer and it took forever adding a partition.  Eventually I rebooted and cleaned the internal disk and am now running just with LiveCD environment until I can check out the SSD which seems to be giving people grief with older installed systems like mine is now.

It would be handy to have smarttools and/or other diagnostics included to help check the health of disks.
Title: Re: LiveCD setup Issue with autoconfigurator
Post by: franco on September 05, 2020, 12:04:37 AM
Well, as I said you can always install them in live mode (i.e. os-smart). The core system is stripped of third party glue as much as it makes sense for the bulk of users.


Cheers,
Franco
Title: Re: LiveCD setup Issue with autoconfigurator
Post by: affinityv on September 05, 2020, 12:06:52 AM
I believe this would work too for the keys:

find /conf -name '*key' -print0|xargs -0r chmod 600

As we always have the /conf directory at that time, there is no need to check for sshd directory or to process each found file separately -- it's only a minor change, but it's neater I think.  What's more, if no files are found then xargs won't run chmod at all.
Title: Re: LiveCD setup Issue with autoconfigurator
Post by: franco on September 05, 2020, 12:09:34 AM
Uh, there should be keys in sshd directory, not everywhere else as well.
Title: Re: LiveCD setup Issue with autoconfigurator
Post by: affinityv on September 05, 2020, 12:33:39 AM
Line 322 has a couple of errors, it won't work as far as I can tell.

After taking away the dash before the f for -type, you still get this problem:


# for FILE in "$(find /conf/sshd -type f -name '*key')";do ls "${FILE}";echo;done
ls: /conf/sshd/ssh_host_rsa_key
/conf/sshd/ssh_host_ecdsa_key
/conf/sshd/ssh_host_ed25519_key: No such file or directory


You will need to remove the double quotes.

This works:

# for FILE in $(find /conf/sshd -type f -name '*key');do ls "${FILE}";echo;done
/conf/sshd/ssh_host_rsa_key

/conf/sshd/ssh_host_ecdsa_key

/conf/sshd/ssh_host_ed25519_key


The above is testing....

This is the code replacement I think is needed if you want to include just the sshd directory, but you will still need to test for the existence of the directory:


find /conf/sshd -name '*key' -print0|xargs -0r chmod 600


And for what it's worth, if we want verbose-ness to show exactly what was changed and how, then add -vv with chmod


find /conf/sshd -name '*key' -print0|xargs -0r chmod -vv 600
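
Added example, not part of the original posts and not the importer's own code: a POSIX sh version of the permission fix discussed above that tolerates a missing sshd directory, avoids the quoted `$(find ...)` loop problem, and can be checked afterwards. The function names, the temporary sample tree and the 755 starting mode are assumptions made for illustration; it assumes the keys have already been copied to a file system that stores Unix modes.

```shell
#!/bin/sh
# Added example; all paths live under a constructed temporary directory.

# fix_hostkey_perms DIR: chmod 600 every regular file named '*key' under DIR.
# A missing DIR is not an error; there is simply nothing to fix.
fix_hostkey_perms() {
    [ -d "$1" ] || return 0
    # "-exec ... {} +" passes each path to chmod as its own argument, so the
    # result never goes through a quoted or unquoted $(find ...) expansion,
    # and chmod is not started when nothing matches.
    find "$1" -type f -name '*key' -exec chmod 600 {} +
}

# count_not_600 DIR: print how many '*key' files are not exactly mode 600.
count_not_600() {
    [ -d "$1" ] || { echo 0; return 0; }
    find "$1" -type f -name '*key' ! -perm 600 | wc -l | tr -d ' '
}

# make_sample_conf: build a constructed /conf-like tree. Every file gets mode
# 755 as an assumed stand-in for the permissive modes seen after copying from
# a file system without Unix permissions. Prints the tree's path.
make_sample_conf() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/sshd"
    for name in ssh_host_rsa_key ssh_host_ecdsa_key ssh_host_ed25519_key \
                ssh_host_rsa_key.pub; do
        : > "$root/sshd/$name"
        chmod 755 "$root/sshd/$name"
    done
    echo "$root"
}
```

The `'*key'` pattern leaves the `.pub` files alone, and `count_not_600` gives a scriptable check to run before starting sshd.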
Title: Re: LiveCD setup Issue with autoconfigurator
Post by: affinityv on September 05, 2020, 12:51:14 AM
Line 317 (unless it is done by line 314), creates the sshd directory if it doesn't exist, so perhaps still no need to check if it exists?
Title: Re: LiveCD ssetup Issue with autoconfigurator
Post by: franco on September 05, 2020, 07:00:45 AM
You are right, it was already past midnight yesterday. ;)

I changed it in the repository.


Cheers,
Franco