OPNsense Forum

English Forums => 25.1, 25.4 Production Series => Topic started by: jke on February 27, 2025, 01:06:17 PM

Title: 2FA broken since the update
Post by: jke on February 27, 2025, 01:06:17 PM
Hi,

I have 2FA enabled for the WebGUI login. After updating to 25.1 I couldn't log in with 2FA, and also not without it (only using the password).

I needed to connect to the machine via SSH and reset the root login and login method.
After that I needed to regenerate the OTP seed.
When this is done it works again.

Now, when the appliance is rebooted, I have the same problem.
The issue also persists after upgrading to 25.1.1.

Does anyone else have the same problem or know how I can resolve it?

Thank you in advance!
Title: Re: 2FA broken since the update
Post by: franco on February 27, 2025, 01:38:58 PM
Check your system time. Make sure you allow access for SSH via key in emergency cases.
Title: Re: 2FA broken since the update
Post by: PhoenixRider on February 27, 2025, 03:10:20 PM
Quote from: franco on February 27, 2025, 01:38:58 PM
Check your system time. Make sure you allow access for SSH via key in emergency cases.

Hey franco,

do you have an easy-to-follow tutorial for SSH access via keys?
Title: Re: 2FA broken since the update
Post by: Patrick M. Hausen on February 27, 2025, 04:06:46 PM
- generate a private/public key pair with e.g. ssh-keygen
- place the public key in the user account via the OPNsense UI

That's essentially all. The first step depends on your client. You don't still use PuTTY, do you? :-) Windows 10 and up come with native SSH.
Title: Re: 2FA broken since the update
Post by: jke on February 28, 2025, 01:57:00 PM
Hi, thank you for your answers.
The problem is not the connection via SSH. I already set it up and can connect to the appliance via SSH.
My problem is that after rebooting, the root login is broken.

When I reboot the appliance, I can't log in with the user root, neither with only the password nor with password + 2FA.
I need to reset it (password and login method) via the CLI.
After resetting it to Local Database only, I can log in again.
Then I enable 2FA for the login again, and the login with 2FA also works again.
But after rebooting, the "loop" begins again.
Title: Re: 2FA broken since the update
Post by: cookiemonster on February 28, 2025, 02:01:55 PM
Wild guess: have you changed the root user's login shell? What is it set to?
Title: Re: 2FA broken since the update
Post by: PhoenixRider on February 28, 2025, 02:22:12 PM
Quote from: Patrick M. Hausen on February 27, 2025, 04:06:46 PM
- generate a private/public key pair with e.g. ssh-keygen
- place the public key in the user account via the OPNsense UI

That's essentially all. The first step depends on your client. You don't still use PuTTY, do you? :-) Windows 10 and up come with native SSH.

Thank you. I created the keys and assigned them to the users. However, SSH login didn't work for me with these keys.
Title: Re: 2FA broken since the update
Post by: Patrick M. Hausen on February 28, 2025, 02:31:57 PM
What's the output of
ssh -v <username>@<opnsense-ip>?
Title: Re: 2FA broken since the update
Post by: PhoenixRider on February 28, 2025, 02:39:54 PM
Quote from: Patrick M. Hausen on February 28, 2025, 02:31:57 PM
What's the output of
ssh -v <username>@<opnsense-ip>?

I'll watch it again tonight, thanks!
Title: Re: 2FA broken since the update
Post by: Patrick M. Hausen on February 28, 2025, 02:57:20 PM
Maybe post one of your public keys. That's not a problem, hence "public".
Title: Re: 2FA broken since the update
Post by: Mks on February 28, 2025, 11:55:29 PM
Hi,
I've discovered the same issue today.

Will look at it tomorrow and provide an update.

br
Title: Re: 2FA broken since the update
Post by: jke on March 01, 2025, 11:45:17 AM
Quote from: cookiemonster on February 28, 2025, 02:01:55 PM
Wild guess: have you changed the root user's login shell? What is it set to?

Hi cookiemonster,
I didn't change the login shell, it's still the default "opnsense-Shell" or whatever it is called.
But nevertheless, thank you!
Title: Re: 2FA broken since the update
Post by: jke on March 01, 2025, 11:48:09 AM
Quote from: Mks on February 28, 2025, 11:55:29 PM
Hi,
I've discovered the same issue today.

Will look at it tomorrow and provide an update.

br

Hi Mks,
thank you very much!
As further info: I've updated yesterday to version 25.1.2 and the issue persists.
Title: Re: 2FA broken since the update
Post by: PhoenixRider on March 01, 2025, 12:37:09 PM
Quote from: Patrick M. Hausen on February 28, 2025, 02:57:20 PM
Maybe post one of your public keys. That's not a problem, hence "public".

SSH access via keys is now working! Thank you! :)
Title: Re: 2FA broken since the update
Post by: Mks on March 01, 2025, 07:45:32 PM
Hi,

I've analyzed the issue today and it was not related to OPNsense.

The NTP daemon on my admin workstation stopped for whatever reason, and because of that the time was out of sync.

br
Title: Re: 2FA broken since the update
Post by: jke on March 02, 2025, 07:49:17 PM
Quote from: Mks on March 01, 2025, 07:45:32 PM
Hi,

I've analyzed the issue today and it was not related to OPNsense.

The NTP daemon on my admin workstation stopped for whatever reason, and because of that the time was out of sync.

br

Hi Mks,
In my case, this isn't the problem.
But I just figured out it may be the "daylight saving time", which seemingly isn't handled correctly by OPNsense.
In the logs I can see the timestamp of current actions with my time -1 hour.
Do you know if that could be the problem for the faulty OTP token?

Also, if this is really the problem, can someone explain, why it just happens with version >=25.1?
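To show why the clock offset discussed above matters for TOTP, here is an added Python example (not code from OPNsense or from anyone in this thread). It implements RFC 6238 with parameters assumed to match OPNsense's defaults (30-second step, 6 digits, HMAC-SHA1): a skew of one step still passes with a ±1-step window, but a one-hour offset is 120 steps away and the code is always rejected.

```python
import base64
import hashlib
import hmac
import struct

# Assumed OPNsense-style TOTP parameters (RFC 6238): 30 s step, 6 digits, HMAC-SHA1.
STEP = 30
DIGITS = 6


def secret_from_base32(seed: str) -> bytes:
    """Decode the base32 seed shown in the otpauth QR code (padding restored)."""
    seed = seed.strip().replace(" ", "").upper()
    return base64.b32decode(seed + "=" * (-len(seed) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """Code an authenticator app would display at the given Unix time."""
    return hotp(secret, unix_time // step)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept codes from server_time +/- window steps."""
    counter = server_time // STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def skew_outcome(secret: bytes, client_time: int, server_time: int, window: int = 1) -> bool:
    """Client generates the code from its own clock; the server checks against its clock."""
    return verify(secret, totp(secret, client_time), server_time, window)


if __name__ == "__main__":
    # Constructed sample seed (the RFC 6238 test secret "12345678901234567890" in base32).
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = 1_700_000_000
    print("20 s skew accepted:", skew_outcome(secret, now, now + 20))      # True
    print("1 h skew accepted: ", skew_outcome(secret, now, now + 3600))    # False
```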
Title: Re: 2FA broken since the update
Post by: petrus on March 16, 2025, 09:48:09 PM
Hi!
Not sure what's wrong, but 2FA stopped working since the update to 25.1 for me too. I'm using Google Authenticator, and it still works for every other login.
Title: Re: 2FA broken since the update
Post by: meyergru on March 16, 2025, 11:46:04 PM
The usual cause is that the system time is off for whatever reason. 2FA generally works fine with 25.1.x.
Title: Re: 2FA broken since the update
Post by: petrus on March 17, 2025, 10:16:46 PM
Hi!

Thanks, but the system time was definitely not off.
I got into my box via the console and verified the system time was correct to the second. Verified NTP with ntpq -p; it showed many reachable peers. Then I rebooted. 2FA still did not work. Updated from 25.1.2 to 25.1.3. Still no login possible, until I used "opnsense-shell password" to reset the password and auth to local database.

Something is fishy.

Peter

Title: Re: 2FA broken since the update
Post by: passeri on March 18, 2025, 12:31:32 AM
Set up 2FA from scratch again, in trial mode only. See whether that testing works on a new instance. If clocks are right on both devices then the code string is wrong on one or the code is at the wrong end. I am not actually suggesting you got the latter wrong, it is just a remaining available cause.

I have had no problems at all with 2FA through upgrades from 24.7 to 25.1.3.
Title: Re: 2FA broken since the update
Post by: petrus on March 18, 2025, 10:04:49 AM
Thanks for your time and your tests, Passeri! It's a possibility of course that I got the "code string" wrong, and I'm sure I did it wrong several times. I'm also sure, though, that despite my lacking typing capabilities, I got it right some of the time. :)
I will set 2FA up again this evening and do some further testing.