OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: Tubs on July 31, 2018, 10:05:20 pm

Title: 18.7: password not accepted any more after update
Post by: Tubs on July 31, 2018, 10:05:20 pm

I just updated to 18.7. But now I cannot login any more with root and my local password. It is getting rejected with "wrong password".  :(


Network connection to internet is working. Servers on VLAN connection via HAproxy I also cannot reach.



Title: Re: 18.7: password not accepted any more after update
Post by: franco on July 31, 2018, 10:16:08 pm
Sounds like...

o The authentication fallback for the GUI/system has been removed in favour of selecting multiple authentication servers at once.  Reassign your fallback as a primary authentication method or now use more than two methods.

Do you have console / ssh access?


Cheers,
Franco
Title: Re: 18.7: password not accepted any more after update
Post by: Tubs on July 31, 2018, 10:50:48 pm

LDAP connection also is used, but not for administration login. Here I always use root with local password. Order of servers is default.

Console I have. SSH I can enable over console. But as it is night in Europe this must wait till tomorrow.

Any hint that can help would be appreciated.
At least I have created a backup before update.
Title: Re: 18.7: password not accepted any more after update
Post by: franco on July 31, 2018, 10:56:28 pm
Yup, from the console / SSH option 3) Reset the root password will turn Local Database back on. You will need to log into GUI, go to System: Settings: Administration, scroll down to Authentication Server and select both "Local Database" and your LDAP Server.


Cheers,
Franco
Title: Re: 18.7: password not accepted any more after update
Post by: Reiter der OPNsense on July 31, 2018, 11:03:04 pm
Same here. After the update to 18.7 it was not possible to log in to the GUI as root, not even via SSH. The password reset function of the installer has helped. Not "3) Reset the root password" on the console (didn't work), but the password reset function which can be started immediately before installation.

Greetings, Stefan
Title: Re: 18.7: password not accepted any more after update
Post by: franco on July 31, 2018, 11:20:52 pm
Hi Stefan,

The password reset of the installer calls the same script that is option 3. ;)

I suspect you skipped answering "y" to "Do you want to set it back to Local Database? [y/N]". The installer reset assumes yes, the script asks but defaults to no.


Cheers,
Franco
Title: Re: 18.7: password not accepted any more after update
Post by: PimB on August 01, 2018, 08:39:23 am
Same problem, and I can't login as root on the console. I guess I'm locked out.
Title: Re: 18.7: password not accepted any more after update
Post by: franco on August 01, 2018, 08:46:06 am
No, use the 18.7 image password reset feature as previously mentioned.
Title: Re: 18.7: password not accepted any more after update
Post by: PimB on August 01, 2018, 08:55:42 am
Is that documented yet? I don't know how exactly.
Title: Re: 18.7: password not accepted any more after update
Post by: franco on August 01, 2018, 09:27:29 am
Use a 18.7 image to boot the live mode, start installer, select "reset password" in main menu. Reboot without install, remove image and you can log in. Don't forget to set your correct authentication methods in System: Settings: Administration: Authentication Server.


Cheers,
Franco
Title: Re: 18.7: password not accepted any more after update
Post by: PimB on August 01, 2018, 09:43:33 am
Aha, like so. Thanks, I'm back in.
Title: Re: 18.7: password not accepted any more after update
Post by: Reiter der OPNsense on August 01, 2018, 09:48:49 am
Hello Franco,
I chose no because I had absolutely no plan what the problem was.  ;)

Before the update I had set System --> Access --> Settings --> Authentication Server = TOTP Server and Authentication Server (fallback) = Local Database. Was the TOTP server set for the GUI logon after the update? That was my original suspicion, but I could not login via TOTP either.
Title: Re: 18.7: password not accepted any more after update
Post by: franco on August 01, 2018, 12:00:48 pm
Yes, TOTP was active. In fact it's always active in your case. Please confirm with the tester that it works.

But it makes no sense to have TOTP and Local set at the same time, because if you don't input the TOTP token you can login because that's your plain local password which gives you zero TOTP benefit. ;)


Cheers,
Franco
Title: Re: 18.7: password not accepted any more after update
Post by: Reiter der OPNsense on August 01, 2018, 12:57:00 pm
I only use TOTP for VPN users and I was no longer aware that I had set anything under System --> Access --> Settings --> Authentication Server. I probably didn't realize in those days that this setting applied to the GUI.

And I have not assigned an OTP seed for root, because I am not logging in via VPN with this user. That's why the login with root didn't work after the update in my case.

We have learned: If you have set up One-time Password 2 Factor Authentication, you may want to check this setting again BEFORE upgrading.  ;)
Title: Re: 18.7: password not accepted any more after update
Post by: franco on August 01, 2018, 04:29:08 pm
Ah, that explains it. It's fine in OpenVPN because each server can select its authentication method.

True about the location too. The new location under System: Settings: Administration is a bit better in 18.7, but still a bit difficult to explain that console login and SSH follow this setting as well.


Cheers,
Franco
Title: Re: 18.7: password not accepted any more after update
Post by: PimB on August 01, 2018, 07:57:12 pm
Ah, same here. TOTP was activated for VPN users.
Title: Re: 18.7: password not accepted any more after update
Post by: Tubs on August 01, 2018, 08:31:29 pm
Password reset via installer solved my problem. SSH was not possible to use as it was switched off and console was not possible to use as password was set and not accepted.


Also HAproxy is running again. But I did not do any change and do not know why it was not running after update and now it is running again.
Title: Re: 18.7: password not accepted any more after update
Post by: comet on August 02, 2018, 07:43:02 am
I am reading this and it has me scared to upgrade.  I normally do an upgrade from the web GUI and what I am reading here makes me worry that if I do that I may not be able to log back in afterwards.  I want to be able to login to both the web interface and via ssh.  This is basically just a home router, I am not using anything fancy like a LDAP server or a VPN or anything like that, I just need to be able to log in from another machine on my local network like I do now, and the previous posts in this thread aren't really making sense to me.

So my question is, if I upgrade will I lose the ability to log in via the web interface or via ssh?  If so, could someone please explain as clearly as possible how to prevent that from happening, or failing that, to recover from it, preferably without needing to directly connect to the router (which normally does NOT have a keyboard/mouse/display connected)?
Title: Re: 18.7: password not accepted any more after update
Post by: franco on August 02, 2018, 01:58:34 pm
You only have to make sure your primary authentication method actually works.
Title: Re: 18.7: password not accepted any more after update
Post by: comet on August 03, 2018, 12:57:58 pm
I don't know what you mean by "primary authentication method" - I currently use a username and password to login to the web interface, and for ssh I login using key authentication.  Both currently work.  My question is, will these continue to work if I upgrade?

This is a home router, not part of some corporate network or anything, so I am not doing anything like using a separate server for authentication.  It's just your use of the term "primary authentication method" that's confusing me here, since I don't know if that means something specific or special.

EDIT: Also, both my "Authentication Server" and "Authentication Server (fallback)" are set to "Local Database", if that is what you mean.
Title: Re: 18.7: password not accepted any more after update
Post by: franco on August 03, 2018, 01:13:36 pm
Yes, that's what I meant. You won't run into this issue because your authentication server (not fallback) is properly configured.


Cheers,
Franco
Title: Re: 18.7: password not accepted any more after update
Post by: Evil_Sense on August 03, 2018, 04:01:31 pm
Just to mention: After updating to 18.7 I had to do the following to get ssh working for my user:

- Administration: Allow group the user belongs to for ssh access
- User configuration: Set a shell

Currently not able to look up the exact name or location of these settings..
Title: Re: 18.7: password not accepted any more after update
Post by: franco on August 03, 2018, 04:05:18 pm
System: Settings: Administration: "Login Group" and System: Access: Users: "your user": Login shell


Cheers,
Franco
Title: Re: 18.7: password not accepted any more after update
Post by: Evil_Sense on August 03, 2018, 04:44:02 pm
Thanks franco :)

I think this should help if one gets confused about ssh access not working after updating
Title: Re: 18.7: password not accepted any more after update
Post by: patcsy88 on August 05, 2018, 06:06:03 am
After upgrading to 18.7, I am now unable to login as root via WebUI or SSH/Console. How do I access option 3 when I am unable to login as root? I am running on APU2 from PCEngines.

Any ideas are most welcomed.

Patrick
Title: Re: 18.7: password not accepted any more after update
Post by: bigops on August 05, 2018, 06:29:01 pm
The login seems to be broken after the upgrade to 18.7.  I have 2FA configured on the box and I am able to successfully login through the GUI without any issues.  But not able to login via console anymore as it seems for some reason console is also trying to take the 2FA settings but not successful.  When logging in via console it authenticates successfully if 2FA is provided, but then errors out stating that the account is not available (See screenshots).

Also the earlier implementation of the console bypassing the 2FA was the ideal situation as if there is any issue in the 2FA (like faulty RTC or lost token) then there is at least a way to login through the console.  Hope this gets fixed ASAP

Title: Re: 18.7: password not accepted any more after update
Post by: Evil_Sense on August 05, 2018, 07:12:17 pm
Just a guess:
Did you set a login shell for the user admin?
Title: Re: 18.7: password not accepted any more after update
Post by: sigrme2449 on August 05, 2018, 08:07:49 pm
The "Wizard" aka initial setup to input password prompt for the login is broken, you can change the password, however you have to do it within the Lobby>password field. I've replicated this on a VM 32bit and a physical 64bit machine on fresh installs

The remedy for me to fix was to go to the Lobby>Password and change it from there.  :) This issue seems to be isolated to just 18.7, as 18.1 didn't have that issue in my testing. The inputted values into the wizard initial setup aren't changing the default opnsense value for some reason.

I seem to be not the only user with this issue.
Title: Re: 18.7: password not accepted any more after update
Post by: Evil_Sense on August 05, 2018, 09:27:35 pm
I can confirm that the password doesn't get updated.
I also get an "Invalid LAN IP address" error when choosing dhcp or leaving the field empty.

And saving an edited user only works if a password is entered (would expect to work and leaving the password at its old value when leaving empty)
Title: Re: 18.7: password not accepted any more after update
Post by: franco on August 06, 2018, 10:48:05 am
@bigops you don't get a login unless you set a shell for that user. That's a new feature in 18.7 to improve security because 18.1 had yielded shell access rights too easily. Added bonus is that you can pin a specific shell.

@sigrme2449 thanks, it was fixed now https://github.com/opnsense/core/commit/abf1e44d

@Evil_Sense LAN IP in wizard was always static only and mandatory input
Title: Re: 18.7: password not accepted any more after update
Post by: bigops on August 06, 2018, 05:09:41 pm
Thanks Franco.  That helps and I am able to login to the system now.

Title: Re: 18.7: password not accepted any more after update
Post by: Julien on August 06, 2018, 11:15:34 pm
I am facing almost the same, but in a different way.
On a VM, after I updated to 18.7 the web GUI is not available; I can access using SSH but no GUI.
Is there a way to rebuild this?
Title: Re: 18.7: password not accepted any more after update
Post by: PotatoCarl on August 07, 2018, 06:53:52 pm
Hi

I have the same problem here. As I use an appliance it is a bit difficult to access it. I can access via SSH but cannot login.

Would you mind giving a step-by-step instruction how I can recover my password? "opnsense" as password for installer does not work when accessing by SSH.

I am a bit stuck here.

I did not read this in the readme, which would have made me more careful when upgrading.
Title: Re: 18.7: password not accepted any more after update
Post by: PotatoCarl on August 07, 2018, 06:59:41 pm
So to be more specific:
I have more or less all of the problems above:

Login with username and password via GUI and SSH worked well.

After upgrade: Nada.

Not with root, admin, installer, tried all the passwords (including my previous set ones).

I am a little bit... Well, in a bad mood. As I use a nice dedicated appliance it is pretty difficult to access it otherwise than via net. So please help.
Title: Re: 18.7: password not accepted any more after update
Post by: anon000 on August 08, 2018, 12:18:27 am
For anyone who is still having issues and not super familiar with how to get into installer mode ( like me ) here are some steps that worked for me.

1) load image 18.7 onto usb drive or bootable dvd
2) Once booted into the live image let it continue until you are prompted for a login
3) To get into installer mode type "installer" as the user name without quotes and "opnsense" as the password
4) Once in installer mode choose the "reset password" option which IIRC is option 3 and reboot. You should now be able to log into the gui.

Please correct me if I'm wrong here but this solved my issue which I believe had something to do with OTP which I setup and have not used in awhile. Also make sure to choose a shell for your user in system>access>users if you are wanting to ssh into the firewall. Just thought I would post to help someone because some of the answers here are a little cryptic and probably targeted to people who are more familiar with the install procedure.
Title: Re: 18.7: password not accepted any more after update
Post by: Evil_Sense on August 08, 2018, 01:18:36 am
For everyone who is not able to login:

Use a 18.7 image to boot the live mode, start installer, select "reset password" in main menu. Reboot without install, remove image and you can log in. Don't forget to set your correct authentication methods in System: Settings: Administration: Authentication Server.


Cheers,
Franco


For ssh access, look there:

System: Settings: Administration: "Login Group" and System: Access: Users: "your user": Login shell


Cheers,
Franco

@anon000 seems we had the same idea :D
Title: Re: 18.7: password not accepted any more after update
Post by: anon000 on August 08, 2018, 01:54:39 am
Oops sorry about that  ;) The "installer" mode was kinda confusing if you don't read the console output which I missed the first couple times.
Title: Re: 18.7: password not accepted any more after update
Post by: PotatoCarl on August 08, 2018, 10:13:09 am
Hi

For everyone who has made a backup (I thought I posted this yesterday, but I cannot find my post here) there might be another solution:

Open your Backup.xml file. Search for "Admin user (root)". There is the OTP seed listed as clear text. Enter this value into Google Authenticator. Then log in to the GUI with <authenticatorcode><yourpassword> and it should work.

I was a bit confused as I usually have set <password><onetimecode> and not the other way around. But that worked for me and makes sense when you are not able to easily access the console (like ourselves with the Deciso appliances).

Hope that helps somebody.
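
A pre-upgrade check for the lockout causes discussed in this thread (the dropped authentication fallback, a TOTP server as primary with no OTP seed on the user, and no login shell), as an added example that is not part of any post or of OPNsense itself. The element names (`authmode`, `authmode_fallback`, `authserver`, `otp_seed`, `shell`) and the sample backup are assumptions; compare them with your own exported configuration before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed 18.1-style backup. Element names are assumptions, not taken from the thread.
SAMPLE_CONFIG = """<opnsense><system>
  <webgui>
    <authmode>TOTP Server</authmode>
    <authmode_fallback>Local Database</authmode_fallback>
  </webgui>
  <authserver><type>totp</type><name>TOTP Server</name></authserver>
  <user><name>root</name><uid>0</uid></user>
  <user><name>admin</name><uid>2000</uid><otp_seed>CONSTRUCTEDSEED</otp_seed></user>
</system></opnsense>"""


def audit(config_xml):
    """Return warnings about logins that stop working once the fallback is gone."""
    system = ET.fromstring(config_xml).find("system")
    primary = (system.findtext("webgui/authmode") or "Local Database").strip()
    fallback = (system.findtext("webgui/authmode_fallback") or "").strip()
    # Map configured server names to their type; "Local Database" has no entry.
    types = {s.findtext("name"): s.findtext("type") for s in system.findall("authserver")}
    warnings = []
    if fallback and fallback != primary:
        warnings.append(f"fallback '{fallback}' is dropped; only '{primary}' remains")
    for user in system.findall("user"):
        name = user.findtext("name")
        # A TOTP primary server rejects any user that has no seed to generate tokens from.
        if types.get(primary) == "totp" and not (user.findtext("otp_seed") or "").strip():
            warnings.append(f"{name}: no OTP seed, cannot pass '{primary}'")
        # root is skipped: the thread reports the shell requirement for other users only.
        if name != "root" and not (user.findtext("shell") or "").strip():
            warnings.append(f"{name}: no login shell, console/SSH login refused")
    return warnings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print("WARN", line)
```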