OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: ivoruetsche on August 29, 2018, 08:47:58 pm

Title: Preshared Key no longer accepted?
Post by: ivoruetsche on August 29, 2018, 08:47:58 pm

Hi all

We just updated some OPNsense boxes from 18.1 -> 18.7 and got a problem with the nightly backup process.

The centralized server gets all configurations from all boxes with a preshared key and a special backup user, who has no password access to OPNsense etc.

After the update to 18.7 it doesn't work anymore, and I found this in the logs:

Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: User backupCFG from 198.18.6.3 not allowed because none of user's groups are listed in AllowGroups
Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: Postponed keyboard-interactive for invalid user backupCFG from 198.18.6.3 port 42896 ssh2 [preauth]
Aug 29 19:01:12 lab-ch-rma01-fw02 opnsense: user 'backupCFG' could not authenticate.


I checked the "Effective Privileges" of this user in the web GUI and can't find the entry "User - System: Shell account access" anymore.

In the 18.1 configuration, for security reasons, this user is not a member of the admin group, "/sbin/nologin" is the login shell and only the "Effective Privileges" entry "User - System: Shell account access" was set. With the preshared key we fetch the configuration with scp. It works fine.

How can I set it up with the 18.7 release?

gruss ivo
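The three log lines quoted above are the only signal that this backup job broke after the upgrade: sshd rejects the account because of AllowGroups before any key is even checked, and nothing on the backup server side fails loudly. As an added illustration (not code from the thread or from OPNsense), the following Python parses sshd log lines of exactly that shape, separates AllowGroups rejections from accepted logins, and flags a known service account that is being denied from its expected source address. The log sample is constructed: the first three lines are the ones from the post, the fourth is a made-up accepted login so both outcomes appear; the `expected` mapping, the fingerprint and the function names are assumptions for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the first three lines are the ones quoted in the thread,
# the fourth is an added, made-up successful login so the parser has both
# outcomes to classify (fingerprint is a placeholder).
SAMPLE_LOG = """\
Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: User backupCFG from 198.18.6.3 not allowed because none of user's groups are listed in AllowGroups
Aug 29 19:01:12 lab-ch-rma01-fw02 sshd[69339]: Postponed keyboard-interactive for invalid user backupCFG from 198.18.6.3 port 42896 ssh2 [preauth]
Aug 29 19:01:12 lab-ch-rma01-fw02 opnsense: user 'backupCFG' could not authenticate.
Aug 29 19:02:40 lab-ch-rma01-fw02 sshd[69402]: Accepted publickey for root from 198.18.6.3 port 42910 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
"""

# sshd's own wording for an AllowGroups rejection.
DENIED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: User (?P<user>\S+) from (?P<src>\S+) "
    r"not allowed because none of user's groups are listed in AllowGroups"
)
# sshd's wording for a successful authentication.
ACCEPTED_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_sshd_events(log_text: str) -> List[Dict[str, str]]:
    """Return one event per sshd line that is either an AllowGroups
    rejection or an accepted login. Other lines (the [preauth] chatter,
    the opnsense wrapper message) carry no extra information and are skipped."""
    events: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            events.append({"kind": "denied_allowgroups", **m.groupdict()})
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"kind": "accepted", **m.groupdict()})
    return events


def denied_service_accounts(events: List[Dict[str, str]],
                            expected: Dict[str, str]) -> List[Tuple[str, str]]:
    """Given the accounts a backup job is expected to use (user -> source IP),
    return those rejected by AllowGroups from that source. This is the
    condition that means the nightly backup silently stopped working."""
    hits = set()
    for e in events:
        if e["kind"] == "denied_allowgroups" and expected.get(e["user"]) == e["src"]:
            hits.add((e["user"], e["src"]))
    return sorted(hits)


def login_summary(events: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Count outcomes per user, which also shows when an admin account starts
    appearing from a host where only the restricted backup user should."""
    summary: Dict[str, Counter] = {}
    for e in events:
        summary.setdefault(e["user"], Counter())[e["kind"]] += 1
    return summary


if __name__ == "__main__":
    evts = parse_sshd_events(SAMPLE_LOG)
    print("broken backup accounts:",
          denied_service_accounts(evts, {"backupCFG": "198.18.6.3"}))
    for user, counts in login_summary(evts).items():
        print(user, dict(counts))
```

Feeding the real `/var/log/auth.log` (or the OPNsense system log export) into `parse_sshd_events` and alerting on a non-empty `denied_service_accounts` result gives the check a scheduled backup job otherwise lacks.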
Title: Re: Preshared Key no longer accepted?
Post by: fabian on August 30, 2018, 06:57:11 am
Only by adding the admins group, or, once it is ready and released at some time, OPNsense can push backups via SCP.

All non-admin users are blocked from SSH for exactly this reason (SSH allows access to the file system via SFTP even if the user should not be able to log in, i.e. has no login shell assigned).
Title: Re: Preshared Key no longer accepted?
Post by: Evil_Sense on August 30, 2018, 08:39:29 pm
Until the scp backup push is integrated, you could do it yourself like I did:

Cron action (replace '{USER}'):

/usr/local/opnsense/service/conf/actions.d/actions_scp-backup.conf
[scp-backup]
command:su {USER} -c /usr/home/scp-backup.sh
type:script_output
message:backing up config file
description:Backup config file

Because of the ssh key and known_hosts, I make sure it gets executed as the right user, so replace '{USERID}':

/usr/home/scp-backup.sh
#!/bin/sh
# Only run when invoked as the intended backup user (replace {USERID} with its
# numeric uid), so that user's ssh key and known_hosts are the ones scp uses.
if [ "$(id -u)" -eq {USERID} ]; then
    # Name the copy after the firewall and the time, so uploads never overwrite each other.
    APPENDIX="$(hostname)-$(date +"%Y%m%d%H%M%S")"

    echo "Uploading config-$APPENDIX.xml"
    scp /config/config.xml "{USER}@{HOST}:{PATH}/config-$APPENDIX.xml"
fi
Title: Re: Preshared Key no longer accepted?
Post by: ivoruetsche on October 05, 2018, 06:30:03 am

Thank you for sharing your code. We use it vice versa (our server pulls it from OPNsense), because the external FW boxes can't reach the backup server.

I think from the security perspective it was safer in the 18.1 version to have an ssh key and a dedicated user without any permissions, just to pull the configuration. Now we have to give the backup user admin and bash rights.

gruss ivo
Title: Re: Preshared Key no longer accepted?
Post by: fabian on October 07, 2018, 04:10:01 pm
> I think from the security perspective it was safer in the 18.1 version to have an ssh key and a dedicated user without any permissions, just to pull the configuration. Now we have to give the backup user admin and bash rights.

18.7 is better - it will get an endpoint to download the config via the API, but the plugin is currently not marked as stable, so it will be available for command line installation in the next release.

You may want to give it a try.