1
General Discussion / Re: Champagne anybody?
« on: October 31, 2024, 10:02:21 am »Auja! Wir verlinken hier die schönsten Kommentare vom Heise-Forum! Dafür sollten wir ein eigens Board einrichten! :-D
Heise-Forum?
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Heise-Forum?
3
General Discussion / Re: Edit ssh configs (to allow certificate signed ssh access)
« on: October 23, 2024, 11:54:06 am »
Thanks Patrick, my fault.
I was searching for (permanently) changes to the ssh keys to generate when i stumbled upon this question, so i had a "key-bias" in mind...
I was searching for (permanently) changes to the ssh keys to generate when i stumbled upon this question, so i had a "key-bias" in mind...
4
General Discussion / Re: Edit ssh configs (to allow certificate signed ssh access)
« on: October 23, 2024, 10:04:03 am »
Hi Scenic3050,
you can configure all you need with the webgui.
Keys:
System \ Access \ Users \ [ Username ] \ Authorized keys
No password:
System \ Settings \ Administration \ Secure Shell \ Authentication Method
Nevertheless, "sshd_config" is located at "/usr/local/etc/ssh/"
Cheers
you can configure all you need with the webgui.
Keys:
System \ Access \ Users \ [ Username ] \ Authorized keys
No password:
System \ Settings \ Administration \ Secure Shell \ Authentication Method
Nevertheless, "sshd_config" is located at "/usr/local/etc/ssh/"
Cheers
5
23.7 Legacy Series / Limitation of "Firewall : Log Files : Plain View"
« on: May 30, 2024, 05:15:23 pm »
OPNsense 23.7.12_5
When I use the search field in "Firewall : Log Files : Plain View" it seems I only get events displayed if they fill up a hole page (at least 20).
To reproduce I choose a known target - e. g. "142.250.185.195" (www.google.de) - to search for and get a lot of events.
After the resuts are displayed, I extend the seach string about the displayed source port number digit by digit "142.250.185.195,6"
And "142.250.185.195,60" - I know, there is at least one event, but I only get:
I don't expect this as an intended behavior, how can I find single or seldom events?
Thanks for any hint!
When I use the search field in "Firewall : Log Files : Plain View" it seems I only get events displayed if they fill up a hole page (at least 20).
To reproduce I choose a known target - e. g. "142.250.185.195" (www.google.de) - to search for and get a lot of events.
Code: [Select]
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
...
After the resuts are displayed, I extend the seach string about the displayed source port number digit by digit "142.250.185.195,6"
Code: [Select]
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
2024-05-30T14:23:18 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,6304,443,0,S,820402105,,65228,,mss;nop;wscale;sackOK;TS
2024-05-29T17:17:46 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,62739,443,0,S,3333951251,,65228,,mss;nop;wscale;sackOK;TS
...
And "142.250.185.195,60" - I know, there is at least one event, but I only get:
Code: [Select]
Loading...
I don't expect this as an intended behavior, how can I find single or seldom events?
Thanks for any hint!
6
23.1 Legacy Series / Re: Can't get PPPoE with tagged VLAN to work
« on: October 23, 2023, 12:21:56 pm »
I struggled with that yesterday and it turned out, that my VDSL provider doesn't use VLAN.
So be sure you really need it.
So be sure you really need it.
7
23.1 Legacy Series / Re: 2FA fallback - "Disable integrated authentication" doesn't work as expected
« on: October 23, 2023, 11:59:41 am »
That solved the problem with console login and su for me.
Thanks a lot!
Thanks a lot!
8
23.1 Legacy Series / Re: 2FA fallback - "Disable integrated authentication" doesn't work as expected
« on: October 23, 2023, 10:15:44 am »
I just did another test. I reset the device to factory defaults. Logon at the console works as expected.
Then I only activated the option "Disable integrated authentication" and I no longer able to login at the console.
Is this an intended behavior?
Then I only activated the option "Disable integrated authentication" and I no longer able to login at the console.
Is this an intended behavior?
9
23.1 Legacy Series / Re: 2FA fallback - "Disable integrated authentication" doesn't work as expected
« on: October 20, 2023, 04:32:20 pm »
If I have enabled 2FA, local database and deactivated "Disable integrated authentication" I can login at the console with the user with and without OTP and also with root and the password.
Connecting to the device per ssh/pubkey with the user works and I can su to the root:
Then I activate "Disable integrated authentication", nothing else is changed. After that I can't login at the console with any account with or without OTP.
I still can login per ssh/pubkey, but I can't su to the root.
Code: [Select]
FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)
login: root
Password:
Last login: Fri Oct 20 16:29:16 on ttyu0
----------------------------------------------
| Hello, this is OPNsense 23.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***
CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24
HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH: SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH: SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH: SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)
0) Logout 7) Ping host
1) Assign interfaces 8) Shell
2) Set interface IP address 9) pfTop
3) Reset the root password 10) Firewall log
4) Reset to factory defaults 11) Reload all services
5) Power off system 12) Update from console
6) Reboot system 13) Restore a backup
Enter an option:
Connecting to the device per ssh/pubkey with the user works and I can su to the root:
Code: [Select]
~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 12:33:38 2023 from 192.168.1.100
----------------------------------------------
| Hello, this is OPNsense 23.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:
*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***
CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24
HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH: SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH: SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH: SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)
0) Logout 7) Ping host
1) Assign interfaces 8) Shell
2) Set interface IP address 9) pfTop
3) Reset the root password 10) Firewall log
4) Reset to factory defaults 11) Reload all services
5) Power off system 12) Update from console
6) Reboot system 13) Restore a backup
Enter an option:
Then I activate "Disable integrated authentication", nothing else is changed. After that I can't login at the console with any account with or without OTP.
Code: [Select]
FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)
login: root
Password:
Login incorrect
I still can login per ssh/pubkey, but I can't su to the root.
Code: [Select]
~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 16:10:53 2023 from 192.168.1.100
----------------------------------------------
| Hello, this is OPNsense 23.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:
su: Sorry
10
23.1 Legacy Series / [SOLVED] "Disable integrated authentication" doesn't work as expected
« on: October 20, 2023, 01:19:52 pm »
With the activated option "Disable integrated authentication" it is not possible to login at the console and not possible to do su in ssh.
OPNsense version 23.1.11_2
Context:
I have configured 2FA with TOTP and set up a user (not root) with an OTP seed. This user is a member of the group "admins". Additionally I configured SSH public keys for that user. Login to the webgui with 2FA and SSH-login with public key works well. The user 'root' doesn't have either an OTP seed or a public key.
As fallback in case of problems with 2FA, I wanted to login per SSH with key or console. But as soon as I activate "Disable integrated authentication" I can not login to the console and I can not su to root in SSH.
Thanks for any hint!
OPNsense version 23.1.11_2
Context:
I have configured 2FA with TOTP and set up a user (not root) with an OTP seed. This user is a member of the group "admins". Additionally I configured SSH public keys for that user. Login to the webgui with 2FA and SSH-login with public key works well. The user 'root' doesn't have either an OTP seed or a public key.
As fallback in case of problems with 2FA, I wanted to login per SSH with key or console. But as soon as I activate "Disable integrated authentication" I can not login to the console and I can not su to root in SSH.
Thanks for any hint!
11
23.1 Legacy Series / Dashboard Widget Services empty for restricted users
« on: October 20, 2023, 08:05:41 am »
We use a group of restricted users to gain access to the webgui with the following assigned privileges.
GUI Dashboard (all)
GUI Diagnostics: Logs: DHCP
GUI Diagnostics: Logs: Firewall: Live View
GUI Services: Unbound DNS: Log File
GUI Status: DHCP leases
In OPNsense version 22.7.2 (2 devices) those users see running services in the dashboard. In version 23.1.11 (11 devices) those users see an empty service widget. Services will be shown in the widget, if we additional assign the privilege "GUI Status: Services". But then they are able to stop or start services, which isn't intended.
Any idea how to list running services for restricted users without the option to start or stop any services?
Thanks for any hint!
GUI Dashboard (all)
GUI Diagnostics: Logs: DHCP
GUI Diagnostics: Logs: Firewall: Live View
GUI Services: Unbound DNS: Log File
GUI Status: DHCP leases
In OPNsense version 22.7.2 (2 devices) those users see running services in the dashboard. In version 23.1.11 (11 devices) those users see an empty service widget. Services will be shown in the widget, if we additional assign the privilege "GUI Status: Services". But then they are able to stop or start services, which isn't intended.
Any idea how to list running services for restricted users without the option to start or stop any services?
Thanks for any hint!
12
22.7 Legacy Series / Re: Interface: Diagnostics: Netstat - what is 'flags' - EtherType?
« on: December 02, 2022, 02:01:13 pm »
IDS is off for all boxes. I try to keep configuration of all running boxes the same way, that is why i stumbled about this.
13
22.7 Legacy Series / Re: Missing info button on IPSEC Status Overview
« on: December 02, 2022, 01:54:48 pm »
The status page changed with 22.7. release. The former i-button is replaced by a checkbox.
14
22.7 Legacy Series / Re: Interface: Diagnostics: Netstat - what is 'flags' - EtherType?
« on: December 02, 2022, 01:06:30 pm »
Yes, there is a DHCP server at all ix0 interfaces, but onle some are in the promiscuous mode.
15
22.7 Legacy Series / Re: Interface: Diagnostics: Netstat - what is 'flags' - EtherType?
« on: November 30, 2022, 06:55:36 pm »
Thanks, that matches, but leads me to a new issue. Why are some interfaces (0x8963) in promiscuous mode (0x0100)? - At the interface configuration page the 'Promiscuous mode' checkbox is not checked.