Messages - proctor

#1
Hi franco,

thank you for your explanation and I understand the reason for that decision.

Quote from: franco on July 18, 2025, 10:38:19 AM
One of the problems with disabled integrated authentication is that it downgrades password strength through SSH and for the console.  Console is less risk because you need "physical" access, but the game changes in SSH password authentication which should be avoided.

SSH is limited to ssh-keys, password login is not permitted.

Quote
For physical systems in server racks I enable auto console log in so I don't have to deal with this at all. The rack or the server room should provide enough protection.  ;)

My boxes are physical systems but located at customers' premises, so auto login is obviously not an option.

Quote from: Patrick M. Hausen on July 18, 2025, 10:44:18 AM
Enforce 2FA for all administrators except root, which keeps password authentication, set an e.g. 40 character password and keep it somewhere safe for emergency access. Like failing time synchronisation.

That would be a nice solution (and root does not need direct remote access gui/ssh).

Additional use case:

Loading a customer's configuration on a box without an internet connection (no NTP server reachable).

Kind regards,
proctor
#2
Hi,

what is the idea behind removing this feature?

I used the feature to force Web-GUI login via 2FA and SSH via keys, but allow console login and su for root without 2FA (sudo disabled). So root can't log in (directly) at the Web-GUI or via SSH (no 2FA and no key). After the update to 25.x I am no longer able to "su root".

Thanks for some explanation and ideas to get a similar setup again.
#3

Hello derbert,

I also stumbled over this problem, and in the process over your post. At least in my case I was able to determine why the automatic rules alone are not sufficient. They only cover selected ICMPv6 types. In my case an additional rule was necessary that includes ICMPv6 type 130 (Multicast listener query) with destination ff02::1. I would also be interested in what the packet is needed for (DS-Lite?)...

Best regards
#4
General Discussion / Re: Champagne anybody?
October 31, 2024, 10:02:21 AM
Quote from: chemlud on October 31, 2024, 09:01:57 AM
Oh yes! Let's link the best comments from the Heise forum here! We should set up a dedicated board for that! :-D

Heise-Forum?
#6
Thanks Patrick, my fault.
I was searching for (permanent) changes to the SSH keys to generate when I stumbled upon this question, so I had a "key bias" in mind...
#7
Hi Scenic3050,

you can configure all you need with the webgui.

Keys:
System \ Access \ Users \ [ Username ] \ Authorized keys

No password:
System \ Settings \ Administration \ Secure Shell \ Authentication Method

Nevertheless, "sshd_config" is located at "/usr/local/etc/ssh/"

Cheers
#8
OPNsense 23.7.12_5

When I use the search field in "Firewall : Log Files : Plain View" it seems I only get events displayed if they fill up a whole page (at least 20).

To reproduce, I choose a known target, e.g. "142.250.185.195" (www.google.de), to search for and get a lot of events.


2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
...


After the results are displayed, I extend the search string with the displayed source port number digit by digit: "142.250.185.195,6"


2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
2024-05-30T14:23:18 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,6304,443,0,S,820402105,,65228,,mss;nop;wscale;sackOK;TS
2024-05-29T17:17:46 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,62739,443,0,S,3333951251,,65228,,mss;nop;wscale;sackOK;TS
...


And with "142.250.185.195,60" (I know there is at least one event) I only get:


Loading...


I don't expect this to be intended behavior; how can I find single or rare events?

Thanks for any hint!
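An added example, not from the post or from OPNsense itself: it parses IPv4 filterlog lines of the shape quoted above and filters on individual fields (destination, source port, action, ...) instead of matching a substring the way the plain-view search field does. The sample lines are constructed in the post's format; the field positions are the standard filterlog CSV layout for IPv4 (IPv6 lines use a different layout and are skipped here).

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the filterlog lines quoted in the post above.
SAMPLE_LOG = """\
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,49516,0,none,1,icmp,80,192.168.3.2,142.250.185.195,datalength=60
2024-05-30T15:21:05 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,60424,443,0,S,1344628171,,65228,,mss;nop;wscale;sackOK;TS
2024-05-30T14:23:18 Informational filterlog 76,,,fae559338f65e11c53669fc3642c93c2,igb1,match,pass,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,6304,443,0,S,820402105,,65228,,mss;nop;wscale;sackOK;TS
2024-05-29T17:17:46 Informational filterlog 1,,,0,igb1,match,nat,out,4,0x0,,64,0,0,DF,6,tcp,60,192.168.3.2,142.250.185.195,62739,443,0,S,3333951251,,65228,,mss;nop;wscale;sackOK;TS
"""

# Field positions in the IPv4 filterlog CSV (the part after "filterlog ").
# The IPv6 layout differs; such lines are skipped here (assumption: v4 only).
F_IFACE, F_ACTION, F_DIR, F_IPVER = 4, 6, 7, 8
F_PROTO, F_SRC, F_DST, F_SPORT, F_DPORT = 16, 18, 19, 20, 21

@dataclass
class Event:
    ts: str
    iface: str
    action: str
    direction: str
    proto: str
    src: str
    dst: str
    sport: Optional[int]  # None for protocols without ports (e.g. icmp)
    dport: Optional[int]

def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; None for anything that is not an IPv4 filterlog entry."""
    head, sep, csv = line.strip().partition(" filterlog ")
    if not sep:
        return None
    f = csv.split(",")
    if len(f) <= F_DST or f[F_IPVER] != "4":
        return None
    has_ports = f[F_PROTO] in ("tcp", "udp") and len(f) > F_DPORT
    return Event(head.split()[0], f[F_IFACE], f[F_ACTION], f[F_DIR], f[F_PROTO],
                 f[F_SRC], f[F_DST],
                 int(f[F_SPORT]) if has_ports else None,
                 int(f[F_DPORT]) if has_ports else None)

def search(text: str, **want) -> List[Event]:
    """Field-exact filter, e.g. search(text, dst="142.250.185.195", sport=60424)."""
    return [e for e in map(parse_line, text.splitlines())
            if e is not None and all(getattr(e, k) == v for k, v in want.items())]

def substring_hits(text: str, needle: str) -> int:
    """Hit count of a plain substring search, which is how the GUI search field behaves."""
    return sum(1 for line in text.splitlines() if needle in line)
```

Run against a file exported from the firewall log, `search(text, dst=..., sport=...)` returns the single event regardless of how many other lines share a prefix of the port number.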
#9
I struggled with that yesterday and it turned out, that my VDSL provider doesn't use VLAN.
So be sure you really need it.
#10
That solved the problem with console login and su for me.

Thanks a lot!
#11
I just did another test. I reset the device to factory defaults. Logon at the console works as expected.
Then I only activated the option "Disable integrated authentication" and I was no longer able to log in at the console.

Is this an intended behavior?
#12
If I have enabled 2FA and the local database, and "Disable integrated authentication" is deactivated, I can log in at the console with the user both with and without OTP, and also with root and the password.

FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)

login: root
Password:
Last login: Fri Oct 20 16:29:16 on ttyu0
----------------------------------------------
|      Hello, this is OPNsense 23.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code:         https://github.com/opnsense  |        @@@@         @@@@
| Twitter:      https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------

*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***

CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24

HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
               6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH:   SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH:   SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH:   SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:



Connecting to the device via ssh/pubkey with the user works and I can su to root:


~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 12:33:38 2023 from 192.168.1.100
----------------------------------------------
|      Hello, this is OPNsense 23.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code:         https://github.com/opnsense  |        @@@@         @@@@
| Twitter:      https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:

*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***

CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24

HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
               6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH:   SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH:   SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH:   SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Update from console
  6) Reboot system                      13) Restore a backup

Enter an option:


Then I activate "Disable integrated authentication", nothing else is changed. After that I can't log in at the console with any account, with or without OTP.


FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)

login: root
Password:
Login incorrect



I can still log in via ssh/pubkey, but I can't su to root.

~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 16:10:53 2023 from 192.168.1.100
----------------------------------------------
|      Hello, this is OPNsense 23.1          |         @@@@@@@@@@@@@@@
|                                            |        @@@@         @@@@
| Website:      https://opnsense.org/        |         @@@\\\   ///@@@
| Handbook:     https://docs.opnsense.org/   |       ))))))))   ((((((((
| Forums:       https://forum.opnsense.org/  |         @@@///   \\\@@@
| Code:         https://github.com/opnsense  |        @@@@         @@@@
| Twitter:      https://twitter.com/opnsense |         @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:
su: Sorry


::)
#13
With the option "Disable integrated authentication" activated, it is not possible to log in at the console or to su in SSH.
OPNsense version 23.1.11_2

Context:
I have configured 2FA with TOTP and set up a user (not root) with an OTP seed. This user is a member of the group "admins". Additionally I configured SSH public keys for that user. Login to the webgui with 2FA and SSH-login with public key works well. The user 'root' doesn't have either an OTP seed or a public key.

As a fallback in case of problems with 2FA, I wanted to log in via SSH with a key or at the console. But as soon as I activate "Disable integrated authentication" I cannot log in at the console and I cannot su to root in SSH.

Thanks for any hint!
#14
We use a group of restricted users to gain access to the webgui with the following assigned privileges.

GUI    Dashboard (all)
GUI    Diagnostics: Logs: DHCP
GUI    Diagnostics: Logs: Firewall: Live View
GUI    Services: Unbound DNS: Log File
GUI    Status: DHCP leases

In OPNsense version 22.7.2 (2 devices) those users see running services in the dashboard. In version 23.1.11 (11 devices) those users see an empty services widget. Services are shown in the widget if we additionally assign the privilege "GUI Status: Services", but then they are able to stop or start services, which isn't intended.

Any idea how to list running services for restricted users without the option to start or stop any services?

Thanks for any hint!
#15
IDS is off for all boxes. I try to keep the configuration of all running boxes the same, which is why I stumbled over this.