Messages - jke

#1
Oh no!
Forget my last replies.
I guess after removing the user with vipw the OPNsense was clean.

But while testing I reused the command with ssh root@... and got more Permission denied errors.
Then, when posting the ssh -v output, the user wasn't recreated before the attempt.

I can now connect to the OPNsense. Thank you both very much for your help!
#2
Quote from: Patrick M. Hausen on April 08, 2025, 12:12:48 AM
Try "id <user>" on OPNsense and "ssh -v ..." from the external system to get more debug info.
root@OPNsense:~ # id github-runner
id: github-runner: no such user

github-runner@runner-1:~$ ssh -v 10.1.0.1 -p 2222
OpenSSH_9.6p1 Ubuntu-3ubuntu13.9, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /runner/.ssh/config
debug1: /runner/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 10.1.0.1 [10.1.0.1] port 2222.
debug1: Connection established.
debug1: identity file /runner/.ssh/id_ed25519 type 3
debug1: identity file /runner/.ssh/id_ed25519-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.9
debug1: Remote protocol version 2.0, remote software version OpenSSH_9.9 FreeBSD-openssh-portable-9.9.p2_1,1
debug1: compat_banner: match: OpenSSH_9.9 FreeBSD-openssh-portable-9.9.p2_1,1 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 10.1.0.1:2222 as 'github-runner'
debug1: load_hostkeys: fopen /runner/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: sntrup761x25519-sha512@openssh.com
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:ap8uNQSdCZ0vwEBaiulo6GXdDiqup6KOH9egGfi8y60
debug1: load_hostkeys: fopen /runner/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /etc/ssh/ssh_known_hosts2: No such file or directory
debug1: Host '[10.1.0.1]:2222' is known and matches the ED25519 host key.
debug1: Found key in /runner/.ssh/known_hosts:4
debug1: ssh_packet_send2_wrapped: resetting send seqnr 3
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: Sending SSH2_MSG_EXT_INFO
debug1: expecting SSH2_MSG_NEWKEYS
debug1: ssh_packet_read_poll2: resetting read seqnr 3
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: kex_ext_info_check_ver: publickey-hostbound@openssh.com=<0>
debug1: kex_ext_info_check_ver: ping@openssh.com=<0>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_ext_info_client_parse: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256>
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Will attempt key: /runner/.ssh/id_ed25519 ED25519 SHA256:7vQBdTAhIVJCRnHC2K3KNfUglYKfFQz0e1jE+5T5pZ8 explicit
debug1: Offering public key: /runner/.ssh/id_ed25519 ED25519 SHA256:7vQBdTAhIVJCRnHC2K3KNfUglYKfFQz0e1jE+5T5pZ8 explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
github-runner@10.1.0.1: Permission denied (publickey).
#3
Quote from: patient0 on April 08, 2025, 12:11:56 AM
Quote from: jke on April 08, 2025, 12:10:37 AM
And when I did, I tried it, but the problem sadly persists.
Did you remove and recreate the user in OPNsense after you removed it from the system?

Yes, a few times
#4
Quote from: Patrick M. Hausen on April 08, 2025, 12:08:09 AM
Did you use "vipw" or "pw" to remove the user from master.passwd and friends? Because there's a database generated from the plain text file in BSD. "vipw" takes care of rebuilding that.

I just found out about this :)
And when I did, I tried it, but the problem sadly persists.
#5
Update: I can't find any more evidence of the user (deleted home directory/zfs dataset and the lines with references in /etc/passwd, /etc/groups, /etc/master.passwd, /usr/local/etc/sudoers), but it still doesn't work.
I think I will set up a clean system again and use the backup of the currently existing appliance.

Or do you maybe have any other idea where anything else could be that interferes with the OPNsense setup?
find / -name and grep -r / -e had no more results (only log entries).
#6
Okay, thank you very much for your help.
I guess I found the cause of the problem, but as of right now, not a solution.
The system was previously a "plain" FreeBSD system, where I had already created the user "github-runner".
There I ran the opnsense-bootstrap script, which I thought would clean up the system.
But I just found out the users do not seem to be cleaned up correctly.

There must be some sort of conflict when creating a user with the same name.

I will clean up all evidence of the "user artifacts" and try again.
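The leftover-account situation described in this post, the "id: github-runner: no such user" check from post #2 and the list of files searched in post #5 come down to one question: in which of FreeBSD's account stores does the name still exist, and do the plain text file and the compiled database agree? The following is an added example written for this thread; it is not code from OPNsense or from the poster. All file contents and the DB_USERS set are constructed sample data. On a real host the text would come from /etc/master.passwd, /etc/passwd, /etc/group and /usr/local/etc/sudoers, and DB_USERS from what `getent passwd` or id(1) answers, i.e. the compiled pwd.db that pwd_mkdb(8) builds and that vipw(8) and pw(8) keep in sync (a plain editor does not).

```python
"""Audit one account name across FreeBSD's account stores (added example).

Sample data below is constructed to mirror the thread: master.passwd still
carries the pre-bootstrap user, while passwd(5) and the compiled database
(what `id` consults) do not, and a sudoers line and a group membership remain.
"""
import re

FILE_MASTER_PASSWD = """\
root:*:0:0::0:0:Charlie &:/root:/bin/csh
github-runner:*:1001:1001::0:0:CI runner:/home/github-runner:/bin/sh
test:*:1002:1999::0:0:test:/home/test:/bin/sh
"""
FILE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
test:*:1002:1999:test:/home/test:/bin/sh
"""
FILE_GROUP = """\
wheel:*:0:root,github-runner
admins:*:1999:root,test
"""
FILE_SUDOERS = """\
# leftover from the plain FreeBSD install (constructed)
github-runner ALL=(ALL) NOPASSWD: ALL
%admins ALL=(ALL) ALL
"""
# Constructed stand-in for the names returned by `getent passwd` on the host.
DB_USERS = {"root", "test"}


def passwd_names(text):
    """User names (field 1) in passwd(5)/master.passwd(5) formatted text."""
    return {line.split(":", 1)[0] for line in text.splitlines()
            if line and not line.startswith("#")}


def group_refs(text, user):
    """Names of groups whose member list (field 4) contains the user."""
    refs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4 and user in fields[3].split(","):
            refs.append(fields[0])
    return refs


def sudoers_refs(text, user):
    """Non-comment sudoers lines naming the user as a whole token."""
    pat = re.compile(r"(?<![\w-])" + re.escape(user) + r"(?![\w-])")
    return [line for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#") and pat.search(line)]


def audit_user(user, master_passwd=FILE_MASTER_PASSWD, passwd=FILE_PASSWD,
               group=FILE_GROUP, sudoers=FILE_SUDOERS, db_users=DB_USERS):
    """Where does the name still live, and do text and compiled views agree?"""
    in_master = user in passwd_names(master_passwd)
    in_passwd = user in passwd_names(passwd)
    in_db = user in db_users
    groups = group_refs(group, user)
    sudo = sudoers_refs(sudoers, user)
    return {
        "master.passwd": in_master,
        "passwd": in_passwd,
        "pwd.db": in_db,
        "groups": groups,
        "sudoers": sudo,
        # Text and compiled views disagree: master.passwd was edited without
        # pwd_mkdb(8) running afterwards (vipw/pw do that for you).
        "stale_db": not (in_master == in_passwd == in_db),
        "clean": not (in_master or in_passwd or in_db or groups or sudo),
    }


def remediation(findings):
    """Next steps derived from the audit (commands are FreeBSD's own tools)."""
    steps = []
    if findings["stale_db"]:
        steps.append("rebuild account database: pwd_mkdb -p /etc/master.passwd")
    if findings["groups"]:
        steps.append("drop member from groups: " + ", ".join(findings["groups"]))
    if findings["sudoers"]:
        steps.append("remove %d sudoers line(s) with visudo" % len(findings["sudoers"]))
    return steps


if __name__ == "__main__":
    for name in ("github-runner", "test"):
        result = audit_user(name)
        print(name, result)
        for step in remediation(result):
            print("  ->", step)
```

Only after `audit_user` reports `clean` for the name does it make sense to let OPNsense recreate the user from its config; a user that exists in master.passwd but not in pwd.db, or the other way round, is exactly the state in which `id` and `pw` give contradictory answers.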
#7
I just tested it with a new user.
There it works. Do you know of any restrictions on naming users?
The user "test" works just fine, with the same setup, but the original user "github-runner" does not work.
#8
Quote from: patient0 on April 07, 2025, 11:31:44 PM
In the end you got one line starting with 'ssh-ed25519' or 'ssh-rsa' in that field, yes?

What OPNsense version are you using?

Yes, I use ed25519 and the (single) line starts with ssh-ed25519.
I first thought the comment at the end of the line was the problem, but that is also not the case.
I removed it and it doesn't work, and the keys of the admin user do have comments, and they work.

The OPNsense version is the latest (OPNsense 25.1.4_1-amd64)
#9
Quote from: patient0 on April 07, 2025, 11:16:31 PM
On the client you want to log in from, you created an SSH key? Did you copy the public key (<key name>.pub in ~/.ssh/) of the client SSH key into the user's 'Authorized Keys' field?

Yes, that's just what I did.
I also tried with the keys working for the root user, but that didn't change anything. For root it works, for the new user it doesn't.
I've done this setup in the past, but it was some time ago, so I don't remember the exact steps to get it working.
I thought the steps I've gone through were everything I needed to do.
#10
Hi everyone,

I've added a user, selected the default "admins" group, selected a shell (/bin/sh) and pasted an SSH key for the user.
Then I've gone to Settings -> Administration.
Under Secure Shell, I enabled it, selected "wheel, admins" for Login Groups and went to the Authentication section, where I also selected "wheel, admins" and "ask password" for sudo.

But when I try to connect to the appliance via SSH as the new user, I get a "Permission denied (publickey)".

I've also tried it with other SSH keys, but it won't work, so I think it is something I messed up in the settings.
Did I forget anything obvious?

Thanks for your help in advance!
#11
Quote from: Mks on March 01, 2025, 07:45:32 PM
Hi,

I've analyzed the issue today and it was not related to OpnSense.

The NTP daemon on my Admin Workstation stopped for whatever reason and due to that the time was out of sync.

br

Hi Mks,
in my case this isn't the problem.
But I just figured out it may be the "daylight saving time", which seemingly isn't handled correctly by OPNsense.
In the logs I can see the timestamps of current actions at my time -1 hour.
Do you know if that could be the reason for the faulty OTP token?

Also, if this is really the problem, can someone explain why it only happens with version >=25.1?
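Both causes floated in this part of the thread (a stopped NTP daemon on the workstation, a one-hour offset on the appliance) come down to how much clock skew a time-based one-time password tolerates. The following is an added example, not code from OPNsense or from any poster: a minimal RFC 6238 TOTP implementation with a verification window, run against the RFC's published test secret (SHA-1, 6 digits, 30-second step). It assumes the OTP in question is standard TOTP; the server time and skew values are constructed for the demonstration.

```python
"""RFC 6238 TOTP with a verification window (added example).

Shows that a few seconds of drift is absorbed by a +/-1 step window, while a
clock that is off by a full hour (120 steps) is rejected unless the window is
widened far beyond anything sensible.
"""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test key; test data, not a real shared secret.
SECRET = b"12345678901234567890"
STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=STEP):
    """TOTP = HOTP over floor(unix_time / step); the epoch is UTC, not local time."""
    return hotp(secret, unix_time // step)


def verify(secret, code, server_time, window=1, step=STEP):
    """Accept the code if it matches any step within +/-window of the server clock.

    Every candidate is compared with hmac.compare_digest so the comparison time
    does not reveal which step (if any) matched.
    """
    base = server_time // step
    for k in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + k), code):
            return True
    return False


def client_skew_accepted(skew_seconds, server_time=1111111111, window=1):
    """Would a client whose clock is off by skew_seconds get in?

    server_time defaults to an RFC 6238 test vector instant (constructed choice).
    """
    client_code = totp(SECRET, server_time + skew_seconds)
    return verify(SECRET, client_code, server_time, window)


if __name__ == "__main__":
    print("TOTP at T=59:", totp(SECRET, 59))
    for skew in (0, -29, 45, -3600):
        print(f"skew {skew:6d}s, window 1 step:", client_skew_accepted(skew))
    print("skew -3600s, window 120 steps:", client_skew_accepted(-3600, window=120))
```

Two practical consequences follow from the code. First, TOTP hashes the UTC epoch counter, so a time zone or DST label that is merely displayed wrong in a log does not change the code; only a system clock that is actually off by an hour does, which is what `date -u` on both sides (and a comparison against an NTP source) would settle. Second, the only way a one-hour skew passes is a 120-step window, so if the authenticator exposes a window or grace setting, widening it is not an acceptable fix; correcting the clock is.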
#12
Quote from: Mks on February 28, 2025, 11:55:29 PM
Hi,
I've discovered the same issue today.

Will look at it tomorrow and provide an update.

br

Hi Mks,
thank you very much!
As further info: I updated yesterday to version 25.1.2 and the issue persists.
#13
Quote from: cookiemonster on February 28, 2025, 02:01:55 PM
Wild guess. Have you changed the root user's login shell? What is it set to?

Hi cookiemonster,
I didn't change the login shell; it's still the default "opnsense-Shell" or whatever it is called.
But nevertheless thank you!
#14
Hi, thank you for your answers.
The problem is not the connection via SSH. I already set it up and can connect to the appliance via SSH.
My problem is that after rebooting, the root login is broken.

When I reboot the appliance, I can't log in as the user root with only the password or with password + 2FA.
I need to reset it (password and login method) via the CLI.
After resetting it to Local Database only, I can log in again.
Then I enable 2FA for the login again, and the login with 2FA also works again.
But after rebooting, the "loop" begins again.
#15
Hi,

I have 2FA enabled for the WebGUI login. After updating to 25.1 I couldn't log in with 2FA and also not without it (only using the password).

I needed to connect to the machine via SSH and reset the root login and login method.
After that I needed to regenerate the OTP seed.
When this is done it works again.

Now, when the appliance is rebooted, I have the same problem.
The issue also persists after upgrading to 25.1.1.

Does anyone else have the same problem or know how i can resolve it?

Thank you in advance!