2FA Oopsie

[jim2cpu]

Hi folks. I haven't seen many articles on performing a 2FA recovery, so I thought I would start a clean, current thread.

I got frustrated with my iPhone today and decided to wipe it and "start fresh". Yeahhhh, forgot my 2FA apps. I've been able to recover everything with the exception of OPNsense. I had disabled ssh access and the root account "for security reasons" and I'm thinking at this point I may have to reboot the machine into single user mode and either reset the root password or change some configuration file to restore access to the Web GUI?

Appreciate any insights. Cheers.

[jim2cpu]

I followed the high level guidance provided by franco in this thread:

https://forum.opnsense.org/index.php?topic=15875.0

Worked perfectly. Very simply:

- Boot OPNsense to Single-User Mode
- Mount the / with "mount -o rw /"
- Run "/usr/local/sbin/opnsense-shell password"

It will ask you if you want to reset the root password and also the authentication method... it will shut off the TOPT server and flip you back to local database.

Then "/sbin/reboot" and you should be good to go.

Cheers!

[space_cadet]

I followed the high level guidance provided by franco in this thread:

https://forum.opnsense.org/index.php?topic=15875.0

Worked perfectly. Very simply:

- Boot OPNsense to Single-User Mode
- Mount the / with "mount -o rw /"
- Run "/usr/local/sbin/opnsense-shell password"

It will ask you if you want to reset the root password and also the authentication method... it will shut off the TOPT server and flip you back to local database.

Then "/sbin/reboot" and you should be good to go.

Cheers!

Thank you, jim2cpu! This helped me login again. Had to follow the steps for ZFS (https://docs.opnsense.org/troubleshooting/password_reset.html).

The first question was, do you want to change Authentication to Local Database!  ;D
Still had to reset the root password, but who cares. I was able to login after the reboot.

[Tearlach]

So, to verify, not only did this procedure (1) reset the root password, (2) allow you to change the authentication method back to Local Database, but also (3) reenable the previously disabled root user account?  I have been wondering about #3.

[passeri]

Is not the simpler method today to SSH in then use Console option 3?

[Tearlach]

passeri:

It is, and I plan on implementing SSH shortly.  I'm just trying to get all recovery options clear in my mind, along with the consequences/side effects of each.  One might have to recover via the method I asked about if, e.g., there were issues with both web access and SSH access, unlikely though that might be. ;-)