root/admin password after restore

Started by tdalej, November 03, 2025, 12:23:13 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
November 03, 2025, 12:23:13 AM
I spun up a new install of 25.7.
After getting to the login and doing the basic wizard setup bit, I restored a backup of my running OPNSense running 25.1

None of the passwords from either setup work on the console after reboot.

Is this expected?
Should I have modified the backup file and blanked password fields?
I don't recall seeing anything particular in the docs other than restore steps.

Or is this just some incompatibility between versions?
 
November 03, 2025, 05:22:18 PM #1
Not working in the console but working in the GUI? Likely a keymap issue.


Cheers,
Franco
November 03, 2025, 05:30:59 PM #2
ive experienced this as well on the business edition.  posted it a few weeks ago i believe

i had to restore with out the users if i recall.   to be able to login with a blank password to use my backup
November 04, 2025, 12:58:45 AM #3
The config I restored didn't require a login on the local console.
Can't put it on the network to even try the GUI until I am sure the interfaces are properly assigned.

Can I just edit the config file to remove the root/admin userid?
The whole <user> or just blank  <password> like this:  <password></password>
 
November 04, 2025, 10:21:24 AM #4
What's your goal? Breaking access?

The <password/> entry has been compatible across versions forever.

The only thing that could change are:

1. authentication settings
2. console keyboard mapping


Cheers,
Franco
November 05, 2025, 12:15:02 AM #5
Quote from: franco on November 04, 2025, 10:21:24 AMWhat's your goal? Breaking access?

The <password/> entry has been compatible across versions forever.

The only thing that could change are:

1. authentication settings
2. console keyboard mapping


Cheers,
Franco

Well, unless a restore does one or both of those things, that's not what this is. <shrug>


Unless .. the keyboard mapping done at installation has changed?
Could that do it?
It's been a while since I did the install of the one I'm restoring, and it's gone through a few upgrades...
I selected the one I always use on the fresh install -- it's common enough I didn't even think about it.

What setting would that be in the backup file?
November 05, 2025, 08:22:13 AM #6
> Unless .. the keyboard mapping done at installation has changed?

Yes, it's a per install setting not found in the config.xml export. We debated the good and bad about making it more persistent, but it did not seem very important unless you have a special keyboard (diverging from a basic US layout) AND use special characters from the special keyboard.

This doesn't happen for SSH or the web GUI, but it's a possibility for the console.

I mention 1. and 2. because:

With 1. you have to check the authentication settings (an OTP will not allow your plain password to be used, NTP needs to work in order for OTP to work too) and there is a GUI tester for that as well.

For 2. if you have a special keyboard layout and know your password it's easy to infer that it could be susceptible to this problem, but nobody else can tell and certainly not from a password hash. It's also why the default password is rather plain which makes keyboard mapping issues like that very unlikely.

In either case you have all the data to identify the problem and we can help assist with this after diagnosing which one it is.


Cheers,
Franco
November 07, 2025, 10:55:53 AM #7
Quote from: franco on November 05, 2025, 08:22:13 AM> Unless .. the keyboard mapping done at installation has changed?

Yes, it's a per install setting not found in the config.xml export. We debated the good and bad about making it more persistent, but it did not seem very important unless you have a special keyboard (diverging from a basic US layout) AND use special characters from the special keyboard.

This doesn't happen for SSH or the web GUI, but it's a possibility for the console.

I mention 1. and 2. because:

With 1. you have to check the authentication settings (an OTP will not allow your plain password to be used, NTP needs to work in order for OTP to work too) and there is a GUI tester for that as well.

For 2. if you have a special keyboard layout and know your password it's easy to infer that it could be susceptible to this problem, but nobody else can tell and certainly not from a password hash. It's also why the default password is rather plain which makes keyboard mapping issues like that very unlikely.

In either case you have all the data to identify the problem and we can help assist with this after diagnosing which one it is.


Cheers,
Franco


At the end of the day I just need to figure out the proper procedure to recover a backup to an identically configured computer (but with obviously different MAC addresses for each interface).

So long as the NIC assignments are done based on interface order Ix0, Ix1 and so on, I should be good -- I know which interface will be the LAN interface and I assume that attaching a laptop directly to that port will allow me to login to the UI (using the known GUI password) and address the console password issue?

I use a standard US keyboard and keyboard layout -- selecting the default in the installer on the recovery installation and _pretty sure_ but not 100% positive I did the same on the original install. 

Sounds like my best approach is to start over and document every step of the recovery.




Print
Go Up Pages1
User actions