How to disable OTP on console

Started by MiRei, January 29, 2025, 03:15:17 PM

I have just installed version 25.1 and all services and functions work without any problems. I really like the new dark theme.

Thank you very much for the great upgrade!

I noticed one small point: If OTP is set for authentication, the OTP code is now also required on the console to log in. If the system has a fault and does not receive a valid time, it is no longer possible to log in on the console. In the previous version, there was a switch "Disable integrated authentication" in the Administration - Settings Authentication under the servers. By activating it, you could log on to the console without OTP. Is there another way now?

Thank you very much!

You can set auto-login on the console instead -- and don't forget to set an SSH key as well. That takes the OTP out of the equation.


Cheers,
Franco

I have a little problem understanding your reply.
Do you mean ssh-copy-id ?

Cheers,
MiRei

The SSH key setup hint is just for the next person saying SSH also wants the OTP now.


Cheers,
Franco

Quote from: MiRei on January 29, 2025, 05:13:23 PM
I have a little problem understanding your reply.
Do you mean ssh-copy-id ?

ssh-copy-id would work for a standard FreeBSD or Linux system but in OPNsense you must use the UI to add the key to the user account in question.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 29, 2025, 05:49:56 PM
ssh-copy-id would work for a standard FreeBSD or Linux system but in OPNsense you must use the UI to add the key to the user account in question.

Wow, what a coincidence :)

Just this morning, I manually edited /root/.ssh/authorized_keys on my OPNsense instance and added a second public key to it.

I tend to generate device based keys, which in this case leads to at least two public keys for the same user "root" on OPNsense.

Now: If I checked user parameters via gui, I can only see the original, first key. The second one is not visible. A quick test from my second device shows it nevertheless works. Shouldn't we be able to add more than one pub key to a user for device based keys?

You can, but only from the top (the GUI).

Well, you can also use the API now but in either case do not edit the file and expect it to stick permanently.


Cheers,
Franco

Thanks Franco,

I was organizing this device's access for different servers, all Linux, and just continued in the same way with my sense. In fact I wasn't even aware I could do it via OPNsense's gui :D

I deleted the second entry in the file. Checked file. Added the second key via gui. Et voilà, authorized_keys is again carrying two entries.

Cool coincidence indeed.

Thanks guys!

Quote from: you on January 29, 2025, 07:13:16 PM
A quick test from my second device shows it nevertheless works.

Until you save anything user related from the UI when your second key will be deleted.

All UI configuration is stored in a single XML file and all dependent configuration is regenerated from that. Whatever you do on the command line is almost never persisted.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
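The point above, that only keys stored in the UI's config.xml survive regeneration, can be turned into a drift check. This is an added example, not code from the thread or from OPNsense; it assumes config.xml stores each user under system/user with a name element and a base64-encoded authorizedkeys element, and uses a constructed config fragment and a constructed authorized_keys file instead of reading the real ones.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample keys (not real public keys).
KEY_A = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAexampleA laptop"
KEY_B = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAexampleB desktop"

# Constructed config.xml fragment. Assumed layout: system/user/name and
# system/user/authorizedkeys holding the base64-encoded authorized_keys text.
SAMPLE_CONFIG_XML = f"""<opnsense><system>
  <user><name>root</name><authorizedkeys>{base64.b64encode(KEY_A.encode()).decode()}</authorizedkeys></user>
  <user><name>audit</name><authorizedkeys></authorizedkeys></user>
</system></opnsense>"""

# Constructed on-disk file: KEY_A came from the UI, KEY_B was added by hand.
SAMPLE_AUTHORIZED_KEYS = f"{KEY_A}\n# added manually\n{KEY_B}\n"


def parse_keys(text):
    """Return the set of key lines, ignoring blank lines and comments."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def config_keys(config_xml, username):
    """Keys the UI manages for this user, decoded from the config XML."""
    root = ET.fromstring(config_xml)
    for user in root.iter("user"):
        if user.findtext("name") == username:
            blob = user.findtext("authorizedkeys") or ""
            return parse_keys(base64.b64decode(blob).decode())
    raise KeyError(username)


def key_drift(config_xml, authorized_keys_text, username):
    """Keys only on disk are unmanaged and will vanish on the next
    regeneration; keys only in config mean the file is stale or was edited."""
    cfg = config_keys(config_xml, username)
    disk = parse_keys(authorized_keys_text)
    return {"unmanaged": sorted(disk - cfg),
            "missing_on_disk": sorted(cfg - disk)}


if __name__ == "__main__":
    print(key_drift(SAMPLE_CONFIG_XML, SAMPLE_AUTHORIZED_KEYS, "root"))
```

On a real box, replace the two constructed inputs with the contents of /conf/config.xml and the user's authorized_keys file; any key reported as unmanaged is exactly the kind of entry the thread says will be lost on the next save.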

Perhaps I have not described my problem clearly enough.
By the console I meant the serial interface or the VGA terminal.
In the event of a fault, I may no longer have a network interface and
therefore no correct time in the system.
I have not yet discovered the place in 25.1 for the configuration so
that I can only log on to the terminal with a password.

Thanks a lot!

Cheers,
MiRei

That's why I said you should consider disabling "Password protect the console menu" instead.

Nowadays you can probably get away with adding system users locally with "pw" that offer you UID 0 access via a separate password protected account, but it's not worth all the trouble as your physical access should be secured properly as well.


Cheers,
Franco

Now I have also found the switch ;-)
Yesterday I was not so successful ...
Problem solved.

Cheers,
MiRei