Getting back in to a "locked" OpnSense box using console

Started by FBachofner, April 14, 2022, 06:32:51 AM

I am a very recent OpnSense convert and enjoying it tremendously so far.  It is incredibly intuitive and/or cleanly laid out compared to OpenWRT, DD-WRT and especially MikroTik's RouterOS with which I had multiple false starts.  Thank you OpnSense developers (and predecessors) for your great work!

In spite of the intuitiveness, this afternoon I managed to lock myself out (of the web interface) while experimenting with VLANs.

Surprisingly, I am NOT able to log in via SSH to get anything done.  Connection attempts to a known correct port time out with either the admin or my single "named" user.

I am fairly certain I gave each user SSH access and that the non-standard SSH port was added (automatically, then double-checked) to the "anti-lockout" rule.  It is, however, possible I did that on an earlier test installation.

So, I guess I am left with attaching a keyboard and display.

My related questions then are:

  • Where are the docs showing how to use the console? [I have poked around in https://docs.opnsense.org/manual/ and found nothing, even in the troubleshooting section, which surprised me quite a bit.]
  • In the absence of such documentation, what are the steps to restore from a backup when in the console? (I assume it might be much quicker to do that than find and fix whatever arcane thing I was trying to do with VLANs, especially since I applied a bunch of changes (I know, I know!).)

I'm hoping to not have to reinstall to restore a backup (although that would not be a worst-imaginable case scenario!)

Thanks in advance for any insights.

Quote from: FBachofner on April 14, 2022, 06:32:51 AM
what are the steps to restore from a backup when in the console?

From a screenshot of the console I just found elsewhere online, it looks like restoring from a backup is a top-level option.

I'll try that in a moment and will report back.

Either way, I would still like to hear any ideas about my inability to login via SSH.

Quote from: FBachofner on April 14, 2022, 06:45:42 AM
looks like restoring from a backup is a top-level option.

I'll try that in a moment and will report back.

)(*&^#@$! Firefox . . . how I love thee!

From the recesses of my brain upwelled a memory / thought that maybe I should clear my Firefox cache, etc.  This has sometimes helped when having problems accessing protected sites (although usually when I am presented with authentication dialog which I was not getting from OpnSense at all).

Lo and behold! I have logged in to OpnSense, without resorting to console!

Quote
Either way, I would still like to hear any ideas about my inability to login via SSH.

I will investigate this further in another moment.  There does not seem to be an anti-lockout (or maybe it was actually "auto-lockout" !!) rule.  So much for the double check (referenced above) I thought I had performed.

Anti-lockout and SSH listening capabilities can be tricky depending on interface layout and specific SSH settings used. Anti-lockout is bound to LAN by default, but can move to another device if interfaces were removed or reassigned. On LAN you also have default allow rules, but on other interfaces you have not, so if the anti-lockout is on the wrong interface and the rule is not in place it couldn't possibly work.


Cheers,
Franco

April 14, 2022, 08:29:22 AM #4 Last Edit: April 14, 2022, 08:42:27 AM by FBachofner
Hi @franco

It turns out the shell specified for the named user was /sbin/nologin

When I changed that, I was able to SSH in.

However, the shell does not automatically present the helpful "console" I have seen a couple of times on initial installation and configuration of OpnSense.

The root user should get that (i.e. I presume that is what is referred to by /usr/local/sbin/opnsense-shell).

Alas:

  • that shell is not available to the named user from the dropdown (nor can I manually type it in)
  • I still can not SSH in as root

Trying to SSH / login as root, I get the following:

Password:
Password:
Password:
root@192.168.1.1's password:
Permission denied, please try again.


Meanwhile, everything seems primed for SSH login by Root.  [ See attached screenshot. ]


Quote from: franco on April 14, 2022, 07:49:24 AM
Anti-lockout and SSH listening capabilities can be tricky depending on interface layout and specific SSH settings used. Anti-lockout is bound to LAN by default, but can move to another device if interfaces were removed or reassigned. On LAN you also have default allow rules, but on other interfaces you have not, so if the anti-lockout is on the wrong interface and the rule is not in place it couldn't possibly work.

This rule has moved to NAT as I opened various ports for remote management of OpnSense and a couple of important machines on the network and access to their services.

Remote (i.e. from WAN) access via SSH was also not possible.  Web access was also attempted and it failed.  My remote user did not have time to clear Firefox cache to attempt another login . . .

Personally I'm using a non-root user and "sudo su" after having sudo configured as required in the same GUI page.

Non-root users can use opnsense-shell, but the features it uses will be only partially available since they alter administrative settings which you need root for anyway :)


Cheers,
Franco

Hi @franco

Meanwhile, I am "locked out" of the web interface again.  No login page, endless wait . . .  [ this time it is definitely not Firefox.  I have cleared cache, etc. ]

Quote from: franco on April 14, 2022, 08:39:44 AM
Personally I'm using non-root user and "sudo su" after having Sudo configured as required in the same GUI page.

Non-root users can use opnsense-shell, but the features it uses will be only partially available since they alter administrative settings

Because of the new "lockout" I SSHed in as the named user.  Alas, can not even reboot as I do not have sudo permission for that user.  Your input above seems exactly on point.

Alas, I can not get in to change it!  Grrrr.

I should mention, the first time I finally got back in I immediately updated to 22.1.6 . . .

Just in case this would solve anything.


Also, is there any way to upload a text-based OpnSense config file here (redacted of passwords and other sensitive info) so that any forum gurus can review for massive configuration errors?

Feel free to post a config.xml but I think specific questions are better suited for this forum as they don't bind too much time.

Not sure how you end up being locked out, because you don't say what you are doing, what your setup is: e.g. VMs may have strange behaviour during reconfigure of IPs and so on and so forth.


Cheers,
Franco

Hi @franco

Quote from: franco on April 14, 2022, 08:58:11 AM
Not sure how you end up being locked out, because you don't say what you are doing, what your setup is: e.g. VMs may have strange behaviour during reconfigure of IPs and so on and so forth.

This is installed "on metal" (not VM).  It is an ultra-small form factor PC based on Intel Celeron J4125 with just two NICs, one bound to WAN, the other to LAN.  All host connections are handled by a NetGear 24-port switch which is (of course) attached to the OpnSense LAN port.


FYI, I did not do anything which could be construed to cause a lockout this 2nd time.  No editing of firewall rules, no work with VLANs, etc.  The only thing I had done was to press save after reviewing the root user's settings (which had not changed, but I wanted to "confirm" those settings, hoping SSH login would become enabled).

In the case of this 2nd lockup, I decided to reboot the machine and could then immediately again log into the web interface.  Perhaps earlier clearing the Firefox cache did not actually achieve anything (the successful login there happened to be about 9 hours after the lockout).

BTW, during each "lockout" I could still connect to other hosts on the network and also browse the internet.

During the second lockout I also "successfully" SSHed in, but could not reboot because of a lack of permissions.

With regard to SSH access, I have noticed that in:

System: Access: Groups

There is nothing which indicates an ability to select "SSH" or shell access or similar.

So too in
System: Access: Users

I can not edit "Effective Privileges" to include anything indicating I would be able to log in to any sort of text mode (although one user can).

The lack of such options contravenes @franco's help from 2015 in the post: https://forum.opnsense.org/index.php?topic=1930.msg6008#msg6008

Granted, it is 6.5 years later and things have changed, but the fact I can not find similar settings is a bit puzzling.

I have also checked plugins and packages for anything obviously missing but am not seeing anything jump out.


Quote from: franco on April 14, 2022, 10:14:22 AM
See https://forum.opnsense.org/index.php?topic=27870.0

Thank you for the additional info.

Hey!  I now have SSH access for root.

I may have discovered a bug.

At System: Settings: Administration

I changed Authentication:Server from "nothing" to "local database" (#1 in screenshot) even though that is supposed to be the default if "nothing" is selected.

The ONLY other change I had made was to Authentication:Sudo to "ask password" (#2 in screenshot).  That change, however only conceptually affects a sudo request once logged in.


April 14, 2022, 10:56:13 AM #13 Last Edit: April 14, 2022, 10:58:02 AM by FBachofner
Now that I have SSH access as root, I am wondering how to gain sudo for my named user so that I can access the opnsense-shell on login.

It seems that enabling option 2 in the screenshot in my prior post has done this?

The named user can now sudo reboot

Is that as definitive as it seems?   :-\

Local database setting is irrelevant since, yes, it is the default. Sudo asks for the current user's password if configured, not for root. To gain the root menu use "sudo su" or to gain a shell use "sudo csh".


Cheers,
Franco
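Pulling together the pitfalls that surfaced across this thread (anti-lockout rule missing, SSH root login refused, a user shell of /sbin/nologin, and sudo not enabled for the named user), here is a small checker, added as an example and not code from OPNsense or from anyone in the thread, that reads a config.xml backup and reports which of those settings are in the locked-out state. The element names and the sample config are assumptions constructed for illustration; compare them against your own config.xml before relying on the output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the general shape of an OPNsense config.xml.
# The element names are assumptions for illustration, not verified against a release.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <webgui><protocol>https</protocol><noantilockout>1</noantilockout></webgui>
    <ssh><enabled>enabled</enabled><port>2222</port><permitrootlogin>0</permitrootlogin></ssh>
    <sudo_allow_wheel>0</sudo_allow_wheel>
    <user><name>root</name><shell>/usr/local/sbin/opnsense-shell</shell><uid>0</uid></user>
    <user><name>fb</name><shell>/sbin/nologin</shell><uid>2000</uid></user>
  </system>
</opnsense>
"""

NOLOGIN = "/sbin/nologin"


def lockout_findings(config_xml: str) -> list:
    """Return one human-readable finding per remote-access pitfall present in the config."""
    system = ET.fromstring(config_xml).find("system")
    if system is None:
        return ["no <system> section found"]

    def text(path: str, default: str = "") -> str:
        return (system.findtext(path, default=default) or default).strip()

    findings = []
    # 1. Anti-lockout switched off: nothing guarantees LAN reachability of the GUI/SSH ports.
    if text("webgui/noantilockout") == "1":
        findings.append("anti-lockout rule disabled (webgui/noantilockout=1)")
    # 2. sshd not enabled at all, or 3. enabled but refusing root (the 'Permission denied' case).
    if text("ssh/enabled") != "enabled":
        findings.append("SSH service disabled (ssh/enabled)")
    elif text("ssh/permitrootlogin") != "1":
        findings.append(f"SSH root login not permitted on port {text('ssh/port', '22')}")
    # 4. sudo disabled: a named user who does get a shell cannot reboot or reach the root menu.
    if text("sudo_allow_wheel", "0") == "0":
        findings.append("sudo disabled for admin users (sudo_allow_wheel=0)")
    # 5. Users whose login shell is /sbin/nologin: an interactive SSH session ends immediately.
    for user in system.findall("user"):
        name = (user.findtext("name") or "").strip()
        if (user.findtext("shell") or "").strip() == NOLOGIN:
            findings.append(f"user '{name}' has shell {NOLOGIN}: no interactive SSH login")
    return findings


if __name__ == "__main__":
    for line in lockout_findings(SAMPLE_CONFIG):
        print("-", line)
```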