2FA broken since the update

Started by jke, February 27, 2025, 01:06:17 PM

Hi,

I have 2FA enabled for the WebGUI login. After updating to 25.1 I couldn't log in with the 2FA and also without it (only using the password).

I needed to connect to the machine via SSH and reset the root login and login method.
After that I need to regenerate the OTP seed.
When this is done it works again.

Now, when the appliance is rebooted, I have the same problem.
The issue also persists after upgrading to 25.1.1.

Does anyone else have the same problem or know how I can resolve it?

Thank you in advance!

Check your system time. Make sure you allow access for SSH via key in emergency cases.

Quote from: franco on February 27, 2025, 01:38:58 PM
Check your system time. Make sure you allow access for SSH via key in emergency cases.

Hey franco,

Do you have an easy-to-follow tutorial for SSH access via keys?

- generate a private/public key pair with e.g. ssh-keygen
- place the public key in the user account via the OPNsense UI

That's essentially all. First step depends on your client. You don't still use Putty, do you? :-) Windows 10 and up come with native SSH.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi, thank you for your answers.
The problem is not the connection via SSH. I already set it up and can connect to the appliance via SSH.
My problem is that after rebooting, the root login is broken.

When I reboot the appliance, I can't log in with the user root with only the password or password + 2FA.
I need to reset it (password and login method) via the CLI.
After resetting it to Local Database only, I can log in again.
Then I enable the 2FA for the login again, and the login with 2FA also works again.
But after rebooting, the "loop" begins again.

Wild guess. Have you changed the root user's login shell? What is it set to?

Quote from: Patrick M. Hausen on February 27, 2025, 04:06:46 PM
- generate a private/public key pair with e.g. ssh-keygen
- place the public key in the user account via the OPNsense UI

That's essentially all. First step depends on your client. You don't still use Putty, do you? :-) Windows 10 and up come with native SSH.

Thank you. I created the keys and assigned them to the users. However, SSH login didn't work for me with these keys.

What's the output of
ssh -v <username>@<opnsense-ip>?

Quote from: Patrick M. Hausen on February 28, 2025, 02:31:57 PM
What's the output of
ssh -v <username>@<opnsense-ip>?

I'll watch it again tonight, thanks!

Maybe post one of your public keys. That's not a problem, hence "public".

Hi,
I've discovered the same issue today.

Will look at it tomorrow and provide an update.

br

Quote from: cookiemonster on February 28, 2025, 02:01:55 PM
Wild guess. Have you changed the root user's login shell? What is it set to?

Hi cookiemonster,
I didn't change the login shell, it's still the default "opnsense-Shell" or whatever it is called.
But nevertheless thank you!

Quote from: Mks on February 28, 2025, 11:55:29 PM
Hi,
I've discovered the same issue today.

Will look at it tomorrow and provide an update.

br

Hi Mks,
thank you very much!
As further info: I've updated yesterday to version 25.1.2 and the issue persists.

March 01, 2025, 12:37:09 PM #13 Last Edit: March 02, 2025, 08:36:06 AM by PhoenixRider
Quote from: Patrick M. Hausen on February 28, 2025, 02:57:20 PM
Maybe post one of your public keys. That's not a problem, hence "public".

SSH-Access via Keys is now working! Thank you! :)

Hi,

I've analyzed the issue today and it was not related to OPNsense.

The NTP daemon on my Admin Workstation stopped for whatever reason and due to that the time was out of sync.

br
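
The clock-drift cause reported in the last post, as an added example that is not part of the original thread and is not OPNsense code: a minimal RFC 6238 TOTP verifier showing that a code generated on a clock five minutes off is rejected, plus a diagnostic that estimates the drift. The 30-second step, 6 digits, SHA-1 and the tolerance of one step either side are assumptions (RFC defaults), and `KEY`, `NOW` and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6    # code length (assumed)
KEY = b"12345678901234567890"   # RFC 6238 test secret, not a real seed
NOW = 1_740_000_000             # constructed verifier time (Unix seconds)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(key: bytes, unix_time: int) -> str:
    """Code shown by a generator whose clock reads unix_time."""
    return hotp(key, unix_time // STEP)


def verify(key: bytes, code: str, verifier_time: int, window: int = 1):
    """Return the step offset at which the code matches, or None if rejected."""
    counter = verifier_time // STEP
    for off in sorted(range(-window, window + 1), key=abs):
        candidate = counter + off
        if candidate >= 0 and hmac.compare_digest(hotp(key, candidate), code):
            return off
    return None


def estimate_skew(key: bytes, code: str, verifier_time: int, max_steps: int = 40):
    """Diagnostic only: generator clock minus verifier clock, in seconds."""
    off = verify(key, code, verifier_time, window=max_steps)
    return None if off is None else off * STEP


if __name__ == "__main__":
    in_sync = totp(KEY, NOW)
    drifted = totp(KEY, NOW - 300)   # generator clock 5 minutes behind
    print("in sync:", verify(KEY, in_sync, NOW))
    print("drifted:", verify(KEY, drifted, NOW))
    print("estimated skew (s):", estimate_skew(KEY, drifted, NOW))
```

The wide search in `estimate_skew` is for troubleshooting only; widening the acceptance window in production lengthens the time a captured code stays valid.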