18.7: password not acepted any more after update

[Tubs]

I just updated to 18.7. But now I cannot login any more with root and my local password. It is getting rejected with "wrong password". 


Network connection to internet is working. Servers on VLAN connection via HAproxy I also cannot reach.

[franco]

Sounds like...

o The authentication fallback for the GUI/system has been removed in favour of selecting multiple authentication servers at once.  Reassign your fallback as a primary authentication method or now use more than two methods.

Do you have console / ssh access?


Cheers,
Franco

[Tubs]

LADP connection also is used, but not for administration login. Here I always use root with local password. Order of servers us default.

Console I have. SSH I can enable over console. But as it is night in Europe this must wait till tomorrow.

Any hint that can help would br apreciated.
At keast I have  created a backup before update.

[franco]

Yup, from the console / SSH option 3) Reset the root password will turn Local Database back on. You will need to log into GUI, go to System: Settings: Administration, scroll down to Authentication Server and select both "Local Database" and your LDAP Server.


Cheers,
Franco

[Reiter der OPNsense]

Same here. After the update to 18.7 it was not possible to log in to the GUI as root, not even via SSH. The password reset function of the installer has helped. Not "3) Reset the root password" on the console (didn't work), but the password reset function which can be started immediately before installation.

Greetings, Stefan

[franco]

Hi Stefan,

The password reset of the installer calls the same script that is option 3.

I suspect you skipped answering "y" to "Do you want to set it back to Local Database? [y/N]". The installer reset assumes yes, the script asks but defaults to no.


Cheers,
Franco

[PimB]

Same problem, and I can't login as root on the console. I guess I'm locked out.

[franco]

No, use the 18.7 image password reset feature as previously mentioned.

[PimB]

Is that documented yet? I don't know how exactly.

[franco]

Use a 18.7 image to boot the live mode, start installer, select "reset password" in main menu. Reboot without install, remove image and you can log in. Don't forget to set your correct authentication methods in System: Settings: Administration: Authentication Server.


Cheers,
Franco

[PimB]

Aha, like so. Thanks, I'm back in.

[Reiter der OPNsense]

Hello Franco,
I chose no because I had absolutely no plan what the problem was. 

Before the update I had set System --> Access --> Settings --> Authentication Server = TOTP Server and Authentication Server (fallback) = Local Database. Was the TOTP server set for the GUI logon after the update? That was my original suspicion, but I could not login via TOTP either.

[franco]

Yes, TOTP was active. In fact it's always active in your case. Please confirm with the tester that it works.

But it makes no sense to have TOTP and Local set at the same time, because if you don't input the TOTP token you can login because that's your plain local password which gives you zero TOTP benefit.


Cheers,
Franco

[Reiter der OPNsense]

I only use TOTP for VPN users and I was no longer aware that I had set anything under System --> Access --> Settings --> Authentication Server. I probably didn't realize in those days that this setting applied to the GUI.

And I have not assigned an OTP seed for root, because I am not logging in via VPN with this user. That's why the login with root didn't work after the update in my case.

We have learned: If you have set up One-time Password 2 Factor Authentication, you may want to check this setting again BEFORE upgrading. 

[franco]

Ah, that explains it. It's fine in OpenVPN because each server can select its authentication method.

True about the location too. The new location under System: Settings: Administration is a bit better in 18.7, but still a bit difficult to explain that console login and SSH follow this setting as well.


Cheers,
Franco