Remote SSH Admin user creation and password reset
-
I have a lot of firewalls, hundreds, and without central management we need to get creative.
So I have two options at my disposal, which are Power Automate, which has website integration to run all firewalls, or SSH. SSH is easier to code for.
I am going with a full-on NOC and helpdesk and changing my company to only higher-end engineers. I need to create them an admin user on each and every firewall and then be able to regularly change the password, because pfSense doesn't have MFA.
Sure, I could join it to a domain, but the port forwarding needed for that and the work needed per firewall would far, far exceed just adding a user and calling it a day. Unless there is a cloud SSO service that would be cost-effective and a way to implement that quickly on hundreds of firewalls.
-
@phlmike said in Remote SSH Admin user creation and password reset:
because pfSense doesn't have MFA.
You sure? ;)
https://forum.netgate.com/topic/135424/solved-two-factor-authentication-for-admin-login
-
@johnpoz
Can that be done remotely on 300+ firewalls in mere minutes each?
-
@phlmike said in Remote SSH Admin user creation and password reset:
Can that be done remotely on 300+ firewalls in mere minutes each?
No ;) I don't think so heheh
But it does support it, was my point.
-
@johnpoz
Hence why people have asked for native MFA in the past. I understand from older posts that Jim was against it on principle. However, we have cybersecurity insurance carriers now that require token-based MFA on everything, regardless of whether it is only reachable by a single laptop in the world protected by Ethan Hunt of the IMF.
-
@phlmike said in Remote SSH Admin user creation and password reset:
if it is only reachable by a single laptop in the world protected by Ethan Hunt of the IMF.
haha - good one ;)
-
I'm not opposed to MFA on the firewall if it can be done natively; the problem is that a number of MFA solutions require something like RADIUS on the backend or need to contact third parties for validation.
Something like Google Authenticator isn't terribly difficult to implement natively, but it would take some work to integrate properly, and you'd still need to manage things individually.
With that many firewalls a central authentication source makes a lot more sense, like running a tunnel back to a central location and then having them all hit an LDAP or RADIUS server with an MFA config. You could do it without a tunnel, but IMO it wouldn't be very secure.
As for repeating that for n firewalls in a timely manner, that may be a little trickier but no less tricky than managing remote users on that many firewalls via scripting.
-
Is it possible to create a user on pfSense via SSH? Obviously for my immediate need.