    SSH + Plink + Pfsense 2.6.0 = Security Risk

    General pfSense Questions
    9 Posts 3 Posters 1.2k Views
    DeLorean

      Since I started using pfSense in 2015, I have used Plink (a command-line tool) through SSH for remote shutdown of my firewall at night (saving on electricity costs).
      My computer runs a batch file with the Plink command at shutdown.
      This worked fine for years, but since I updated to pfSense 2.6.0 last week it doesn't work like I want it to.
      I received "Access denied" error messages etc.
      After some digging, I discovered the problem.
      The Plink command for shutting down uses the root (admin) user to run the shutdown command. But for security reasons, I always disable the admin user in the User Manager WebGUI, and use a second user login with admin rights to do and configure everything I want in pfSense. Even WinSCP works fine when the admin user is disabled.
      But with version 2.6.0, Plink only works when the admin user is enabled.
      In my opinion this is a big security risk, while in "what's new in 2.6.0" this change is stated as a bug fix -> Fixed: Deny SSH access for admin and root users when the admin GUI account is disabled https://redmine.pfsense.org/issues/12346

      So my question is, is there a way to get this working like it was before?
      I don't want to have the admin user enabled all the time.

      Thanks in advance

      Grtz
      DeLorean

      jimp (Rebel Alliance Developer, Netgate)

        It was a larger risk before when root was left enabled with credentials for a disabled GUI account.

        Install the sudo package and grant access to your ssh user for whichever commands they need to run, and then ssh in with the custom account and run them using sudo.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        DeLorean @jimp

          @jimp

          Thank you for the quick reply.
          I installed sudo and configured it as described, but I still get the "Access denied" error message
          after typing the correct root/admin password.
          I have tried with the "no password" box enabled and disabled, with the shutdown location,
          and with ALL for allowing all commands.

          [screenshot: Access denied.PNG]
          [screenshot: Screen Shot 126.PNG]

          Grtz
          DeLorean

          jimp (Rebel Alliance Developer, Netgate)

            You do not use the root/admin account with sudo, only your custom account.

            For a custom account named myuser with access to sudo it would be:

            plink -ssh -P <port> -pw <password> myuser@192.168.1.1 "/usr/local/bin/sudo /sbin/shutdown -p now"

            If you let that user run the command in sudo without a password it should work without manual intervention.

            DeLorean @jimp

              @jimp said in SSH + Plink + Pfsense 2.6.0 = Security Risk:

              You do not use the root/admin account with sudo, only your custom account.

              For a custom account named myuser with access to sudo it would be:

              plink -ssh -P <port> -pw <password> myuser@192.168.1.1 "/usr/local/bin/sudo /sbin/shutdown -p now"

              If you let that user run the command in sudo without a password it should work without manual intervention.

              Hi Jimp,

              I'm almost there, but after getting access granted, the command keeps waiting until I press Return.
              When I run this script manually, I have time to press Return; if I don't press Enter, pfSense doesn't shut off.
              But when Windows runs this script at shutdown, I don't have the time to press Enter
              before this message has already disappeared and Windows continues shutting down.
              Any ideas about bypassing pressing Enter?

              Before, I never had to interact with Plink and never saw this type of question to interact, only when I did a pfSense update or clean install:
              it asked if I wanted to update the SSH keys by Yes/No and then asked for the password of the root user.
              The next shutdown then went completely without interactions.

              Grtz
              DeLorean

              [screenshot: Access granted press return.PNG]

              NogBadTheBad @DeLorean

                @delorean Create a cron task maybe?

                Andy

                1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                DeLorean @NogBadTheBad

                  @nogbadthebad said in SSH + Plink + Pfsense 2.6.0 = Security Risk:

                  @delorean Create a cron task maybe?

                  Thanks, but a shutdown at a specific time each day is not an option.
                  I want to shut down my pfSense firewall at the moment I shut down my regular computer,
                  and this is not at the same time each day.
                  This computer is also off during the day when I'm not at home.
                  My pfSense gets started by this computer with a Wake On LAN command at startup.

                  Grtz
                  DeLorean

                  jimp (Rebel Alliance Developer, Netgate)

                    What specific privileges did you grant the user that you're using to connect with SSH?

                    I haven't seen a prompt like that before, it may be something in how plink is authenticating.

                    You'd be better off configuring and using SSH keys (via putty agent, for example) than passing a password on the prompt anyhow.

                    DeLorean @jimp

                      @jimp said in SSH + Plink + Pfsense 2.6.0 = Security Risk:

                      I haven't seen a prompt like that before, it may be something in how plink is authenticating.

                      I got it working again.
                      The initial problem consisted of 2 problems.

                      1. By default, Plink could only work when the admin account was enabled,
                        but this was resolved by installing sudo.
                      2. The second problem of asking to press Return at the end of the Plink command,
                        after getting access granted, was caused by Plink itself.

                      When I first encountered the Plink malfunction problem after the pfSense update to version 2.6.0,
                      my thought was that maybe my Plink was not compatible anymore, so I downloaded and installed
                      the latest Plink version (0.76).
                      But in fact it's Plink itself that caused the second problem.
                      After some Googling with the "Access granted. Press Return to begin session" message,
                      I discovered that this is caused since Plink version 0.71 and beyond.
                      My old version of Plink was apparently before 0.71; I have now installed the latest version (0.70)
                      that doesn't have this extra need for interaction, and now everything works fully automatically again.
                      I know that using an old version of Plink is also a security risk, but SSH access from the WAN side is blocked
                      and can only be used from my internal network.
                      The admin user is also disabled for login, like it was before.

                      Big thank you to Jimp and nogbadthebad for the help.

                      Grtz
                      DeLorean
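The following POSIX sh helper is an added example for this thread; it is not code from any of the posters or from Netgate. It puts jimp's two pieces of advice side by side: a sudoers rule that lets a dedicated account run exactly one command, `/sbin/shutdown -p now`, as root without a password (instead of the ALL-commands grant tried earlier in the thread), and the plink call that uses a key file rather than `-pw` and runs without prompts. The account name `myuser`, port 22 and key file `shutdown.ppk` are placeholders; the host 192.168.1.1 and the sudo path come from jimp's reply. `-P` (uppercase) is plink's port option, `-batch` makes plink abort instead of waiting on any prompt, and `-no-antispoof` is the option PuTTY 0.71 introduced together with the "Access granted. Press Return to begin session" prompt, so the current plink release can stay installed. The visudo syntax check only runs where visudo is available; the script itself only builds and checks text, it does not touch the firewall.

```shell
#!/bin/sh
# Added example (not from the thread or Netgate): build and sanity-check a
# least-privilege sudoers rule for a shutdown-only SSH account, and print the
# matching non-interactive plink command. Names/paths below are placeholders.
set -eu

SUDO_BIN=/usr/local/bin/sudo            # sudo package path quoted in the thread
SHUTDOWN_CMD='/sbin/shutdown -p now'    # the only command the account may run

# Emit a sudoers rule granting one exact command, as root, without a password.
# Anything else the account tries through sudo is refused.
sudoers_rule() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$SHUTDOWN_CMD"
}

# Return 0 if every command in the rule is an absolute path with no wildcard,
# 1 otherwise (ALL, "/sbin/*", relative paths). "ALL" is what the thread
# tried first and is the grant to avoid for an account whose password or key
# sits in a batch file on another machine.
rule_is_least_privilege() {
    cmds=${1#*=}            # drop "user HOSTS="
    cmds=${cmds##*)}        # drop "(runas)" if present
    cmds=${cmds#*:}         # drop "NOPASSWD:" / "PASSWD:" tag if present
    verdict=0
    old_ifs=$IFS
    IFS=','
    for c in $cmds; do
        c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$c" in
            /*) case "$c" in *'*'*|*'?'*) verdict=1 ;; esac ;;
            *)  verdict=1 ;;            # ALL, empty entry, or a relative path
        esac
    done
    IFS=$old_ifs
    return $verdict
}

# Syntax-check a rule with visudo if it is installed. Prints ok, fail or skipped.
check_rule_syntax() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if visudo -c -q -f "$tmp" >/dev/null 2>&1; then r=ok; else r=fail; fi
    else
        r=skipped
    fi
    rm -f "$tmp"
    printf '%s\n' "$r"
}

# Non-interactive plink invocation: key auth (-i) instead of -pw on the command
# line (a password in a batch file is readable by anyone who can read the file
# and shows up in process listings), -batch so plink fails instead of waiting,
# and -no-antispoof (PuTTY 0.71+) to suppress the "press Return" prompt.
plink_shutdown_cmd() {
    user=$1; host=$2; port=$3; key=$4
    printf 'plink -ssh -batch -no-antispoof -P %s -i %s %s@%s "%s %s"\n' \
        "$port" "$key" "$user" "$host" "$SUDO_BIN" "$SHUTDOWN_CMD"
}

# Demo with placeholder values.
rule=$(sudoers_rule myuser)
printf 'sudoers rule    : %s\n' "$rule"
printf 'least privilege : %s\n' "$(rule_is_least_privilege "$rule" && echo yes || echo no)"
printf 'visudo check    : %s\n' "$(check_rule_syntax "$rule")"
printf 'plink command   : %s\n' "$(plink_shutdown_cmd myuser 192.168.1.1 22 shutdown.ppk)"
printf 'ALL grant ok?   : %s\n' "$(rule_is_least_privilege 'myuser ALL=(ALL) NOPASSWD: ALL' && echo yes || echo no)"
```

The printed plink line is what goes into the Windows shutdown batch file; the rule line is what the sudo package on pfSense should end up containing for that account. If the rule check reports `no`, the grant is wider than the one command and should be narrowed before the account's credentials are stored anywhere.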

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.