My pfsense failed an audit by securitymetrics.com
-
Assuming pfsense is still using lighttpd as the webserver, you can configure what ciphers it speaks. http://redmine.lighttpd.net/projects/lighttpd/wiki/Docs:SSL
If you look at the PCI DSS Compliance section that shows some higher security ciphers. You can configure lighttpd to only use those. This is of course besides the sensible advice above about restricting access to the web interface. But should you ever see this issue on another lighttpd server you can see how to correct it :).
-
Tried setting up SSH Authorized Key but it does not seem to work.
I pasted the following from the Public Key File created using puttygen:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100303"
AAAAB3NzaC1yc2EAAAABJQAAAIEAiNNMQ8KAZQhyRdek5p/anBZpBiBCsiF3BzGb
vDhGtCC+oFj7/jJsmLcPmUcxQp/L5Gz0fBzQUEcd1AZK3gTG/pEHzE8x2PU5iqSX
+LBbHIDQZuz461iiMwnL9Xu8I9T2+B7i3KX/t34SvubWYPvP6ZO/Q/+Rdmbwmmsb
GZ2FC1U=
---- END SSH2 PUBLIC KEY ----
I was still able to connect via SSH without the need of any private key. I also disabled password login for secure shell. Still getting prompted for username and password and able to log in.
-
Try omitting the begin, end, and comment lines.
-
Like this:
AAAAB3NzaC1yc2EAAAABJQAAAIEAiNNMQ8KAZQhyRdek5p/anBZpBiBCsiF3BzGb
vDhGtCC+oFj7/jJsmLcPmUcxQp/L5Gz0fBzQUEcd1AZK3gTG/pEHzE8x2PU5iqSX
+LBbHIDQZuz461iiMwnL9Xu8I9T2+B7i3KX/t34SvubWYPvP6ZO/Q/+Rdmbwmmsb
GZ2FC1U=
or
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiNNMQ8KAZQhyRdek5p/anBZpBiBCsiF3BzGb
vDhGtCC+oFj7/jJsmLcPmUcxQp/L5Gz0fBzQUEcd1AZK3gTG/pEHzE8x2PU5iqSX
+LBbHIDQZuz461iiMwnL9Xu8I9T2+B7i3KX/t34SvubWYPvP6ZO/Q/+Rdmbwmmsb
GZ2FC1U=
-
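Both forms above come down to converting PuTTYgen's "SSH2 PUBLIC KEY" block into the single-line entry that OpenSSH, and the pfSense Authorized Keys field, expect. As an added example that is not from this thread or from pfSense, this Python script does that conversion and also decodes the key blob to confirm it is a well-formed ssh-rsa key before it is pasted anywhere; the input is the two keys posted in this thread, and the function names are my own.

```python
import base64

def parse_ssh_rsa(blob):
    """Decode an ssh-rsa blob: RFC 4253 fields (4-byte big-endian length + bytes) for type, e, n."""
    fields, off = [], 0
    while off < len(blob):
        length = int.from_bytes(blob[off:off + 4], "big")
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    e, n = (int.from_bytes(f, "big") for f in fields[1:])
    return {"type": "ssh-rsa", "e": e, "bits": n.bit_length()}

def rfc4716_to_openssh(text):
    """Turn a PuTTYgen '---- BEGIN SSH2 PUBLIC KEY ----' block into '<type> <base64> <comment>'."""
    comment, b64 = "", []
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("comment:"):          # the header line PuTTYgen writes
            comment = line[len("comment:"):].strip().strip('"')
        elif line and ":" not in line and not line.startswith("----"):  # base64 body lines
            b64.append(line)
    body = "".join(b64)
    key_type = parse_ssh_rsa(base64.b64decode(body, validate=True))["type"]
    return f"{key_type} {body} {comment}".rstrip()

def inspect_authorized_key(line):
    """Parse one authorized_keys line ('<type> <base64> [comment]') and describe the key."""
    key_type, b64, comment = (line.split(None, 2) + ["", ""])[:3]
    info = parse_ssh_rsa(base64.b64decode(b64, validate=True))
    if key_type != info["type"]:
        raise ValueError("type prefix does not match the key blob")
    info["comment"] = comment.strip()
    return info

# Inputs: the PuTTYgen block and the one-line key pasted earlier in this thread.
PUTTY_BLOCK = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20100303"
AAAAB3NzaC1yc2EAAAABJQAAAIEAiNNMQ8KAZQhyRdek5p/anBZpBiBCsiF3BzGb
vDhGtCC+oFj7/jJsmLcPmUcxQp/L5Gz0fBzQUEcd1AZK3gTG/pEHzE8x2PU5iqSX
+LBbHIDQZuz461iiMwnL9Xu8I9T2+B7i3KX/t34SvubWYPvP6ZO/Q/+Rdmbwmmsb
GZ2FC1U=
---- END SSH2 PUBLIC KEY ----"""
OPENSSH_LINE = ("ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBb5HVQf5Nbdu6+bC2dE2bM1ZNC/7USV/jJRcRNtBSu9plZCEAz4BRwCkMiuHlFNHT+FO6fjcdg"
                "9Jzb/csZ8SyVP9wY0iSDYeDd9eY5N04LceCGb2AxqrL24a09BftVSlQnXvbsPaume+fKgVVMo6NCDoUhPI917PUyIlNZ8YBD9w== rsa-key-20100303")
```

Both keys decode as ssh-rsa with PuTTY's usual public exponent 37 (a 1024-bit and a 1023-bit modulus), so the pasted text itself was not the problem.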
Like the second one. That's what I do…
-
When I use the one with ssh-rsa I get connection refused. When I go to auth in putty and select the private.pkk file and try to open the connection I get connection error.
-
Did you get your key by opening puttygen and loading your private key there?
-
I generate the public key and copy it, then export the private key. Right?
-
You can use puttygen to generate a pair and then copy the key from the top of the window which says "Public key for pasting into OpenSSH authorized_keys file:"…
-
Here is a new example:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBb5HVQf5Nbdu6+bC2dE2bM1ZNC/7USV/jJRcRNtBSu9plZCEAz4BRwCkMiuHlFNHT+FO6fjcdg9Jzb/csZ8SyVP9wY0iSDYeDd9eY5N04LceCGb2AxqrL24a09BftVSlQnXvbsPaume+fKgVVMo6NCDoUhPI917PUyIlNZ8YBD9w== rsa-key-20100303
I pasted this into System:Advanced:Secure Shell:Authorized Keys. Saved.
Then opened PuTTY and loaded the session with the internal pfSense IP. Clicked on Auth in PuTTY and browsed to the Private.pkk file which I downloaded from puttygen.
Fail. ???
-
Yep. That sounds about right. Are you running 1.2.3 also?
-
1.2.3-RELEASE
built on Mon Dec 7 20:21:30 EST 2009
-
Should I remove: rsa-key-20100303 from the end of the key?
-
Nope. I have that, too….
Please check when logged in that the key is really there....
cat .ssh/authorized_keys
-
You mean check via WinSCP?
-
No. Login via putty and ssh. And then do that command in /root
-
Seems to be going from Bad to worse.
I deleted the key and unchecked the box disabling password login for SSH. Now when I connect I get:
Disconnected: No Supported authentication methods available.
-
Use your console to connect to the box…
-
OK. Disabled SSH and enabled it, and now I am back in.
cat: .ssh/authorized_keys: No such file or directory
-
OK. So I repasted the info and connected with the private key and got the following:
login as: root
Server refused our key
Using keyboard-interactive authentication.
Password:
Though I was able to get through….