pfSense bricks (WebGui + SSH)
-
Hi guys,
A few weeks ago I reported an issue that, with other issues involved (DNS), also had other components to it, namely bricking pfSense. My original post was this: Having issues with pfSense
So now I am having zero problems in regards of routing, DNS or whatever.
However, yesterday I was renewing my LE certificates using DNS Manual and I came across a "Call hook error" - detailed on this post and it seems you have to hit renew more than once, even tho the error will always show you'll get it working... that has passed, but I noticed this issue when accessing via SSH to see the logs.So now here's the thing:
Am I not able to ssh using my ldap user. If I try to do that, the pfSense bricks and I DO HAVE TO go on console and restart php-fpm and webConfigurator, that fixes it.
The issue is not about failing auth - like introducing a wrong password. I would like to leave this clear.SSH with LDAP user bricks pfSense. If I "ssh ldapuser@pfsense.url" its enough. Web authentication works perfectly tho. However, if for some reason it can't communicate properly with my LDAP server and the WebGui fails to authenticate against LDAP, it bricks as well. (tested by blocking pfSense firewall IP on the LDAP server fw)
Both ssh and webgui access is only from inside the network, its all closed to the outside. The LDAP server is external, but its been providing for Gitlab, email, and many other tools and access to many systems without an issue.
Any clue why this happens?
-
I think your definition of 'brick' differs significantly from mine since I assume you can still ping it, it still hands out DHCP, still routes traffic etc in that state? It hangs php though by the sounds of it.
Can you auth against the LDAP server in Diag > Auth in the webgui?
What errors do you see in the system log after it fails?
What errors do you see in the LDAP server log?
Steve
-
Hi Stephen.
When I can't access something via SSH (using local user) I can't say it's just PHP. Using LDAP user via SSH is what triggers it.
When something is performing residual operation, yet it can't be accessed, to me is bricked. But let's call this is semantics and move on.Web auth, as mentioned previously, worked flawlessly using LDAP, as is working now, and on the Diag > Auth the results are as expected.
I didn't find any errors on the LDAP server log, and, from what I remember - I didn't go thoroughly thru the logs on pfSense - no errors jumped at sight. I was more concerned about renewing the certificate that day.
I can do it again later, please direct me at which pfsense logs I should look at for errors on this specifically.
Thank you for your feedback sorry for taking a while to get back at this.
-
pfSense doesn't configure SSH to perform LDAP authentication. You are being locked out by sshguard because it's an invalid login attempt. It thinks you are attacking the firewall.
Check the logs to confirm it.
-
Hi @jimp thanks for your reply.
I haven't done it yet since I have to say I am in no hurry to repeat this, but I will do it with time and confirm this is the case.
Another question in this regard... considering a scenario where access is done via Kerberos/SSSD and access is controlled via RBAC or HBAC, how can I integrate this with pfSense?
Let's imagine I have an environment where I want users from some group network-admins to be able to SSH to pfSense, but I don't want to give them the local admin user... what would be the correct approach?
-
pfSense doesn't support anything like that currently. Only local users can login via ssh/shell.
-
Ok @jimp thanks for the feedback. I do hope you can add that to the roadmap, I'm sure it would be useful for many.
Best regards.
