Netgate Discussion Forum

    Changing config values for RANCID

      mamawe

      Hi all,

      I'm currently adapting some scripts to get the pfSense configuration saved with RANCID.
      As usual in RANCID the credentials will not be stored in the repository.

      At the moment the script replaces the bcrypt-hash value with the string "removed" like this:

      <?xml version="1.0"?>
       <pfsense>
              <version>19.1</version>
      @@ -42,7 +41,7 @@
                              <descr><![CDATA[System Administrator]]></descr>
                              <scope>system</scope>
                              <groupname>admins</groupname>
      -                       <bcrypt-hash>$2y$10$0QLHcRIyQ8PN98wXcw09re6wHIVVXo990E4VT4C0Nj4qWmA.LkwvK</bcrypt-hash>
      +                       <bcrypt-hash>removed</bcrypt-hash>
                              <uid>0</uid>
                              <priv>user-shell-access</priv>
                              <expires></expires>
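      Review bot: the "-" line for the admins / uid 0 user still carries the full bcrypt hash, so if that side of the diff is a revision already stored in the RANCID repository, the hash stays readable in the history after this change. Scrub before the first commit (or purge the old revision) and change that password. The header "@@ -42,7 +41,7 @@" also shows that one line was dropped earlier in the file, in a part not shown here; confirm that this is intended.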
      @@ -53,7 +52,7 @@
                      </user>
                      <user>
                              <scope>user</scope>
      -                       <bcrypt-hash>$2y$10$AQ5eUdYMgqIiVLfsOz6X2eHE5bHdgBQAjIhFOh728r1vsik84jZka</bcrypt-hash>
      +                       <bcrypt-hash>removed</bcrypt-hash>
                              <descr><![CDATA[RANCID]]></descr>
                              <name>rancid</name>
                              <expires></expires>
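      Review bot: in this user block <bcrypt-hash> comes before <descr> and <name>, while in the previous hunk it follows <groupname>, so the filter has to match the element by name wherever it appears inside <user>, not by position. Every user also ends up with the same literal "removed", which is not a valid bcrypt string, so the restore notes should say that all passwords have to be set again after a restore.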
      

      I'm not sure here what would be better with regard to restoring the configuration from RANCID: to replace the hash with the string "removed" or to omit <bcrypt-hash>...</bcrypt-hash> completely.

      What do you think?

      Kind regards,
      Mathias

        stephenw10 Netgate Administrator

        Are you asking what is the better option to restore with? Like how does pfSense handle an invalid hash vs a missing hash?

        Steve

          mamawe @stephenw10

          @stephenw10 said in Changing config values for RANCID:

          Are you asking what is the better option to restore with? Like how does pfSense handle an invalid hash vs a missing hash?

          Yes, that's what I wanted to know.

          Mathias

            stephenw10 Netgate Administrator

            Not something that should ever happen so... it's unclear! Try it and see on something that doesn't matter if it fails.

            Steve

              mamawe @stephenw10

              @stephenw10 said in Changing config values for RANCID:

              Not something that should ever happen so... it's unclear! Try it and see on something that doesn't matter if it fails.

              I tried it on a test VM and found the following out:

              1. Web access and SSH with password fail with both methods. One would need access to the console to restore access.

              2. SSH access works with Authorized SSH Keys when the configuration is restored containing <bcrypt-hash>removed</bcrypt-hash>, but not when this line is missing.

              3. To get web access I can log in via SSH with authorized keys as admin and select 3) Reset webConfigurator password. After that I would have to restart the machine (reroot would suffice) and then I can log in to the webConfigurator and set the passwords.

              So I will save the configuration with <bcrypt-hash>removed</bcrypt-hash>.

              Is there a way to set an arbitrary webConfigurator password from SSH instead of resetting it to the default password?

              Mathias
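
As an added example (not part of the original posts, and not RANCID's or pfSense's own code): a Python filter that keeps the <bcrypt-hash> element but replaces its value with "removed", the variant the test above found still allows key-based SSH login, and then checks that no bcrypt-shaped string is left and that no <user> block lacks the element. The function names and the sample config are constructed for illustration.

```python
import re

PLACEHOLDER = "removed"  # the replacement string used in the thread
HASH_ELEM = re.compile(r"(<bcrypt-hash>)(.*?)(</bcrypt-hash>)", re.S)
# Shape of a bcrypt string: $2a/$2b/$2x/$2y, two-digit cost, 53 salt+digest chars
BCRYPT_SHAPE = re.compile(r"\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}")
USER_BLOCK = re.compile(r"<user>.*?</user>", re.S)
NAME = re.compile(r"<name>(.*?)</name>")

def scrub(config_text):
    """Return (scrubbed_text, replaced_count); the element itself is kept."""
    count = 0
    def repl(m):
        nonlocal count
        if m.group(2) != PLACEHOLDER:
            count += 1
        return m.group(1) + PLACEHOLDER + m.group(3)
    return HASH_ELEM.sub(repl, config_text), count

def leftover_hashes(config_text):
    """bcrypt-shaped strings still present, e.g. inside some other element."""
    return BCRYPT_SHAPE.findall(config_text)

def users_without_hash_element(config_text):
    """Names of <user> blocks that have no <bcrypt-hash> element at all."""
    missing = []
    for block in USER_BLOCK.findall(config_text):
        if not HASH_ELEM.search(block):
            m = NAME.search(block)
            missing.append(m.group(1) if m else "<unnamed>")
    return missing

# Constructed sample input: the hash is a dummy value, not a real credential.
FAKE_HASH = "$2y$10$" + "A" * 53
SAMPLE = f"""<pfsense>
  <system>
    <user><name>admin</name>
      <bcrypt-hash>{FAKE_HASH}</bcrypt-hash></user>
    <user><bcrypt-hash>{FAKE_HASH}</bcrypt-hash>
      <name>rancid</name></user>
    <user><name>nohash</name></user>
  </system>
</pfsense>
"""

if __name__ == "__main__":
    clean, n = scrub(SAMPLE)
    print(n, leftover_hashes(clean), users_without_hash_element(clean))
```

Running the two checks on the scrubbed text before every commit catches a hash that ended up outside <bcrypt-hash> and a user block that would come back from a restore without the element.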

                stephenw10 Netgate Administrator

                If you choose php shell from the menu you can run playback changepassword and set any password.

                Or from the cli pfSsh.php playback changepassword

                Steve

                  mamawe @stephenw10

                  @stephenw10 Thanks, that's exactly what I want.

                  Kind regards,
                  Mathias
