Changing config values for RANCID

mamawe

Hi all,

I'm currently adapting some scripts to get the pfSense configuration saved with RANCID.
As usual in RANCID the credentials will not be stored in the repository.

At the moment the script replaces the bcrypt-hash value with the string "removed" like this:

<?xml version="1.0"?>
 <pfsense>
        <version>19.1</version>
@@ -42,7 +41,7 @@
                        <descr><![CDATA[System Administrator]]></descr>
                        <scope>system</scope>
                        <groupname>admins</groupname>
-                       <bcrypt-hash>$2y$10$0QLHcRIyQ8PN98wXcw09re6wHIVVXo990E4VT4C0Nj4qWmA.LkwvK</bcrypt-hash>
+                       <bcrypt-hash>removed</bcrypt-hash>
                        <uid>0</uid>
                        <priv>user-shell-access</priv>
                        <expires></expires>
@@ -53,7 +52,7 @@
                </user>
                <user>
                        <scope>user</scope>
-                       <bcrypt-hash>$2y$10$AQ5eUdYMgqIiVLfsOz6X2eHE5bHdgBQAjIhFOh728r1vsik84jZka</bcrypt-hash>
+                       <bcrypt-hash>removed</bcrypt-hash>
                        <descr><![CDATA[RANCID]]></descr>
                        <name>rancid</name>
                        <expires></expires>

I'm not sure here what would be better with regard to restoring the configuration from RANCID: to replace the hash with the string "removed" or to omit <bcrypt-hash>...</bcrypt-hash> completely.

What do you think?

Kind regards,
Mathias

stephenw10

Are you asking what is the better option to restore with? Like how does pfSense handle an invalid hash vs a missing hash?

Steve

mamawe

@stephenw10 said in Changing config values for RANCID:

Are you asking what is the better option to restore with? Like how does pfSense handle an invalid hash vs a missing hash?

Yes, that's what I wanted to know.

Mathias

stephenw10

Not something that should ever happen so... it's unclear! Try it and see on something that doesn't matter if it fails.

Steve

mamawe

@stephenw10 said in Changing config values for RANCID:

Not something that should ever happen so... it's unclear! Try it and see on something that doesn't matter if it fails.

I tried it on a test VM and found the following out:

Web access and SSH with password fails with both methods. One would need access to the console to restore access.
SSH access works with Authorized SSH Keys when the configuration is restored containing <bcrypt-hash>removed</bcrypt-hash>, but not when this line is missing.
To get web access I can login via SSH with authorized keys as admin and select 3) Reset webConfigurator password. After that I would have to restart the machine (reroot would suffice) and then I can login to the webConfigurator and set the passwords.

So I will save the configuration with <bcrypt-hash>removed</bcrypt-hash>.

Is there a way to set an arbitrary webConfigurator password from SSH instead of resetting it to the default password?

Mathias

stephenw10

If you choose php shell from the menu you can run playback changepassword and set any password.

Or from the cli pfSsh.php playback changepassword

Steve

mamawe

@stephenw10 Thanks, that's exactly what I want.

Kind regards,
Mathias