SSH admin password should be the same as web admin right?
-
Just want to double check… when you want to SSH like
ssh admin@192.168.1.1
the password should be the same as the web admin login right? When it asks me for the password and I paste it in, I just get a "connection closed" message.
It's not a huge issue 'cause I just added my SSH key via the web admin instead but I'm just curious what could be the problem…
-
@yannb said in SSH admin password should be the same as web admin right?:
I paste it in, I just get a "connection closed" message.
paste somewhere else, in the middle of a set of "xxxxxxxxxxxxxx" and check if there aren't any surrounding spaces or other white chars.
pasting just works fine - just tried it. Works.
Btw : paste your cert password, never your admin pfSense password, that method of login should be disabled right after initial GUI setup.
edit : wtf : echo mode is on ?
-
@Gertjan cert password? The whole point of a SSH cert is not to use a password…
Once you have a cert added it doesn't ask for a password. I'm probably misunderstanding what you mean.
that method of login should b disabled right after initial GUI setup
I think I read in the docs that you can only log in via password from the LAN… This is for my home setup so it should be safe enough in theory no?
Thanks!
-
@yannb said in SSH admin password should be the same as web admin right?:
you have a cert added it doesn't ask for a password
It's a choice.
Cert can be baked without a password.
Normally, I add one in. (dono why any more, it's just a reflex)
@yannb said in SSH admin password should be the same as web admin right?:
log in via password from the LAN
By adding a "SSH in" firewall rule on any interface, you could login from any interface.
But for WAN this would be considered as a security risk.
Other interface : the choice is up to you.
On LAN : disable the default anti-lockout rule, make a new one that specifies your (source) IP addresses and only your device can login.
Etc etc.
-
@Gertjan
phuuu glad i'm not alone with that reflex ;)
-
I don't have a problem with pfSense 2.4.5
my ssh admin password is the same as gui
ssh admin@10.0.1.81
Password for admin@pfSense.ngtrain.com:
pfSense - Netgate Device ID: 3433882c484aeebf8e40
*** Welcome to pfSense 2.4.5-RELEASE-p1 (amd64) on pfSense ***
WAN (wan) -> vtnet0 -> v4: 10.0.1.81/24
LAN (lan) -> vtnet1 -> v4: 192.168.1.1/24
0) Logout (SSH only) 9) pfTop
1) Assign Interfaces 10) Filter Logs
2) Set interface(s) IP address 11) Restart webConfigurator
3) Reset webConfigurator password 12) PHP shell + pfSense tools
4) Reset to factory defaults 13) Update from console
5) Reboot system 14) Disable Secure Shell (sshd)
6) Halt system 15) Restore recent configuration
7) Ping host 16) Restart PHP-FPM
8) Shell
Enter an option:
-
Hi all, the password is the same.
@Gertjan said in SSH admin password should be the same as web admin right?:
@yannb said in SSH admin password should be the same as web admin right?:
you have a cert added it doesn't ask for a password
It's a choice.
Cert can be baked without a password.
Normally, I add one in. (dono why any more, it's just a reflex)
@yannb said in SSH admin password should be the same as web admin right?:
log in via password from the LAN
By adding a "SSH in" firewall rule on any interface, you could login from any interface.
But for WAN this would be considered as a security risk.
Other interface : the choice is up to you.
On LAN : disable the default anti-lockout rule, make a new one that specifies your (source) IP addresses and only your device can login.
Etc etc.
-
Could pfSense use port knocking like Linux did?
I mean telnet other port 3x then it will open port 22
-
@nbctcp port 8*** maybe?
-
No, there is no port knocking in pfSense. Currently at least.
Steve
-
@nbctcp said in SSH admin password should be the same as web admin right?:
Could pfSense use port knocking like Linux did?
I mean telnet other port 3x then it will open port 22
Way back - like last century, I used such a method to gain access to private resources, while published on public networks.
It worked well.
These days we have (Open)VPN ;)