Automatic Backups from previous owner
Hi all, I recently bought a pre-owned SG-1100 and it is my first pfSense device. The device came with factory settings (I assume) since I was prompted to run the Setup Wizard the first time I connected.
I have all the basics working, so I decided to enable the Auto Configuration Backup. After doing so, I can see the last 100 backups made by the previous owner in the Restore tab. I understand these backups are tied to the Device Key, which in turn is tied to the SSH public key, and this probably means the system wasn't reinstalled but just reset to defaults. I guess this also means the previous owner could see my backup log (not the config itself) if he has saved the Device Key.
Here is my question: Can I just generate new SSH keys and hence a new Device Key and that would be enough to stop the "cross contamination" of backup logs? Or do I have to do a clean install to get new keys?
I know that from a security point of view a clean install is probably the way to go but I doubt the eBay seller is out to get me with a poisoned install.
I'm comfortable with the CLI (if new keys can't be generated via the GUI).
Thanks for your help!
the ssh key files are stored inside /etc/ssh
you can generate new keys with
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ''
ssh-keygen -q -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key
make a backup of the files first ...
reboot and see if the Device Key changed; I have never tried
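As an added example (not code from anyone in this thread), the procedure above wrapped in a script: back up the existing host keys first, regenerate the ed25519 and RSA pairs, and print fingerprints before and after so the Device Key change can be confirmed. The /etc/ssh and /root paths, the script name and the "rotate" argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: rotate the pfSense SSH host keys
# with a timestamped backup first and print fingerprints before/after so the
# Auto Config Backup Device Key change can be confirmed. Paths are assumed.
set -eu

# Copy every host key pair in KEYDIR into a timestamped subdirectory of
# BACKUPDIR and print that path. Fails if there is nothing to back up, so the
# rotation below never runs without a backup.
backup_host_keys() {
    keydir=$1; backupdir=$2
    dest="$backupdir/ssh-hostkeys-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" && chmod 700 "$dest"   # private keys inside: root-only
    found=0
    for f in "$keydir"/ssh_host_*_key "$keydir"/ssh_host_*_key.pub; do
        [ -f "$f" ] || continue             # an unmatched glob stays literal
        cp -p "$f" "$dest/"
        found=1
    done
    [ "$found" -eq 1 ] || { echo "no host keys in $keydir" >&2; return 1; }
    printf '%s\n' "$dest"
}

# Print the SHA256 fingerprint of each public host key in KEYDIR.
fingerprints() {
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        ssh-keygen -lf "$pub"
    done
}

# Replace the ed25519 and RSA host keys (the two types generated in the thread).
regenerate_host_keys() {
    keydir=$1
    rm -f "$keydir"/ssh_host_ed25519_key "$keydir"/ssh_host_ed25519_key.pub \
          "$keydir"/ssh_host_rsa_key "$keydir"/ssh_host_rsa_key.pub
    ssh-keygen -q -t ed25519 -N '' -f "$keydir/ssh_host_ed25519_key"
    ssh-keygen -q -t rsa -b 4096 -N '' -f "$keydir/ssh_host_rsa_key"
}

# Only act when asked explicitly:  sh rotate-hostkeys.sh rotate /etc/ssh /root
if [ "${1:-}" = "rotate" ]; then
    keydir=${2:-/etc/ssh}; backupdir=${3:-/root}
    dest=$(backup_host_keys "$keydir" "$backupdir")
    echo "old keys saved to $dest"; echo "old fingerprints:"; fingerprints "$keydir"
    regenerate_host_keys "$keydir"
    echo "new fingerprints:"; fingerprints "$keydir"
    echo "now reboot and check the Device Key under Services > Auto Config Backup"
fi
```

The old keys stay in the backup directory, so the previous Device Key can be restored by copying them back and rebooting if anything goes wrong.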
Yes, I would clean install that anyway to be sure. You really have no idea what the previous owner may or may not have done.
Also it's always a good idea to have a copy of the reinstall image and to know you can use it.
Open a ticket with us with your NDI to get it: https://go.netgate.com/
@kiokoman For future reference, I generated new keys and as expected the Device Key changed and I could create new backups with a clean log. So now we know that seems to work.
@stephenw10 I will do that now, thanks for the suggestion. I already know I can connect to the console via USB since I decided "I should try that now while it is not an emergency instead of when I break something and the internet stops working"
Thanks to both for your time.