Netgate Discussion Forum
    Remote SSH Admin user creation and password reset

    General pfSense Questions
    8 Posts 3 Posters 929 Views
    • PhlMike

      I have a lot of firewalls, hundreds and without central management we need to get creative.

      So I have two options at my disposal, which are Power Automate, which has website integration to run on all firewalls, or SSH. SSH is easier to code for.

      I am going with a full on NOC and helpdesk and changing my company to only higher-end engineers. I need to create them an admin user on each and every firewall and then be able to regularly change the password because pfSense doesn't have MFA.

      Sure, I could join it to a domain but the port forwarding needed for that and the work needed per firewall would far, far exceed just adding a user and calling it a day. Unless there is a cloud SSO service that would be cost effective and a way to implement that quickly on hundreds of firewalls.

      • johnpoz LAYER 8 Global Moderator @PhlMike

        @phlmike said in Remote SSH Admin user creation and password reset:

        because pfSense doesn't have MFA.

        You sure? ;)

        https://forum.netgate.com/topic/135424/solved-two-factor-authentication-for-admin-login

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • PhlMike @johnpoz

          @johnpoz
          Can that be done remotely on 300+ firewalls in mere minutes each?

          • johnpoz LAYER 8 Global Moderator @PhlMike

            @phlmike said in Remote SSH Admin user creation and password reset:

            Can that be done remotely on 300+ firewalls in mere minutes each?

            No ;) I don't think so heheh

            But it does support it, was my point.


            • PhlMike @johnpoz

              @johnpoz
              Hence why people have asked for native MFA in the past. I understand from older posts that Jim was against it on principle. However, we now have cybersecurity insurance carriers that require token-based MFA on everything, regardless of whether it is only reachable by a single laptop in the world protected by Ethan Hunt of the IMF.

              • johnpoz LAYER 8 Global Moderator @PhlMike

                @phlmike said in Remote SSH Admin user creation and password reset:

                if it is only reachable by a single laptop in the world protected by Ethan Hunt of the IMF.

                haha - good one ;)


                • jimpJ jimp moved this topic from Problems Installing or Upgrading pfSense Software on
                • jimp Rebel Alliance Developer Netgate

                  I'm not opposed to MFA on the firewall if it can be done natively, the problem is a number of MFA solutions require something like RADIUS on the backend or to contact third parties for validation.

                  Something like Google Authenticator isn't terribly difficult to implement natively, but it would take some work to integrate properly, and you'd still need to manage things individually.

                  With that many firewalls a central authentication source makes a lot more sense, like running a tunnel back to a central location and then having them all hit an LDAP or RADIUS server with an MFA config. You could do it without a tunnel, but IMO it wouldn't be very secure.

                  As for repeating that for n firewalls in a timely manner, that may be a little trickier but no less tricky than managing remote users on that many firewalls via scripting.

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  • PhlMike

                    Is it possible to create a user on pfSense via SSH? Obviously for my immediate need.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.