HA Machines primary and secondary have same auto backup key.
-
@reberhar So I generated a new key pair with ssh-keygen, copied it into /etc/ssh, set the permissions, and rebooted the server. The key for autobackup did not change. The next thing I will try is to edit the config file.
The info icon says that the autobackup key is based on the firewall ssh key. I wonder how they mangle it and if there is some sort of consistency check. It seems like this must happen on install, but this puzzles me, because I have begun new machines with a config.xml file from a different machine and it always gave me a new autoconfig key.
I guess the real question is how do I get Netgate to establish a new auto backup key. Just changing the ssh key pair does not appear to be enough. The two CARP machines do have different Netgate IDs.
Is this a possible security risk? I mean I can recover the config backup material with this autobackup key from either machine. I suppose it is not but there does seem to be something to think about. The danger is restoring a config to the wrong machine.
-
You need to have the backup pass key also. If you already have the full config to recover that from you already have access anyway.
-
@stephenw10 The problem is that the primary and secondary both use the same auto backup repository with the same key. I am trying to stop that from happening, e.g. if the primary does a backup, it appears in the secondary's list and can then be applied to the secondary. That would be a disaster.
The Auto backup key is based on one of the security key pairs. There are two sets of keys in the /etc/ssh. One is the host key and the other is the ssh key, I think. Their sizes are quite different. I have tried replacing the host key pair without result, i.e. no new autobackup key. I am trying to research how to replace the other key which must be the ssh key, but that pair is only a hundred or so bytes each. A standard SSL keygen produces a much larger key set. I am trying to learn what I am looking at and how I need to tweak it.
We are always challenged and learning in what we do.
-
In recent pfSense versions the SSH key is stored in the config and the ACB key uses that. If you restore the Primary config into the Secondary you will end up with the same key on both nodes and the problems that causes. If you need to do that you should remove the sshdata section from the config before importing it. The secondary will then generate a new key when ssh is enabled.
-
Awesome - that is something I can easily do!
Thanks so much!
-
Just to be clear, there are more things that need to be changed in the primary config before it can be used in the secondary. But if that's how you initially created the secondary node then it could have ended up with the same key.
However you should be able to remove the sshdata section from the existing secondary config, remove the ssh keys from /etc/ssh, and then restore the config again to generate a new ssh key set.
Steve
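Here is an added Python example (not from this thread or from pfSense itself) that checks whether two exported config.xml files carry the same sshdata section, the condition described above that gives both HA nodes one ACB identity, and strips that section so the node regenerates its SSH keys on restore. It assumes only that config.xml is well-formed XML with a top-level sshdata element; the two sample configs below are constructed placeholders, not real exports.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs (not real pfSense exports). The sshdata contents are
# a placeholder; only the element name comes from the thread.
PRIMARY_XML = """<?xml version="1.0"?>
<pfsense>
  <system><hostname>fw-primary</hostname></system>
  <sshdata>PLACEHOLDER-KEY-MATERIAL</sshdata>
</pfsense>"""

# A secondary built by restoring the primary's backup: identical sshdata block.
SECONDARY_XML = PRIMARY_XML.replace("fw-primary", "fw-secondary")


def sshdata_fingerprint(config_xml):
    """SHA-256 of the serialized <sshdata> subtree, or None if the section is absent.
    Only the digest is compared, so key material never has to be printed or logged."""
    node = ET.fromstring(config_xml).find("sshdata")
    if node is None:
        return None
    return hashlib.sha256(ET.tostring(node)).hexdigest()


def nodes_share_ssh_identity(config_a, config_b):
    """True when both configs carry an identical <sshdata> section."""
    fp_a, fp_b = sshdata_fingerprint(config_a), sshdata_fingerprint(config_b)
    return fp_a is not None and fp_a == fp_b


def strip_sshdata(config_xml):
    """Return (config_without_sshdata, removed_flag).
    With the section gone, pfSense creates fresh SSH keys when ssh is enabled
    after the restore, which gives the node a new ACB identity."""
    root = ET.fromstring(config_xml)
    node = root.find("sshdata")
    if node is None:
        return config_xml, False
    root.remove(node)
    # ET drops the XML declaration on serialization, so put it back.
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode"), True
```

Run `nodes_share_ssh_identity()` over the primary's backup and the secondary's current config before a restore; a True result means the secondary should be rebuilt from a config passed through `strip_sshdata()`.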
-
@stephenw10 Concerning the secondary with the ... original non-primary before HA configuration. Of course I could have done it from scratch, but when you have an already running complex system with 5 WANs it would have been a daunting task.
I followed carefully the instructions in the manual, and then the multi-WAN instructions. We have only one LAN and no DMZ. I have other functioning HA installs to fall back on to check configuration. Then I added other firewall rules that I was aware of that help in management over our tunnel system. I think the OPEN_VPN, SQUID and DNS are properly configured. I often wonder if I should use the CARP VIPs in SQUID but the instructions don't call for it.
Could I have missed something, or is there something I don't know about? Of course. I don't have the hubris to think I control all these things.
The one problem I had was pfBlocker's CARP VIP. I had to make that an IP Alias, which works ok.
If you have some suggestions I am open.
-
@reberhar Notices
SSH KeyGen
pfSense has started creating missing SSH keys. SSH Startup will be delayed. Please note that reloading the filter rules and changes will be delayed until this operation is completed. @ 2023-07-03 16:36:40
SSH Startup
pfSense has completed creating your SSH keys. SSH is now started. @ 2023-07-03 16:36:42
Thanks Stephen.
-
So it created a new key set and ACB now has a new identity for the Secondary?
-
@stephenw10 Yes it does.
I was willing to try this, but after many years of computers, I wanted to do my due diligence first. I used to do PDP-8s. I learned to be careful about deleting things.