Investigating how did I locked myself out of pfsense
-
Check the config diffs for each change in the history. See if it's actually setting a different password somewhere.
Also I assume you were able to access the login screen still? Just unable to login successfully there?
-
@stephenw10 Hey and thanks for the suggestion.
Unfortunately the default limiter of 30 that I had left had already rotated so I no longer can do these cross-checks directly on pfsense. Luckily, in the heat of the situation back then I downloaded 3 configs around the "Unknown" changes.
The
bcrypt-hash
values from the 3 versions were different. That got me worried additionally, because neither of them had the same values as my current hash value. This was unexpected, because when I did the PW reset, I pasted the same old password. So, I expected the same hash value. I have it-tools installed locally so I was able to cross check my password against the two set of hash values - success. I guess what happened is that every time PW reset/change is done, the hash is salted. Or at least that would explani the difference.Now for the real problem. I grabbed the three hash values, and cross-checked them versus the OpenVPN user PW that I set that day - again, success. What happened was that I resetted my admin account PW, instead of my VPN user PW (that was not vanilla VPN setup. I had that an year ago, I just disabled it and now re-enabled it).
TL;DR: Wrong account PW reset.
-
Ah, OK so you think you just set the wrong account rather than some backend bug?
-
That would be the simplest solution, yes. The two account fields are next to each other, so it's completely possible that I clicked on the admin account menu, instead of my VPN user. That, plus the fact that I compared the
bcrypt-hash
from the admin account, with the password value from my own VPN account, and they matched. I really do think what happened was a simple user error.I think the last piece of the puzzle would be someone to confirm whether the
b-crypt-hash
value is supposed to be different every time one changes account password, even if the new password is the same as the old one. -
bcrypt includes salting so I'd expect a different hash every time it is generated even from the same password.
-
That settles is then. The only thing that's bugging me, is that 30 row config history doesn't include the password change for my admin account.
I just changed my admin password (again, to my old password) and the following entry was populated in the config history
This is not visible in my previous history, and the simplest explination again would be rotation. I may have done that change before the earliest visible event (10:09:36). Are you aware of changing the admin PW from the web interface gets logged anywhere? That would solve it.
-
I'd certainly expect it to be shown like that because you are editing the admin user. The page is correctly setup to pass a config change string so it is logged.
'Unknown' is shown when a page/script does not pass a string back to the config write.
-
Thanks. Is that event logged somewhere? I pulled all the logs from
/var/log
so if its logged, I could find the exact event. -
I see unknown when you make changes to packages sometimes.
-
Okay, as expected, this event is tracked in the
system.log
. After resetting the admin password today, I checked and can confirm that event is recorded there. Unfortunately I couldn't find such event in my previous logs. Log retention is not a problem since thesystem.log
goes back to Oct'24.That really doesn't make sense, because at some point I had different admin password. The hash proves it (I compared one of the hashes from my admin password with the password of my other VPN user. This is where I accidentally changed the admin PW instead of my VPN user PW; so, for a short period of time my admin password had the password of my VPN user). At the end there may be a backend bug here. I had a different admin password at some point and I'm not seeing any notable events at least in the
system.log