Question/ security concern with Pfsense 2 and console



  • Hi,
    I have just seen a thing that really bugs me with pfSense 2 (current release 2.0-BETA4 (i386) built on Wed Dec 15 07:49:38 EST 2010)

    It seems that I just have to plug in a monitor and keyboard and then at the console press the '8' key to have full root access to the pfSense box…
    I have to fully test this, but assuming I am root without being asked for any password, then I could reconfigure pfSense, change settings, reboot and so on... it seems to me a major security concern.

    Can you explain this behaviour?
    Thanks



  • System > Advanced > Password protect the console menu



  • Thanks! I can breathe again ;-)
    I have checked the help link to learn more about this option but there is not much information. Am I too impatient and the doc will be posted at some time? :-)

    A big thanks for the quick reply



  • Due to the beta status of 2.0 the doc is not complete. But it will be completed. The 1.2 release does not even have documentation; there is a book too. So please be patient, it will all be cleared up.


  • Rebel Alliance Developer Netgate

    There is not much to learn about the option, it does exactly what it says: It password protects the console menu. :)

    Though I would also call your attention to this:
    http://doc.pfsense.org/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Forgotten_Password_with_Locked_Console

    If you really don't trust users that much you really need some kind of locked cage to hold such equipment in, or keep it in a locked datacenter room.

    Controlling physical access is key if you are really worried that someone would hook up a keyboard and monitor that shouldn't be doing that.



  • jimp is correct.  This feature is more security theater than security.  If the attacker has physical access to your hardware, the fact that the console has a password prompt is entirely trivial to bypass.

