Change webGUI password in a 1-line command for scripting?

dylanh724

^ Subject: How to?

I am able to change root/admin in 1 line fine, but for webgui…. can't seem to figure this one out. It should be way easier to change than the root password, but can't find the way ;)

Cheers~

(Related = http://www.reddit.com/r/PFSENSE/comments/2risdw/how_to_change_webgui_password_in_a_1line_command/)

jimp

Changing the password for the GUI admin user resets root also in the shell. Never try to manage the passwords directly in the command line using the OS tools like pw, passwd, etc.

On pfSense 2.2, you can use:

pfSsh.php playback changepassword admin

It will prompt for a new password and confirm it.

dylanh724

I never updated this topic – this was resolved by using a single line of code for SSH logins:

Sudo required with a new account rather than root (root dumps you in PFS shell, which sucks for SSH)

For SSH password change (NOT webgui pword -- that's below later), you can use this:

echo "password" | sudo pw usermod your_user -h 0

(Make sure to login via a new SSH account that gets dumped into regular shell instead of the EXTREMELY restrictive PFS shell sorry, but it is)

As for webGUI pword, need KiTTY, which uses sort of an 'expect' style of scripting, so you can queue up commands with a delay (in combination with the above command – thanks bud):

http://www.9bis.net/kitty/

(Without KiTTY, it can't be done by normal SSH means since the cmd triggers a different, custom shell)

It won't let me modify the subject to SOLVED, maybe because topic is too old? If a mod wants to, that'd be great – probably useful for others.

For webGUI, use this kitty code and adjust to your own needs (this is for a new SSH account with sudo so that it logs into a shell instead of PFS shell -- you can use PFS shell with kitty, if you'd like, but need different code):

(This changes webgui login from admin pw to admin2)

kitty -ssh 192.168.0.1 -l adminssh -pw admin -cmd "sudo pfSsh.php playback changepassword\nadminssh\nadmin2\nadmin2\n\exit"

doktornotor

@dylanh724:

I never updated this topic – this was resolved by using a single line of code for SSH logins:

echo "password" | sudo pw usermod your_user -h 0

Dude, which part of the "Never try to manage the passwords directly in the command line using the OS tools like pw, passwd, etc." advise from the pfSense developer you did not get? Plus why are you suggesting such crap when there's even a CLI way to do the same thing properly (as again hinted above)?

dylanh724

@doktornotor:

@dylanh724:

I never updated this topic – this was resolved by using a single line of code for SSH logins:

echo "password" | sudo pw usermod your_user -h 0

Dude, which part of the "Never try to manage the passwords directly in the command line using the OS tools like pw, passwd, etc." advise from the pfSense developer you did not get? Plus why are you suggesting such crap when there's even a CLI way to do the same thing properly (as again hinted above)?

Know of another way? I don't. People use PFS for different things. I'd like a 1-click change password button that vanilla PFS doesn't offer. The CLI is 100% not script-friendly or I wouldn't have to use kitty.

PFSense is a badass firewall, so the average user is trying to tighten security – but some people (like me) don't even use it for most of it's capabilities. I mostly use it for a custom captive portal that's very local

doktornotor

@dylanh724:

Know of another way? I don't.

Then stop suggesting people to use 300% wrong ways to do things, especially when being told so by the developers. The above is completely broken since it will not update the password stored in config.xml.

heper

@jimp:

Changing the password for the GUI admin user resets root also in the shell. Never try to manage the passwords directly in the command line using the OS tools like pw, passwd, etc.

On pfSense 2.2, you can use:

pfSsh.php playback changepassword admin

It will prompt for a new password and confirm it.

thats the other way ?

dylanh724

@doktornotor:

@dylanh724:

Know of another way? I don't.

Then stop suggesting people to use 300% wrong ways to do things, especially when being told so by the developers. The above is completely broken since it will not update the password stored in config.xml.

Hmm? I did no such thing! I specifically said "THIS only saves SSH new password", and then I said use kitty to use the EXACT cgi script that saves in the xml file. At least read my guide before insulting it -__-

For SSH password change (NOT webgui pword – that's below later),

(then the XML one below)

(This changes webgui login from admin pw to admin2)

Code: [Select]
kitty -ssh 192.168.0.1 -l adminssh -pw admin -cmd "sudo pfSsh.php playback changepassword\nadminssh\nadmin2\nadmin2\n\exit"

To be more specific, look here:

sudo pfSsh.php playback changepassword

KiTTY is 100% exactly the same as the above, just automated

doktornotor

@dylanh724:

Hmm? I did no such thing! I specifically said "THIS only saves SSH new password"

This

echo "password" | sudo pw usermod your_user -h 0

saves no password whatsoever. Passwords are saved in config.xml which you completely bypass by your messing with shell. Period.

rbarreto

Hi

I also need to change to webgui password from a script.

I'm working in one pfsense image to use with OpenStack.

For this reason, i need to change the both password to ssh and webgui. So the user-end may get the password from the retrieve password openstack function.

I'm using bsd-cloudinit[1]

This project was developed using python. In the script, it's already changing the ssh password with:

def set_user_password(self, username, password):
          pw_cmd = "echo " + password + " | pw usermod -n " + username + " -h 0"
          subprocess.check_call(pw_cmd, shell=True)

Therefore i need to integrate it to change the webgui password too.

I also tried to create a script to use the auth.inc, so i can use this api to the python script may to run it:

2.2.6-RELEASE][admin@firewall.novalocal]/root: cat test.php
#!/usr/local/bin/php -f
require("auth.inc");
$admin_user = "admin";
$password = "teste";
local_user_set_password($admin_user, $password);
local_user_set($admin_user);
?>
[2.2.6-RELEASE][admin@firewall.novalocal]/root: php -f test.php

Warning: Illegal string offset 'password' in /etc/inc/auth.inc on line 520

Warning: Illegal string offset 'md5-hash' in /etc/inc/auth.inc on line 521

Warning: Illegal string offset 'nt-hash' in /etc/inc/auth.inc on line 532
[2.2.6-RELEASE][admin@firewall.novalocal]/root:

I kown that this is not the correct way to do, it was just a test. But everything that i tried to do at this time did not work.

I wonder if you guys could help me to figure out a way to change the webgui password from a command line without prompt

Thanks in advance

[1] http://pellaeon.github.io/bsd-cloudinit/

heper

https://github.com/pfsense/pfsense/blob/master/src/etc/phpshellsessions/changepassword

above is the code that runs when using  the CLI developers shell
@jimp:

Changing the password for the GUI admin user resets root also in the shell. Never try to manage the passwords directly in the command line using the OS tools like pw, passwd, etc.

On pfSense 2.2, you can use:

pfSsh.php playback changepassword admin

It will prompt for a new password and confirm it.

enjoy

rbarreto

Hi heper

Thank you for your response.

However, I need to do that with no prompt

I already tried like:

[2.2.6-RELEASE][admin@pfSense.localdomain]/root: ( echo password ; echo password ; echo exit) | pfSsh.php playback changepassword admin

Starting the pfSense developer shell….

Changing password for 'admin'.
New Password: stty: stdin isn't a terminal
stty: stdin isn't a terminal

Confirm New Password: stty: stdin isn't a terminal
stty: stdin isn't a terminal

[2.2.6-RELEASE][admin@pfSense.localdomain]/root:

but no success

Thank you

heper

yes i know.
you'd need to make adjustments to allow for an additional password-argument ( https://github.com/pfsense/pfsense/blob/master/src/etc/phpshellsessions/changepassword#L8-L23 )
also would need to adjust some of the logic below so it stops prompting for a manual input ( https://github.com/pfsense/pfsense/blob/master/src/etc/phpshellsessions/changepassword#L34-L50 )

rbarreto

Yes. Did work.

I comment the stty lines who were not allowing the change:

// If the user does exist, prompt for password
while (empty($password)) {
        echo gettext("New Password") . ": ";
        //exec('/bin/stty -echo');
        $password = trim(fgets($fp));
        //exec('/bin/stty echo');
        echo "\n";
}

// Confirm password
while (empty($confpassword)) {
        echo gettext("Confirm New Password") . ": ";
        //exec('/bin/stty -echo');
        $confpassword = trim(fgets($fp));
        //exec('/bin/stty echo');
        echo "\n";
}

So i got change the password for both ssh and webgui:

[2.2.6-RELEASE][admin@pfSense.localdomain]/root: ( echo admin ; echo password ; echo password ; echo exit ) | pfSsh.php playback changepassword

Starting the pfSense developer shell….

Enter username: Changing password for 'admin'. 
New Password:
Confirm New Password:
[2.2.6-RELEASE][admin@pfSense.localdomain]/root:

Thank you a lot