Re: [pfSense] XMLRPC sync - user/password limitations? And a possible bug regarding 'admin' user

2016-04-24 Thread ED Fochler

> On 2016, Apr 24, at 7:05 PM, Olivier Mascia wrote:
> 
> Why is there a box to enter the remote system username, when it is useless 
> and has to be 'admin' anyway?... :)

It seems to be an incomplete feature upgrade, as the admin user has always been 
usable and it was intended to have other users capable of this… but it seems 
the feature never came to completion after the UI update.

I never use the admin account for anything except syncing, so my password there 
is ridiculous and unique to the firewalls.  Web login should be limited to a 
mostly trusted subnet anyway, and ssh can be locked down to keys only.  I 
wouldn’t go limiting the admin account, I would just set an extraordinary 
password and use it only for syncing.

ED.
___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold

Re: [pfSense] XMLRPC sync - user/password limitations? And a possible bug regarding 'admin' user

2016-04-24 Thread Olivier Mascia
> On 25 Apr 2016 at 00:34, Olivier Mascia wrote:
> 
> /xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 
> during sync settings.
> 
> The user setup on the primary firewall is not 'admin'.  So if the secondary 
> attempts to validate the password against 'admin', that could be the issue.


Just re-read the Book once again. OK, I read too fast on those two lines:

"
Set Remote System Username to admin.
Note: This must always be admin, no other user will work!
"

I took them for default example values, while the small comment says this is not 
an exercise.
Why is there a box to enter the remote system username, when it is useless and 
has to be 'admin' anyway?... :)

What privilege limitations can be made to user 'admin', and still get it to 
work for xmlrpc?
I don't like keeping a user named admin, no matter how strong the password 
might be, so I usually disable it and create a new one with all the required 
rights for full administration.

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om



Re: [pfSense] XMLRPC sync - user/password limitations? And a possible bug regarding 'admin' user

2016-04-24 Thread Olivier Mascia
More info.
There indeed must be something wrong with the setup of the user/password pair 
used by the primary to update the secondary config.
At least the following log message found on the secondary is suspect:

/xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 
during sync settings.

The user setup on the primary firewall is not 'admin'.  So if the secondary 
attempts to validate the password against 'admin', that could be the issue.

I will try by re-opening access for the admin user (on both for good measure), 
but would love not to have to do that in the future. Or... what exact 
minimalist access rights are needed for the default 'admin' user to be able to 
receive configuration updates through XMLRPC?  I could restrict that 'admin' 
user to only that, as a temporary workaround.

Though, it looks like there is another issue. To test, make sure you have a 
second user with full admin rights as a backup, in case this works for you while 
it fails for me. Edit the 'admin' user, remove all page access and membership in 
the admins group. Log off, log on using admin. You have full access to any part 
of the configuration. No restrictions apply.

This is 2.3-REL, I think I did not write that.

-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om
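An added example, not from this thread or from pfSense itself, that pulls the secondary's XMLRPC sync authentication failures (the log message quoted above) out of a syslog excerpt and separates failures coming from the configured HA peer from failures coming from any other source. The syslog prefix, hostnames, second source address and the successful-login line are constructed; only the sync error text is from the thread.

```python
import re
from collections import Counter

# Constructed sample log lines. The timestamp/host/php-fpm prefix is an
# assumption about the secondary's system log layout; the
# "/xmlrpc.php: webConfigurator authentication error ..." text is the message
# quoted in the thread.
SAMPLE_LOG = """\
Apr 24 23:40:01 fw2 php-fpm[12345]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.
Apr 24 23:40:05 fw2 php-fpm[12345]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.
Apr 24 23:41:10 fw2 php-fpm[12345]: /index.php: Successful login for user 'olivier' from: 172.16.0.50
Apr 24 23:42:00 fw2 php-fpm[12345]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 10.0.0.9 during sync settings.
"""

# Matches the sync failure message and captures the rejected user and source IP.
SYNC_AUTH_FAIL = re.compile(
    r"/xmlrpc\.php: webConfigurator authentication error for '(?P<user>[^']+)' "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) during sync settings\."
)


def parse_sync_failures(log_text):
    """Return a list of (user, source_ip) tuples, one per XMLRPC sync auth failure."""
    hits = []
    for line in log_text.splitlines():
        m = SYNC_AUTH_FAIL.search(line)
        if m:
            hits.append((m.group("user"), m.group("src")))
    return hits


def classify(hits, expected_peer):
    """Split failures by origin.

    Failures from the configured HA peer point at a sync username/password
    mismatch like the one in the thread; failures from any other address mean
    something that is not the peer is talking to /xmlrpc.php and deserve a look.
    Returns (count_from_peer, {other_src: count}).
    """
    per_src = Counter(src for _, src in hits)
    peer_failures = per_src.get(expected_peer, 0)
    foreign = {src: n for src, n in per_src.items() if src != expected_peer}
    return peer_failures, foreign


if __name__ == "__main__":
    hits = parse_sync_failures(SAMPLE_LOG)
    peer, foreign = classify(hits, "172.16.0.2")
    print(f"peer sync auth failures: {peer}, from elsewhere: {foreign}")
```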

[pfSense] HA: XMLRPC sync - user/password limitations?

2016-04-24 Thread Olivier Mascia
Hello,

Are there limitations (password length for instance, case sensitivity issues on 
the username) on the user/password used on system_hasync.php page to reach the 
peer?

I started setting this up while the peer (secondary) still had admin as 
username (fresh after setup), and a long complex password. The configuration 
synchronized, but with a warning about authentication. I first thought: OK this 
is expected because the primary I'm copying has 'admin' disabled (not allowed 
to login) and another user name is used as the real admin. I could understand 
as soon as users had been synced there might be an authentication error, 
afterwards.

So I updated on system_hasync.php, but now I keep getting "An authentication 
failure occurred while trying to access https://;. And the newer settings 
just don't sync.

Checked username and password 3 times; it looks good while entering it in 
system_hasync.php and is fine for logging in interactively or at the console.

The alternate username has caps in the name. And the password is longer than 
usual, but reasonable (>20 chars and <25 chars).

I'm aware of this: "XMLRPC sync is currently only supported over connections 
using the same protocol and port as this system - make sure the remote system's 
port and protocol are set accordingly!" and took care that both are identical.

A bit puzzled.
-- 
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om



[pfSense] transparent squid proxy

2016-04-24 Thread Volker Kuhlmann
I am finding that the transparent web proxy does not work - or to be
more precise, the transparent part works, the proxy part does not.

What IP filter rules do I have to add, and which must I not add?

My understanding of "transparent proxy" is that TCP connections to ports
80, 443 are forcefully routed through squid.

Also, if squid is not running I don't want it to be bypassed, I want the
connection to fail, so I am alerted to the problem. When squid is
stopped all connections seem to be passed through.

If I explicitly tell wget to use http://pfsense:3128 as proxy the
request does go through squid/squidguard. However I'd also like this to
be enforced.

pfsense 2.2.6, squid3

Thanks muchly,

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/  Please do not CC list postings to me.