Re: [pfSense] XMLRPC sync - user/password limitations? And a possible bug regarding 'admin' user
> On 2016, Apr 24, at 7:05 PM, Olivier Mascia wrote:
>
> Why is there a box to enter the remote system username, when it is useless
> and has to be 'admin' anyway?... :)

It seems to be an incomplete feature upgrade, as the admin user has always been usable and it was intended to have other users capable of this… but it seems the feature never came to completion after the UI update.

I never use the admin account for anything except syncing, so my password there is ridiculous and unique to the firewalls. Web login should be limited to a mostly trusted subnet anyway, and ssh can be locked down to keys only. I wouldn't go limiting the admin account, I would just set an extraordinary password and use it only for syncing.

ED.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] XMLRPC sync - user/password limitations? And a possible bug regarding 'admin' user
> On 25 Apr 2016 at 00:34, Olivier Mascia wrote:
>
> /xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2
> during sync settings.
>
> The user set up on the primary firewall is not 'admin'. So if the secondary
> attempts to validate the password against 'admin', that could be the issue.

Just re-read the Book once again. OK, I read too fast on those two lines:

"Set Remote System Username to admin.
Note: This must always be admin, no other user will work!"

Took them for default example values, while the small comment says this is not an exercise.

Why is there a box to enter the remote system username, when it is useless and has to be 'admin' anyway?... :)

What privilege limitations can be made to user 'admin', and still get it to work for xmlrpc? I don't like keeping a user named admin, no matter how strong the password might be, so I usually disable it and create a new one with all the required rights for full administration.

-- 
Best Regards,
Olivier Mascia, integral.be/om
Re: [pfSense] XMLRPC sync - user/password limitations? And a possible bug regarding 'admin' user
More info.

There indeed must be something wrong with the setting up of the user/password pair used by the primary to update the secondary config. At least the following log message found on the secondary is suspect:

/xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.

The user set up on the primary firewall is not 'admin'. So if the secondary attempts to validate the password against 'admin', that could be the issue.

I will try by re-opening access for the admin user (on both, for good measure), but would love not to have to do that in the future. Or... what exact minimalist access rights are needed for the default 'admin' user to be able to receive configuration updates through XMLRPC? I could restrict that 'admin' user to only that, as a temporary workaround.

Though, it looks like there is another issue. To test, make sure you have a second user with full admin rights as a backup, in case this works for you while it fails for me. Edit the 'admin' user, remove all page access and membership in the admins group. Log off, log on using admin. You have full access to any part of the configuration. No restrictions apply. This is 2.3-REL, I think I did not write that.

-- 
Best Regards,
Olivier Mascia, integral.be/om

> On 24 Apr 2016 at 23:40, Olivier Mascia wrote:
>
> Hello,
>
> Are there limitations (password length for instance, case sensitivity issues
> on the username) on the user/password used on system_hasync.php page to reach
> the peer?
>
> I started setting this up while the peer (secondary) still had admin as
> username (fresh after setup), and a long complex password. The configuration
> synchronized, but with a warning about authentication. I first thought: OK
> this is expected because the primary I'm copying has 'admin' disabled (not
> allowed to login) and another user name is used as the real admin. I could
> understand as soon as users had been synced there might be an authentication
> error, afterwards.
>
> So I updated on system_hasync.php, but now I keep getting "An authentication
> failure occurred while trying to access https://;. And the newer settings
> just don't sync.
>
> Checked username and password 3 times, looks good while entering it in
> system_hasync.php and is fine for logging in interactively or at the console.
>
> The alternate username has caps in the name. And the password is longer than
> usual, but reasonable (>20 chars and <25 chars).
>
> I'm aware of this: "XMLRPC sync is currently only supported over connections
> using the same protocol and port as this system - make sure the remote
> system's port and protocol are set accordingly!" and took care that both are
> identical.
>
> A bit puzzled.
> -- 
> Best Regards,
> Olivier Mascia, integral.be/om
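A small defender-side check, added here as an example that is neither pfSense code nor anything posted in this thread: it parses log lines of the shape quoted above ("/xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.") and separates failures coming from the configured HA peer (the sync credential problem discussed in this thread) from failures coming from any other address against the admin-only XMLRPC endpoint, which is the case that ED's advice about limiting web login to a trusted subnet is meant to cover. The syslog prefix layout (timestamp, host, process) and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Message text as quoted in the thread; the syslog prefix (timestamp, host,
# "process[pid]") is an assumed layout, not taken from the page.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): "
    r"/xmlrpc\.php: webConfigurator authentication error for "
    r"'(?P<user>[^']+)' from (?P<src>[\d.]+) during sync settings\.$"
)


def parse_xmlrpc_auth_failures(lines):
    """Return one dict (ts, host, proc, user, src) per XMLRPC auth failure."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            events.append(m.groupdict())
    return events


def classify(events, peer_ips):
    """Count failures per (source, user); failures from a known HA peer point
    at a sync credential misconfiguration, anything else is an unexpected
    client hitting the admin-only XMLRPC endpoint and deserves a look."""
    peer, unexpected = Counter(), Counter()
    for e in events:
        bucket = peer if e["src"] in peer_ips else unexpected
        bucket[(e["src"], e["user"])] += 1
    return {"peer": dict(peer), "unexpected": dict(unexpected)}


# Constructed sample lines modelled on the message quoted in the thread.
SAMPLE_LOG = """\
Apr 24 23:40:12 fw2 php-fpm[1234]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.
Apr 24 23:41:02 fw2 php-fpm[1234]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.
Apr 24 23:41:30 fw2 php-fpm[1234]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 203.0.113.9 during sync settings.
Apr 24 23:42:00 fw2 php-fpm[1234]: /index.php: successful login for user 'opsadmin' from: 172.16.0.20
""".splitlines()


def report(lines=SAMPLE_LOG, peer_ips=("172.16.0.2",)):
    """Convenience wrapper: parse then classify against the known peer(s)."""
    return classify(parse_xmlrpc_auth_failures(lines), set(peer_ips))


if __name__ == "__main__":
    print(report())
```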
[pfSense] HA: XMLRPC sync - user/password limitations?
Hello,

Are there limitations (password length for instance, case sensitivity issues on the username) on the user/password used on system_hasync.php page to reach the peer?

I started setting this up while the peer (secondary) still had admin as username (fresh after setup), and a long complex password. The configuration synchronized, but with a warning about authentication. I first thought: OK this is expected because the primary I'm copying has 'admin' disabled (not allowed to login) and another user name is used as the real admin. I could understand as soon as users had been synced there might be an authentication error, afterwards.

So I updated on system_hasync.php, but now I keep getting "An authentication failure occurred while trying to access https://;. And the newer settings just don't sync.

Checked username and password 3 times, looks good while entering it in system_hasync.php and is fine for logging in interactively or at the console.

The alternate username has caps in the name. And the password is longer than usual, but reasonable (>20 chars and <25 chars).

I'm aware of this: "XMLRPC sync is currently only supported over connections using the same protocol and port as this system - make sure the remote system's port and protocol are set accordingly!" and took care that both are identical.

A bit puzzled.

-- 
Best Regards,
Olivier Mascia, integral.be/om
[pfSense] transparent squid proxy
I am finding that the transparent web proxy does not work - or to be more precise, the transparent part works, the proxy part does not. What IP filter rules do I have to add, and which must I not add?

My understanding of "transparent proxy" is that TCP connections to ports 80, 443 are forcefully routed through squid. Also, if squid is not running I don't want it to be bypassed, I want the connection to fail, so I am alerted to the problem. When squid is stopped all connections seem to be passed through.

If I explicitly tell wget to use http://pfsense:3128 as proxy the request does go through squid/squidguard. However I'd also like this to be enforced.

pfsense 2.2.6, squid3

Thanks muchly,
Volker

-- 
Volker Kuhlmann is list0570 with the domain in header.
http://volker.top.geek.nz/
Please do not CC list postings to me.