Discussion:
[pfSense] HA: XMLRPC sync - user/password limitations?
Olivier Mascia
2016-04-24 21:40:00 UTC
Hello,

Are there limitations (password length for instance, case sensitivity issues on the username) on the user/password used on system_hasync.php page to reach the peer?

I started setting this up while the peer (secondary) still had admin as username (fresh after setup), and a long complex password. The configuration synchronized, but with a warning about authentication. I first thought: OK, this is expected, because the primary I'm copying has 'admin' disabled (not allowed to login) and another user name is used as the real admin. I could understand that, as soon as users had been synced, there might be an authentication error afterwards.

So I updated the settings on system_hasync.php, but now I keep getting "An authentication failure occurred while trying to access https://....". And the newer settings just don't sync.

Checked username and password 3 times; it looks good while entering it in system_hasync.php and is fine for logging in interactively or at the console.

The alternate username has caps in the name. And the password is longer than usual, but reasonable (>20 chars and <25 chars).

I'm aware of this: "XMLRPC sync is currently only supported over connections using the same protocol and port as this system - make sure the remote system's port and protocol are set accordingly!" and took care that both are identical.

A bit puzzled.
--
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om
Olivier Mascia
2016-04-24 22:34:15 UTC
More info.
There indeed must be something wrong with the setup of the user/password pair used by the primary to update the secondary config.
At least the following log message found on the secondary is suspect:

/xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.

The user setup on the primary firewall is not 'admin'. So if the secondary attempts to validate the password against 'admin', that could be the issue.

I will try by re-opening access for the admin user (on both for good measure), but would love not to have to do that in the future. Or... what exact minimalist access rights are needed for the default 'admin' user to be able to receive configuration updates through XMLRPC? I could restrict that 'admin' user to only that, as a temporary workaround.

Though, it looks like there is another issue. To test, make sure you have a second user with full admin rights as a backup, in case this works for you while it fails for me. Edit the 'admin' user, remove all page access and membership in the admins group. Log off, log on using admin. You have full access to any part of the configuration. No restrictions apply.

This is 2.3-REL; I think I did not write that.
--
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
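A small defender-side check, added here as an example (it is not part of this thread and not pfSense code): it scans a secondary node's system log for the "webConfigurator authentication error ... during sync settings" line quoted above and groups the failures by source address. Failures coming from the configured primary point at the credential problem discussed in this thread; failures from any other address mean something other than the primary is authenticating against /xmlrpc.php and deserve a look. Only the xmlrpc.php message text comes from the post; the syslog prefixes, the other log lines and the address 203.0.113.7 are constructed for the example, and 172.16.0.2 is the peer address from the post.

```python
import re
from collections import Counter
from typing import Dict, List

# Matches the message format quoted in the post above. The syslog prefix
# (timestamp, host, process name) varies between setups, so only the message
# body is anchored.
SYNC_AUTH_FAIL_RE = re.compile(
    r"/xmlrpc\.php: webConfigurator authentication error for "
    r"'(?P<user>[^']+)' from (?P<src>[0-9A-Fa-f.:]+) during sync settings"
)

# Constructed sample of a secondary node's system log. Only the xmlrpc.php
# message text is from the thread; prefixes and the other entries are made up.
SAMPLE_LOG = """\
Apr 24 23:01:12 fw2 php-fpm[12345]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.
Apr 24 23:01:40 fw2 php-fpm[12345]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.
Apr 24 23:02:05 fw2 php-fpm[12345]: /index.php: Successful login for user 'someuser' from: 172.16.0.50
Apr 24 23:03:19 fw2 php-fpm[12345]: /xmlrpc.php: webConfigurator authentication error for 'admin' from 203.0.113.7 during sync settings.
"""


def parse_sync_auth_failures(log_text: str) -> List[Dict[str, object]]:
    """Return one record per XMLRPC sync authentication failure found in the log."""
    events: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = SYNC_AUTH_FAIL_RE.search(line)
        if m:
            events.append({"line": lineno, "user": m.group("user"), "src": m.group("src")})
    return events


def summarize_sync_auth_failures(events: List[Dict[str, object]], expected_peer: str) -> dict:
    """Group failures by source and separate the configured peer from everyone else.

    expected_peer is the address of the primary node that is allowed to push
    configuration to this secondary; anything else failing against
    /xmlrpc.php is reported under 'unexpected_sources'.
    """
    per_source = Counter(str(e["src"]) for e in events)
    unexpected = sorted(src for src in per_source if src != expected_peer)
    return {
        "per_source": dict(per_source),
        "users": {str(e["user"]) for e in events},
        "peer_failures": per_source.get(expected_peer, 0),
        "unexpected_sources": unexpected,
    }


if __name__ == "__main__":
    found = parse_sync_auth_failures(SAMPLE_LOG)
    summary = summarize_sync_auth_failures(found, expected_peer="172.16.0.2")
    print(f"{summary['peer_failures']} sync auth failure(s) from the configured peer")
    for src in summary["unexpected_sources"]:
        print(f"WARNING: sync auth failure from unexpected source {src}")
```

Run it against /var/log/system.log (or the exported log) on the secondary; a non-zero `peer_failures` count with the remote username set to anything other than 'admin' reproduces exactly the situation described in this thread, while any entry in `unexpected_sources` is worth correlating with the firewall rules that restrict who can reach the webConfigurator port.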
Olivier Mascia
2016-04-24 23:05:16 UTC
Post by Olivier Mascia
/xmlrpc.php: webConfigurator authentication error for 'admin' from 172.16.0.2 during sync settings.
The user setup on the primary firewall is not 'admin'. So if the secondary attempts to validate the password against 'admin', that could be the issue.
Just re-read the Book once again. OK, I read too fast on those two lines:

"
Set Remote System Username to admin.
Note: This must always be admin, no other user will work!
"

Took them for default example values, while the small comment says this is not an exercise.
Why is there a box to enter the remote system username, when it is useless and has to be 'admin' anyway?... :)

What privilege limitations can be made to user 'admin', and still get it to work for xmlrpc?
I don't like keeping a user named admin, no matter how strong the password might be, so I usually disable it and create a new one with all the required rights for full administration.
--
Meilleures salutations, Met vriendelijke groeten, Best Regards,
Olivier Mascia, integral.be/om
ED Fochler
2016-04-24 23:54:41 UTC
Post by Olivier Mascia
Why is there a box to enter the remote system username, when it is useless and has to be 'admin' anyway?... :)
It seems to be an incomplete feature upgrade, as the admin user has always been usable and it was intended to have other users capable of this… but it seems the feature never came to completion after the UI update.

I never use the admin account for anything except syncing, so my password there is ridiculous and unique to the firewalls. Web login should be limited to a mostly trusted subnet anyway, and ssh can be locked down to keys only. I wouldn’t go limiting the admin account, I would just set an extraordinary password and use it only for syncing.

ED.
Steve Yates
2016-04-25 03:21:43 UTC
I posted about that when I discovered it a year ago. It seems silly to have a field that is ignored and something else used instead. Is that still in 2.3 that way? It seems like it would be easy to change that from a field to the word "admin."
--
Steve Yates
ITS, Inc.

ED Fochler
2016-04-25 04:04:44 UTC
Yep, still that way in 2.3 release.