mwood77 / pf2opn

An in-browser pfsense to opnsense converter.
https://www.pf2opn.com

Password from PFsense Backup Does Not Work After Opnsense Restore #7

Closed DanGarion closed 10 months ago

DanGarion commented 10 months ago

I have a fairly basic backup that just has a lot of static DHCP mappings. I used my backup and then restored it to a fresh install of opnsense. After the install was complete the default user/pass no longer worked. I then attempted to use the user/pass from my pfsense backup and that also did not work.

I have checked both the before and after XML and the bcrypt-hash is the same.

mwood77 commented 10 months ago

That's strange - the mapping must be incorrect. What is the parent xml tag of your username/password?

DanGarion commented 10 months ago

I was able to get a console cable and console in and reset the password, so I'm not stuck. :) I did have to get a new console to USB cable since none of my devices has serial ports! hahaha. But here is the important part for you.

pfSense

<?xml version="1.0"?>
<pfsense>
    <version>22.9</version>
    <lastchange></lastchange>
    <system>
        <optimization>normal</optimization>
        <hostname>XXXXX</hostname>
        <domain>XXXXX.lan</domain>
        <group>
            <name>all</name>
            <description><![CDATA[All Users]]></description>
            <scope>system</scope>
            <gid>1998</gid>
            <member>0</member>
        </group>
        <group>
            <name>admins</name>
            <description><![CDATA[System Administrators]]></description>
            <scope>system</scope>
            <gid>1999</gid>
            <member>0</member>
            <priv>page-all</priv>
        </group>
        <user>
            <name>admin</name>
            <descr><![CDATA[System Administrator]]></descr>
            <scope>system</scope>
            <groupname>admins</groupname>
            <bcrypt-hash>XXXXX</bcrypt-hash>
            <uid>0</uid>
            <priv>user-shell-access</priv>
        </user>

opnsense

<opnsense>
  <version>22.9</version>
  <config-apply>
    <uuid>XXXXXXX</uuid>
  </config-apply>
  <system>
    <optimization>normal</optimization>
    <hostname>XXXXX</hostname>
    <domain>XXXXX.lan</domain>
    <group>
      <name>all</name>
      <description>All Users</description>
      <scope>system</scope>
      <gid>1998</gid>
      <member>0</member>
    </group>
    <group>
      <name>admins</name>
      <description>System Administrators</description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>admin</name>
      <descr>System Administrator</descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <bcrypt-hash>XXXXXXX</bcrypt-hash>
      <uid>0</uid>
      <priv>user-shell-access</priv>
    </user>
mwood77 commented 10 months ago

Thank you for the example xml! I'll have a look at this in the next 24 hours.

If you have opnsense up and running, could you also provide a sanitized output of that including the authorization block? That'll make debugging the fields much easier/faster.

DanGarion commented 10 months ago

> Thank you for the example xml! I'll have a look at this in the next 24 hours.
>
> If you have opnsense up and running, could you also provide a sanitized output of that including the authorization block? That'll make debugging the fields much easier/faster.

That might take a while... I haven't changed over to the new device yet. I wanted to limit downtime so I found another device on eBay to change over to. With so many static DHCP I don't want to take down a bunch of devices at my house... ;)

DanGarion commented 10 months ago

I think I see the issue, your converter does the hash, but it doesn't do the password. If that makes sense.

<?xml version="1.0"?>
<opnsense>
  <version>22.9</version>
  <config-apply>
    <uuid>XXXXXX</uuid>
  </config-apply>
  <system>
    <optimization>normal</optimization>
    <hostname>XXXX</hostname>
    <domain>XXXXX.lan</domain>
    <group>
      <name>all</name>
      <description>All Users</description>
      <scope>system</scope>
      <gid>1998</gid>
      <member>0</member>
    </group>
    <group>
      <name>admins</name>
      <description>System Administrators</description>
      <scope>system</scope>
      <gid>1999</gid>
      <member>0</member>
      <priv>page-all</priv>
    </group>
    <user>
      <name>root</name>
      <descr>System Administrator</descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <bcrypt-hash>XXXXX</bcrypt-hash>
      <uid>0</uid>
      <priv>user-shell-access</priv>
      <password>XXXXX</password>
    </user>
mwood77 commented 10 months ago

Yep, you're right. Looks like pfsense outputs your password as a bcrypt hash under these tags:

pfsense

<!-- pfsense -->

<user>
    <bcrypt-hash>xxxxxx</bcrypt-hash>
</user>

opnsense

<!-- opnsense -->

<user>
   <password>xxxxxx</password>
</user>

So I'll need to re-map that field during conversion.

mwood77 commented 10 months ago

Version 0.1.3 has been released on the site and on docker, which I hope solves that issue. Let me know how it goes.

DanGarion commented 10 months ago

I'll close this issue but I think there is another problem. Someone reported a different issue that I also have run into with accessing System>Admin. I haven't confirmed if they used the conversion tool yet though. I will let you know. https://forum.opnsense.org/index.php?topic=36866.msg180278#msg180278

DanGarion commented 10 months ago

I can't tell you if the backup works, but I can tell you the output is different now (with the same file I used previously).

<?xml version="1.0"?>
<opnsense>
  <version>22.9</version>
  <config-apply>
    <uuid>XXXX</uuid>
  </config-apply>
  <lastchange></lastchange>
  <system>
    <hostname>XXXX</hostname>
    <domain>XXXX.lan</domain>
    <timezone>America/Los_Angeles</timezone>
    <language></language>
    <user>
      <name>admin</name>
      <descr>System Administrator</descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <uid>0</uid>
      <priv>user-shell-access</priv>
      <password>XXXX</password>
    </user>
mwood77 commented 10 months ago

Since you have the same error, can you find the following structure, specifically <sshport> inside the <ssh> parent tag in your pfsense config and share it?

My example pfsense config has it here:

Does this look like yours?

DanGarion commented 10 months ago

This is all I have in my backup for SSH. And now that you say that I see what you mean, I should probably add that port in there... right?

<ssh></ssh>
<serialspeed>115200</serialspeed>
<sshguard_threshold></sshguard_threshold>
<sshguard_blocktime></sshguard_blocktime>
<sshguard_detection_time></sshguard_detection_time>
<sshguard_whitelist></sshguard_whitelist>
mwood77 commented 10 months ago

If you're expecting to use an ssh port, then maybe.

Going off of the linked forum thread, we can see that opnsense is looking for an ssh port here:

That doesn't mean it's necessarily required though.

DanGarion commented 10 months ago

Let me try that... won't hurt me if it doesn't work. :)

DanGarion commented 10 months ago

Well, you rock. That missing port # fixed it. ;)

mwood77 commented 10 months ago

Great! So there's no shortcoming to fix on my end?

DanGarion commented 10 months ago

I'm not 100% sure. If you think about it opnsense is erroring out because it isn't being provided a port for SSH... That really seems to be an issue with their system as it appears it expects there to be a port. I didn't have a port in my pfsense config (probably because I never need SSH into it). Your code is just passing along what it was provided.

mwood77 commented 10 months ago

> (probably because I never need SSH into it)

This is likely the reason why it wasn't provided by pfsense, especially if you've never used it/set it up. I think we're good then. Thanks for finding the password bug!
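Both fixes discussed in this thread, the `<bcrypt-hash>` to `<password>` remap and the empty `<ssh></ssh>` that left OPNsense without a port, are the same kind of operation: walk the pfSense `<system>` block and rewrite a few elements before changing the root tag. The script below is an added example of that transform and is not pf2opn's own code. It assumes the element names the thread shows (`<user><bcrypt-hash>` in pfSense, `<user><password>` in OPNsense), that the hash is copied verbatim (the thread confirms the value is identical before and after), and that the SSH port element is called `<port>` (the thread calls it `<sshport>`; the OPNsense screenshot is missing, so the name and the default of 22 are parameters you should check against your own config.xml). The sample input is constructed; the hash is a placeholder with a bcrypt prefix, not a real credential. The one deliberate design choice is to fail loudly when a user has no bcrypt hash rather than emit a config whose admin cannot log in, which is the lockout DanGarion hit.

```python
import xml.etree.ElementTree as ET

# Constructed sample input shaped like the sanitized pfSense <system> block
# posted in the thread. The hash is a placeholder, not a real credential.
PFSENSE_SAMPLE = """<?xml version="1.0"?>
<pfsense>
  <version>22.9</version>
  <system>
    <hostname>fw</hostname>
    <domain>example.lan</domain>
    <user>
      <name>admin</name>
      <descr><![CDATA[System Administrator]]></descr>
      <scope>system</scope>
      <groupname>admins</groupname>
      <bcrypt-hash>$2y$10$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</bcrypt-hash>
      <uid>0</uid>
      <priv>user-shell-access</priv>
    </user>
    <ssh></ssh>
    <serialspeed>115200</serialspeed>
  </system>
</pfsense>
"""

# Hash element names mentioned on the page. Only a bcrypt hash copied into
# <password> is shown to work, so anything else is rejected, not converted.
HASH_TAGS = ("bcrypt-hash", "sha512-hash", "md5-hash")
BCRYPT_PREFIXES = ("$2a$", "$2b$", "$2y$")


def remap_user_password(user: ET.Element) -> str:
    """Move the pfSense hash element into OPNsense's <password>, unchanged.

    Returns the hash carried over. Raises ValueError when the user has no
    hash element or the hash is not bcrypt: silently emitting a user with
    no usable credential is exactly the lockout described in the issue.
    """
    name = user.findtext("name", "?")
    present = [tag for tag in HASH_TAGS if user.find(tag) is not None]
    if not present:
        raise ValueError(f"user {name!r}: none of {HASH_TAGS} present")
    tag = present[0]
    elem = user.find(tag)
    value = (elem.text or "").strip()
    if tag != "bcrypt-hash" or not value.startswith(BCRYPT_PREFIXES):
        raise ValueError(f"user {name!r}: <{tag}> is not a bcrypt hash, refusing to convert")
    user.remove(elem)                       # drop the pfSense-only element
    ET.SubElement(user, "password").text = value  # OPNsense reads it from here
    return value


def ensure_ssh_port(system: ET.Element, port_tag: str = "port", default: str = "22") -> str:
    """Make sure <ssh> carries a port element so an empty <ssh/> from a
    pfSense box that never enabled SSH does not break OPNsense's admin page.
    port_tag and default are assumptions (see lead-in); an existing value
    is never overwritten."""
    ssh = system.find("ssh")
    if ssh is None:
        ssh = ET.SubElement(system, "ssh")
    port = ssh.find(port_tag)
    if port is None:
        port = ET.SubElement(ssh, port_tag)
    if not (port.text or "").strip():
        port.text = default
    return port.text


def convert(pfsense_xml: str) -> ET.Element:
    """Parse a pfSense config string and return the rewritten OPNsense tree."""
    root = ET.fromstring(pfsense_xml)
    if root.tag != "pfsense":
        raise ValueError(f"expected <pfsense> root, got <{root.tag}>")
    system = root.find("system")
    if system is None:
        raise ValueError("no <system> block")
    for user in system.findall("user"):
        remap_user_password(user)
    ensure_ssh_port(system)
    root.tag = "opnsense"
    return root


def to_xml(root: ET.Element) -> str:
    """Serialise with the declaration OPNsense backups carry."""
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(to_xml(convert(PFSENSE_SAMPLE)))
```

Note that the real OPNsense export posted later in the thread names the uid 0 user `root` while the converter's output keeps `admin`; the thread does not settle whether that matters, so the example leaves the name alone. Running the script prints the converted tree, with `<password>` holding the original bcrypt string and `<ssh><port>22</port></ssh>` filled in.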

apedance commented 10 months ago

Hey there.

After using the latest version of the script - I am not able to import the file at all. With version 0.1.2 I was able to import it - but couldn't log in after.

Error message of opnsense:

[image attachment]

mwood77 commented 10 months ago

Hi @apedance apologies for the slow reply - I only just saw this. There's another open issue right now, do you mind posting there? I suspect your issue may be related to the others. I think the root password encryption methods are different.

Alternatively, in the following structure:

<pfsense>
        ...
    <system>
                ...
        <user>
            <sha512-hash></sha512-hash>
        </user>

Do you have a field named sha512-hash, bcrypt-hash, md5-hash, or something else? The data between those tags will be noticeably long.