openNDS / openNDS

openNDS (open Network Demarcation Service) is a high performance, small footprint, Captive Portal. It provides a border control gateway between a public local area network and the Internet.
https://opennds.readthedocs.io/
GNU General Public License v2.0

Use sed to update existing faskey value #589

Closed billz closed 1 month ago

billz commented 1 month ago

Addresses #588. @bluewavenet thanks

bluewavenet commented 1 month ago

@billz This only works if you already have the option in the config file, i.e. it changes an existing option value. The default config does not have it set, so it fails.

bluewavenet commented 1 month ago

@billz I have fixed this with commit https://github.com/openNDS/openNDS/pull/590/commits/26496b4f76624f789dcd59ca88481857782ef3d7. This uses a different approach, allowing someone to use "1234567890" if they really wanted to. All reference to "1234567890" is removed and there is no longer a default value. Any value actually set by the user is used.

The documentation has been updated.

Thanks for finding the issue and for your efforts in resolving it.

billz commented 1 month ago

@bluewavenet Excellent! Looks like a good solution. Cheers.

bluewavenet commented 1 month ago

@billz It would be excellent if you could compile and test on your system ;-)

billz commented 1 month ago

Compiled v10.2.1beta branch and installed on Debian 12.

config opennds
    option debuglevel '3'
    option gatewayinterface 'wlan0'
    option fasport '2080'
    option faspath '/fas/fas-aes.php'
    option faskey 'c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646'
    option fas_secure_enabled '2'

service output:

opennds[473578]: option faskey is [ c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646 ]
--snip--
opennds[473578]: nftables command [ add rule ip nds_filter ndsNET ip daddr disabled tcp dport 2080 counter accept ], iteration [ 3 ]return code [ 1 ]
opennds[473578]: Executing command: nft add rule ip nds_filter ndsNET ip daddr disabled tcp dport 2080 counter accept
opennds[476075]: Error: Could not resolve hostname: Name or service not known
opennds[476075]: add rule ip nds_filter ndsNET ip daddr disabled tcp dport 2080 counter accept
opennds[476075]:                                        ^^^^^^^^
--snip--
opennds[473578]: Error initializing firewall rules! Cleaning up
opennds[473578]: Destroying our nftables entries
opennds[473578]: Exiting because of error initializing firewall rules

Above seems unrelated to the faskey change. I could investigate a bit further tomorrow.

bluewavenet commented 1 month ago

@billz c775e7b757ede630cd0aa1113bd102661ab38829ca52a6422ab782862f268646

Yikes! That is meant as an example of what it would look like, not what you are supposed to use. That was the whole point of the security issue of having "1234567890" as the default.

This is what you should do:

  1. do not add faskey option to config
  2. start openNDS, it will generate a sha256 64 character hash string and write it to the config.
  3. Read faskey from the config and copy it into the fas script.

:-D

opennds[476075]: add rule ip nds_filter ndsNET ip daddr disabled tcp dport 2080 counter accept
opennds[476075]:                                        ^^^^^^^^

This happens when openNDS cannot determine the ip address for the rule and is usually a config option error. You have not shown the full config file - have you disabled gatewayfqdn?
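The steps above (leave faskey out of the config, let openNDS generate a 64 character sha256 string, then copy it into the FAS script) and the earlier remark that a sed-only update fails when the option is absent can be checked with a small audit script. The following is an added example written for this thread; it is not openNDS project code. It assumes an OpenWrt-style /etc/config/opennds whose path is passed as the first argument, draws key material from /dev/urandom (openNDS itself produces the value differently), and treats the old "1234567890" default that the PR removes as insecure.

```shell
#!/bin/sh
# Added example (not openNDS project code): audit an OpenWrt-style opennds config
# for a missing or weak faskey and set a 64 hex character key when one is needed.
# Assumptions: config path is $1; random bytes come from /dev/urandom.

# Extract the faskey value, quoted or unquoted; prints nothing if the option is absent.
# Lines starting with '#' never match, so commented-out options are ignored.
get_faskey() {
    sed -n "s/^[[:space:]]*option[[:space:]]\{1,\}faskey[[:space:]]\{1,\}'\{0,1\}\([^'[:space:]]*\)'\{0,1\}.*$/\1/p" "$1" | head -n 1
}

# Classify a key value: missing, default (the old insecure "1234567890"),
# weak (anything that is not 64 lowercase hex characters), or ok.
classify_faskey() {
    case "$1" in
        '') echo missing ;;
        1234567890) echo default ;;
        *) if printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'; then echo ok; else echo weak; fi ;;
    esac
}

# Produce 32 random bytes rendered as 64 lowercase hex characters.
generate_faskey() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Write a key into the config: replace an existing option in place (the sed
# approach from this PR), or insert one under "config opennds" when it is absent
# (the case a sed substitution alone cannot handle).
set_faskey() {
    cfg=$1; key=$2; tmp="$cfg.tmp"
    if grep -Eq '^[[:space:]]*option[[:space:]]+faskey' "$cfg"; then
        sed "s/^\([[:space:]]*option[[:space:]]\{1,\}faskey[[:space:]]\{1,\}\).*$/\1'$key'/" "$cfg" > "$tmp"
    else
        awk -v key="$key" '{ print } /^config opennds/ { print "    option faskey '\''" key "'\''" }' "$cfg" > "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# Audit the config, fix it if the key is missing, default or weak, and print the
# resulting classification (expected to be "ok" afterwards).
ensure_faskey() {
    state=$(classify_faskey "$(get_faskey "$1")")
    if [ "$state" != ok ]; then
        set_faskey "$1" "$(generate_faskey)"
        state=$(classify_faskey "$(get_faskey "$1")")
    fi
    echo "$state"
}

# Usage: sh faskey_audit.sh /etc/config/opennds
if [ "$#" -gt 0 ]; then
    ensure_faskey "$1"
fi
```

Run it against the config before starting openNDS; a result of "ok" means the faskey is already a 64 hex character value, and "missing", "default" or "weak" means the script has just replaced it, so the new value must also be copied into the FAS script as step 3 above describes.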

billz commented 1 month ago

Yikes! That is meant as an example of what it would look like, not what you are supposed to use. That was the whole point of the security issue of having "1234567890" as the default.

Noted. In this case, confirmed that excluding faskey from the config does indeed generate a secure 64-char hash.

This happens when openNDS cannot determine the ip address for the rule and is usually a config option error. You have not shown the full config file - have you disabled gatewayfqdn?

I have shown the full config file, using grep -v '^\s*#' /etc/config/opennds | grep -v '^\s*$'.
gatewayfqdn is not disabled. The config states that the default value is status.client.

I've specified this value manually:

config opennds
    option debuglevel '3'
    option gatewayinterface 'wlan0'
    option gatewayfqdn status.client
    option fasport '2080'
    option faspath '/fas/fas-aes.php'
    option fas_secure_enabled '2'

nftables error persists on startup, as above. Glad to provide any other details.

bluewavenet commented 1 month ago

@billz Best to open this as a new issue rather than discuss it here!

billz commented 1 month ago

Agreed, will do so shortly. Thanks