pfSense

1) Select "Password protect the console menu" from System->Advanced, Admin and press Save. The console now prompts for login in real time.
2) Reboot to confirm the setting is preserved - yep, all good - the console prompts for login at the end of the boot output.
3) Upgrade to latest snapshot.
4) Console is no longer password protected. (but config.xml has <disableconsolemenu/> correctly in it)
5) Reboot (any number of times) - console is never password protected.
6) Go to System->Advanced, Admin and press Save. Now the password protect is implemented.

The underlying cause seems to be that pfsense-utils.inc/setup_serial_port() is only called by config.lib.inc/reset_factory_defaults() and directly from system_advanced_admin.php

setup_serial_port() modifies /etc/ttys to implement the required settings on the appropriate tty entry/s.

On a nanoBSD upgrade, that needs to be done to the new /etc/ttys on the new slice. But there does not seem to be any code that does it during or after the upgrade. I looked on 2.1.5 also, and it looks like there is nothing there either and that an upgrade from an earlier version to 2.1.5 might have this same issue.

I do not know about a full upgrade - perhaps /etc/ttys will be overwritten by the upgrade file, or perhaps it will be left in place and thus will work.

I made this very high priority because it effects a user-selected security setting.

Forum topic: https://forum.pfsense.org/index.php?topic=85624.0