Config sync username change
The username for the config sync user must be 'admin'.
#1 Updated by Jim Pingle about 7 years ago
Looks like it takes the ID of the first user and uses that for XMLRPC sync, and since the admin user can't be renamed, it's locked to that. We may just need an additional field in the settings for the user ID to sync and default to admin if that's blank.
We might also need some way to test to ensure that the userid given has the xmlrpclibrary page permission.
#4 Updated by Antoine Rodriguez over 2 years ago
The bug is still here in version 2.2 64bit.
The "Remote System Username" field into Firewall->Virtual IP->CARP Settings is not used.
If we create another user and set the user inside that field the CARP is unable to authenticate with it's peer giving the following messages :
- From the destination peer :
pfSense php-fpm: /xmlrpc.php: webConfigurator authentication error for 'admin' from XXX.XXX.XXX.XXX
- From the source peer :
[ An authentication failure occurred while trying to access https://XXX.XXX.XXX.XXX:443 (pfsense.host_firmware_version).]
The only way to do it work is to use the admin user of pfsense.
#6 Updated by Brett Merrick about 2 years ago
- Bug #1971 (Rejected): carp sync username not honored
- Bug #1736 (Closed): Allow other users to be used as authenticator in xmlrpc exchanges
The xmlrpc username is hardcoded to use the username 'admin'.
Inline comments state:
xmlrpc_auth: Handle basic crypt() authentication of an XMLRPC request. This function assumes that $params contains the local system's plaintext password and removes the password from the array before returning it. XXX: Should teach caller to pass username and use it here.
This would involve modification of every piece of code that interacts with an XML_RPC_Message to include/parse the username. This not an insignificant undertaking in terms of coding and testing. Perhaps disproportionate to the value it would add?It seems that this work may overlap or be better encompassed by the following:
- Todo #3734 (New): Update PEAR XML_RPC Client/Server
Some feedback on the value of this option would be useful.
I suspect the sensible interim action would be, as previously suggested, to:
- remove the username option from the sync configuration to prevent confusion.
I would like to proceed with submitting a pull request to mask the username option if there are no further objections/concerns/suggestions?