Feature #809
closed
Config sync username change
100%
Description
The username for the config sync user must be 'admin'.
Updated by Jim Pingle over 14 years ago
Looks like it takes the ID of the first user and uses that for XMLRPC sync, and since the admin user can't be renamed, it's locked to that. We may just need an additional field in the settings for the user ID to sync and default to admin if that's blank.
We might also need some way to test to ensure that the userid given has the xmlrpclibrary page permission.
Updated by Antoine Rodriguez almost 10 years ago
The bug is still here in version 2.2 64bit.
The "Remote System Username" field in Firewall->Virtual IP->CARP Settings is not used.
If we create another user and set that user in the field, CARP is unable to authenticate with its peer, giving the following messages:
- From the destination peer :pfSense php-fpm[77914]: /xmlrpc.php: webConfigurator authentication error for 'admin' from XXX.XXX.XXX.XXX
- From the source peer :[ An authentication failure occurred while trying to access https://XXX.XXX.XXX.XXX:443 (pfsense.host_firmware_version).]
The only way to make it work is to use the admin user of pfSense.
Best regards
Updated by Brett Merrick over 9 years ago
- Bug #1971 (Rejected): carp sync username not honored
- Bug #1736 (Closed): Allow other users to be used as authenticator in xmlrpc exchanges
The xmlrpc username is hardcoded to use the username 'admin'.
Inline comments state:
xmlrpc_auth: Handle basic crypt() authentication of an XMLRPC request. This function assumes that
$params[0] contains the local system's plaintext password and removes the password from
the array before returning it.
XXX: Should teach caller to pass username and use it here.
This would involve modification of every piece of code that interacts with an XML_RPC_Message to include/parse the username. This is not an insignificant undertaking in terms of coding and testing. Perhaps disproportionate to the value it would add?
It seems that this work may overlap or be better encompassed by the following:
- Todo #3734 (New): Update PEAR XML_RPC Client/Server
Some feedback on the value of this option would be useful.
I suspect the sensible interim action would be, as previously suggested, to:
- remove the username option from the sync configuration to prevent confusion.
I would like to proceed with submitting a pull request to mask the username option if there are no further objections/concerns/suggestions?
Updated by Chris Buechler over 9 years ago
Yeah, that's fine to remove the username field, no point in having it right now. Pull request welcome. Thanks!
Updated by Brett Merrick over 9 years ago
Thanks,
Added to : https://github.com/pfsense/pfsense/pull/1735
Updated by Renato Botelho over 8 years ago
- Assignee set to Renato Botelho
- Target version changed from Future to 2.4.0
Updated by Renato Botelho over 8 years ago
- % Done changed from 0 to 80
When converting code to XML_RPC2 I implemented a username parameter on every xmlrpc method. It's just missing the privilege check, which I'll take care of now.
Updated by Renato Botelho over 8 years ago
- Status changed from New to Feedback
- % Done changed from 80 to 100
Applied in changeset fb1234ab7d654f301eafdd4f116038937bc36cf4.
Updated by Jim Pingle about 8 years ago
- Status changed from Feedback to Resolved
Works, can XMLRPC sync so long as the user has the "System - HA node sync" privilege.
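
The behaviour discussed in this thread, as an added PHP example that is not pfSense code: the receiving peer first ignores the supplied username and checks the password against 'admin', then (after the change) honours the username and requires the sync privilege. The user table, the function names and the privilege id 'ha-node-sync' are constructed placeholders.

```php
<?php
// Added illustration; not pfSense source. All names and data are constructed.
const SYNC_PRIV = 'ha-node-sync'; // placeholder id standing in for "System - HA node sync"

// Constructed user table: name => password hash + list of privileges.
function sample_users(): array {
    $mk = fn(string $pw, array $privs) => [
        'hash'  => password_hash($pw, PASSWORD_BCRYPT),
        'privs' => $privs,
    ];
    return [
        'admin'    => $mk('admin-pw', [SYNC_PRIV]),
        'syncuser' => $mk('sync-pw', [SYNC_PRIV]),
        'operator' => $mk('op-pw', ['dashboard']),
    ];
}

// "Before": the username sent by the peer is never consulted; the password
// is always checked against the local 'admin' account.
function auth_before(array $users, string $username, string $password): bool {
    return password_verify($password, $users['admin']['hash']);
}

// "After": authenticate the named user, then require the sync privilege.
function auth_after(array $users, string $username, string $password): bool {
    $user = $users[$username] ?? null;
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false; // unknown account or wrong password
    }
    return in_array(SYNC_PRIV, $user['privs'], true); // least privilege check
}

$users = sample_users();
$cases = [
    ['syncuser', 'sync-pw'],  // dedicated sync account with its own password
    ['syncuser', 'admin-pw'], // configured name paired with admin's password
    ['operator', 'op-pw'],    // valid login that lacks the sync privilege
    ['nobody',   'x'],        // unknown account
];
foreach ($cases as [$u, $p]) {
    printf("%-9s %-9s before=%-5s after=%s\n", $u, $p,
        var_export(auth_before($users, $u, $p), true),
        var_export(auth_after($users, $u, $p), true));
}
```

The second case is the one to watch when auditing a sync setup: under the old check the configured name has no effect, so only the admin password decides the outcome.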