Replies: 5 comments 3 replies
-
At a fundamental level the api used (xmlrpc) is god. There is no way around it unless/until pfsense has a proper api with fine-grained permissions. I am aware of non-standard apis like faux-api but find the security implications of that worse than using the supported/built-in xmlrpc api. In short, the api is currently all or nothing :(
-
Revisiting this, I noticed a post that the user credentials were stored in plain text. Is that still the case and if so could they be encrypted?
-
With the impact of providing admin rights to a firewall, and then saving the passwords in plain text, it seems there should be a better way. Is there some way for you to lead the charge to better security? I'm not sure what's possible but I noticed a few users with the same concern. Thank you!
Robert

> On Jul 15, 2023, at 11:37 PM, Travis Glenn Hansen ***@***.***> wrote:
> The credentials are stored the same as every other integration (core or plugin). Yes they are stored in a yaml file on disk unencrypted.
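The reply quoted above says the integration's credentials sit unencrypted in a file on disk. A practitioner who wants to confirm that for their own install can audit the serialized store directly. The script below is an added example written for this discussion; it is not code from the hass-pfsense integration or from Home Assistant. It walks any nested dict/list structure, flags keys that look like credentials whose value is a real string rather than a mask, redaction or `!secret` reference, and reports only the path and length so the report itself leaks nothing. The shape of `SAMPLE_STORE` (one entry per integration with the credentials under `data`), the hostnames and the credential values are constructed assumptions for the example, not something documented on this page.

```python
"""Audit a serialized config store for credentials kept in plaintext.

Added example for this discussion; it is not code from the hass-pfsense
integration or from Home Assistant. The layout of SAMPLE_STORE (one entry
per integration, credentials under "data") is an assumption used to make
the example self-contained, not something documented on the page.
"""
from __future__ import annotations

import json
import sys
from typing import Any, Iterator

# Key names that usually hold a credential (case-insensitive substring match).
SECRET_KEY_HINTS = ("password", "passphrase", "secret", "token",
                    "api_key", "apikey", "private_key")

# Literal values that are not a live credential.
PLACEHOLDERS = ("<redacted>", "***")


def looks_secret_key(key: str) -> bool:
    """True if the key name suggests it stores a credential."""
    k = key.lower()
    return any(hint in k for hint in SECRET_KEY_HINTS)


def is_placeholder(value: str) -> bool:
    """True for masks, redactions, empty strings, or a Home Assistant-style
    '!secret name' reference that resolves to a value stored elsewhere."""
    v = value.strip()
    return v == "" or v in PLACEHOLDERS or set(v) == {"*"} or v.startswith("!secret ")


def walk(obj: Any, path: tuple[str, ...] = ()) -> Iterator[tuple[tuple[str, ...], Any]]:
    """Yield (path, leaf) for every leaf in nested dicts and lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, path + (str(k),))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, path + (f"[{i}]",))
    else:
        yield path, obj


def find_plaintext_secrets(store: Any) -> list[dict[str, Any]]:
    """Return secret-looking keys whose value is a real (non-placeholder) string.

    Only the path and the length are reported, never the value itself, so the
    audit output can be shared without leaking what it found.
    """
    findings = []
    for path, value in walk(store):
        if not path or not looks_secret_key(path[-1]):
            continue
        if not isinstance(value, str) or is_placeholder(value):
            continue
        findings.append({"path": "/".join(path), "length": len(value)})
    return findings


def summarize_by_domain(store: dict[str, Any]) -> dict[str, list[str]]:
    """Group plaintext credential keys by integration domain.

    Assumes the store is shaped
    {"data": {"entries": [{"domain": ..., "data": {...}}]}}; that shape is
    an assumption made for this example.
    """
    result: dict[str, list[str]] = {}
    for entry in store.get("data", {}).get("entries", []):
        keys = [f["path"].rsplit("/", 1)[-1]
                for f in find_plaintext_secrets(entry.get("data", {}))]
        if keys:
            result[str(entry.get("domain", "?"))] = keys
    return result


# Constructed sample store; hostnames and credential values are made up.
SAMPLE_STORE = json.loads("""
{
  "data": {
    "entries": [
      {"domain": "pfsense", "title": "fw01",
       "data": {"url": "https://fw01.example.invalid/xmlrpc.php",
                "username": "homeassistant", "password": "not-a-real-password"}},
      {"domain": "weather", "title": "local",
       "data": {"api_key": "<redacted>", "latitude": 51.5}}
    ]
  }
}
""")


if __name__ == "__main__":
    # Usage: python audit_secrets.py [path/to/store.json]; defaults to the sample.
    store = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_STORE
    for domain, keys in summarize_by_domain(store).items():
        print(f"{domain}: plaintext credential field(s): {', '.join(keys)}")
```

Against the constructed sample the audit reports only the pfsense entry's `password`; the weather entry's `api_key` is skipped because its value is a redaction placeholder. Point the script at a real store (after converting YAML to JSON if needed) to see which integrations hold live credentials at rest, which is the exposure the replies above are worried about.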
-
I did a bit of digging and think I may have found a way to limit the permissions scope made available to HA by pfSense. There is obviously a little more configuration required on the pfSense side to get it working but would be far more secure. Considering the skill levels of users managing pfSense firewalls the additional setup should not be a problem. I understand @travisghansen you don't have the time for this but would it be something I can try and look into and get your review feedback on the changes? I'm hoping the APIs exposed are in the same format as the integration you are currently using. This would mean simply swapping the url that the API is calling (obviously, this just sounds too easy to be true but let's see)
-
Has there been any progress on read only access? I would really love to get dashboards for pfsense, but giving home assistant the ability to change settings on a firewall is just a bad idea. |
-
Read Only PFsense Integration access option
Currently to use the integration it is required that "god" access is provided to the HA device connecting.
As any HA device has multiple integrations (supported and custom) and it being publicly accessible, there is a fairly high degree of unauthorized-access risk.
I'm hoping there is a way I can pull all the stats without the need to provide any access to modify the pfsense configuration?
Thank you