Author Topic: No login at console when root disabled?  (Read 9131 times)

chemlud

No login at console when root disabled?
« on: June 03, 2016, 10:38:57 am »
Hi again!

Have here a 16.1.15 i386 full on a notebook, root is disabled, another user is admin on this machine. :-)

Works fine, except that I cannot log in to the console on the notebook monitor when password is activated for log-in. Credentials for the admin user give me in the console:

"This user is currently not available."

Does not matter if the user is logged in via https or not...

Bug or feature? ;-)
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

fabian

Re: No login at console when root disabled?
« Reply #1 on: June 03, 2016, 11:08:22 am »
The user needs the shell permission.

chemlud

Re: No login at console when root disabled?
« Reply #2 on: June 03, 2016, 11:18:09 am »
Hi Fabian!

Thanks, that helps a lot! :-D

But when I log in, I get the shell prompt, not the usual 1-9 "shutdown", "reboot", "restart Webinterface" menu. Any way to come to this menu in the console?

regards

chemlud

phoenix

Re: No login at console when root disabled?
« Reply #3 on: June 03, 2016, 11:33:59 am »
Is this user a member of the Admin group?
Regards


Bill

chemlud

Re: No login at console when root disabled?
« Reply #4 on: June 03, 2016, 11:36:22 am »
Yepp, it's the admin, in group admin.

weust

Re: No login at console when root disabled?
« Reply #5 on: June 03, 2016, 01:24:36 pm »
That behaviour is still normal, sadly.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

franco

Re: No login at console when root disabled?
« Reply #6 on: June 04, 2016, 02:48:20 pm »
Ad picked this up in a ticket; I've added a longer comment on how to achieve the essence of what is requested without making the system less secure.

Points:

1) we should not clone root accounts as this has no security benefit

2) the non-root users don't work reliably with the root shell as privilege separation is not good enough

3) sudo ;)


[1] https://github.com/opnsense/core/issues/990

weust

Re: No login at console when root disabled?
« Reply #7 on: June 04, 2016, 05:27:53 pm »
But does sudo give you the menu where you can select something like upgrade or assigning interfaces, etc?

franco

Re: No login at console when root disabled?
« Reply #8 on: June 04, 2016, 05:39:24 pm »
Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:

# sudo su
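Added example, not part of the post above and not OPNsense's own code: one way to stage the sudo rule that `sudo su` depends on, syntax-check it, and only then install it. The login name `alice`, the `90-<login>` file name, and the assumption that /usr/local/etc/sudoers includes a drop-in directory such as /usr/local/etc/sudoers.d are all illustrative.

```shell
#!/bin/sh
# Stage a sudoers drop-in for one non-root admin, validate it, then install it.
# The login name and the "90-<login>" file name are hypothetical.

make_rule() {
    # $1 = login name. Names with anything but a-z, 0-9, _ and - are refused,
    # so the argument cannot smuggle extra sudoers syntax (commas, NOPASSWD,
    # newlines). A dot is refused too: sudo skips drop-in files containing '.'.
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
    esac
    # No NOPASSWD tag: the user must re-enter a password before becoming root.
    printf '%s ALL=(ALL) ALL\n' "$1"
}

install_rule() {
    # $1 = login name
    # $2 = drop-in directory (assumed to be included from the main sudoers file)
    tmp=$(mktemp) || return 1
    if ! make_rule "$1" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # Check syntax before the file goes live; a sudoers file that does not
    # parse makes sudo refuse to run for everyone.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    # sudoers files should be read-only; install by rename so sudo never
    # sees a half-written file.
    chmod 0440 "$tmp" && mv "$tmp" "$2/90-$1"
}

# Usage, as root on the firewall:
#   install_rule alice /usr/local/etc/sudoers.d
```

The installed file must also be owned by root, which is the case when the function is run as root.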

chemlud

Re: No login at console when root disabled?
« Reply #9 on: June 04, 2016, 05:50:44 pm »
Hi!

OK, will try! Is there a console in the GUI? Or run from serial console?

weust

Re: No login at console when root disabled?
« Reply #10 on: June 04, 2016, 06:24:58 pm »
Quote from: franco on June 04, 2016, 05:39:24 pm
Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:

# sudo su

Oh, ok. I get what you mean now.
Next I would need LDAP integration as I don't have local accounts except the root account.
At least, last time I tried, it didn't work. domain\username or simply username doesn't seem to work like in the webpage.

franco

Re: No login at console when root disabled?
« Reply #11 on: June 06, 2016, 04:53:02 pm »
Something like this would probably be needed for real LDAP-backed accounts:

http://www.padl.com/OSS/pam_ldap.html

weust

Re: No login at console when root disabled?
« Reply #12 on: June 06, 2016, 06:53:39 pm »
If it's possible to create a package for that, then it will really help me.

At work I can log in with my Windows Domain account on SLES servers.
No doubt the same software or something similar.
Works great.

franco

Re: No login at console when root disabled?
« Reply #13 on: June 06, 2016, 06:55:56 pm »
It's there under security/pam_ldap; I can add it to the packages for 16.1.17.

weust

Re: No login at console when root disabled?
« Reply #14 on: June 06, 2016, 07:48:56 pm »
Cool! Will test it then.