[SOLVED] Can't su; but user is member of wheel and admin

[z0rk]

OPNsense 18.7.6-amd64
FreeBSD 11.1-RELEASE-p15
LibreSSL 2.7.4

ssh to opnsense; authenticate via key; then:

$ groups my.username
wheel admins
$ su
Password:
su: Sorry
$ su
Password:
su: Sorry
$

Just to be sure the password is correct, I've changed it for 'root' in the GUI. Still no go. What gives? 

[fabian]

can you try sudo, su does not care about the groups - it asks you for the password of the target user.

[z0rk]

Sorry, I am not sure what you're suggesting. I am not trying to use sudo, I am trying to switch user to 'root', so I can access the same options I get when logged in at the console:

0)     Logout                              7)      Ping host
1)     Assign interfaces                         Shell
2)     Set interface(s) IP address         9)      pfTop
3)     Reset the root password             10)     Filter logs
4)     Reset to factory defaults           11)     Restart web interface
5)     Reboot system                       12)     Upgrade from console
6)     Halt system                         13)     Restore a configuration

Maybe I misunderstood you? Thanks Cheers

[franco]

z0rk is correct, wheel is needed for su to work for root:

     PAM is used to set   the policy su(1) will use.  In particular, by default
     only users   in the ``wheel'' group can switch to UID 0 (``root'').   This
     group requirement may be changed by modifying the ``pam_group'' section
     of   /etc/pam.d/su.   See pam_group(8) for details on   how to modify this
     setting.

via https://www.freebsd.org/cgi/man.cgi?su

Check your password for typos or special characters as keyboard layouts may differ.

When you have integrated authentication, the password for root follows the web GUI settings, so TOTP, LDAP, etc. works too. This is true for su, ssh et. al. when the "disable integrated authentication" setting is off, which is the default.

In a nutshell, it's the same password that you use to *log in* root on the web GUI, minus encoding issues / keyboard mapping differences mentioned earlier.


Cheers,
Franco

[z0rk]

Hey Franco
I did change the password for 'root' to only include upper / lower case characters and numbers.
I've got TOTP enabled for the user account that I use to connect via ssh, but not for 'root'. I don't use 'root' to log in to the web GUI only my user account. So effectively I can' 'su' because TOTP is not enabled for 'root'?

[franco]

Yep, enable checkbox for "Disable integrated authentication" and it'll work as you would expect.


Cheers,
Franco

[franco]

PS: Unless you use 2FA for SSH login of course. Then you're kinda stuck.