OPNsense Forum

English Forums => General Discussion => Topic started by: 127.0.0.1 on September 11, 2020, 01:35:05 pm

Title: Can't login as root
Post by: 127.0.0.1 on September 11, 2020, 01:35:05 pm
I have an OPNsense firewall configured for OpenVPN VPN access with the users configured for 2FA. All is working as expected.

Previously the root account was disabled (I didn't set up the appliance, so it was done by someone else). I am now trying to enable the root account again, to be used in emergency situations only.

 - I re-enabled the root account again under 'system | access | users'
 - I have reset the password to one I know.
 - Under 'System | Settings | Administration' I have made sure that 'Permit root user login' is checked.

I still don't seem to be able to login with the root account via the administration GUI. The error is:

'Wrong username or password'

Any suggestions?

Thanks

Title: Re: Can't login as root
Post by: errored out on September 12, 2020, 02:35:31 am
Quote
I have an Opnsense firewall configured for OpenVPN VPN access with the users configured for 2FA.

I'm guessing MFA is enabled for all users on the network. Meaning, it has also been enabled and required for the root account as well.

Try to create the missing factor authentication for the root account.

Title: Re: Can't login as root
Post by: fmustafa on September 12, 2020, 09:09:57 pm
Hello "127.0.0.1",

Were you able to test the root access via the Tester?
"System: Access: Tester"

I would also suggest checking whether there was any expiration date set on the root account.

Good Luck,

Title: Re: Can't login as root
Post by: Vilhonator on September 13, 2020, 06:12:37 pm
If you are trying to get Root working via SSH, then check that Root has all Effective Privileges in user management (just add all of them).

Title: Re: Can't login as root
Post by: 127.0.0.1 on September 15, 2020, 02:48:51 pm
Thanks for all the responses.

@fmustafa
I have tried to use the Tester as suggested ("System: Access: Tester"). When I test root with the local DB I get "auth successful", so the password is definitely correct. If I try to log in as root via SSH or the GUI, it says incorrect details.

@errored out
I don't think it's set up for 2FA for the root user, because under the root user profile it shows nothing in the GUI section for 'OTP Seed'.

Having said that, I found this article, which mentions: "System ‣ Settings ‣ Administration, section Authentication you should change this to your newly added authentication server to make sure no local user can gain access without 2FA"

https://docs.opnsense.org/manual/how-tos/two_factor.html

I assume that applies to the root account also? Is there a way to not have root as 2FA? (To only be used in case of emergency if there is a problem with 2FA)

Thanks

Title: Re: Can't login as root
Post by: hunter86_bg on September 15, 2020, 09:54:00 pm
Root is not allowed to ssh by default (and there is a reason).

In my firewall I created an unprivileged, non-administrator user that was allowed to ssh only.
Then I added a sudo rule that allows that unprivileged user to switch to another, more privileged user, and that second user has a sudo rule that allows it to switch to root.

If you decide to allow root directly over ssh, verify the login shell for it. By default it is '/sbin/nologin', which obviously prevents logins.

Edit: Check system -> settings -> administration -> Login Group to control which group can reach over ssh.

Title: Re: Can't login as root
Post by: errored out on September 16, 2020, 01:11:05 am
I highly recommend you use MFA for admin accounts, especially the root account, and do not configure them for user/pass only.

If anything, that would be the exact opposite of what IT admins would want / set, as that would allow a large security weakness in your system with the highest of rights. Also, I have not read of users experiencing issues with the MFA on here. I think it was added to version 17 or 18 and has still been included / used.

With that said, I know you can. I now remember I had this split authentication before. I'm a little fuzzy on the specifics, so I'll give you what I remember/believe.

1. Systems>Access>Servers.  Add / configure all authentication (servers) methods you want to use.

2. System>Settings>Admin>Auth.  In the drop-down, select the Servers you want to use for authentication.

Accounts configured with passwords only will authenticate against the "Local DB". Accounts you want to use a different method / server, e.g. MFA, would need to have those parts of the user account configured (including in the user's FW account or elsewhere, depending on the method you selected).
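
The behaviour the thread circles around (the Tester succeeds against the local DB while the GUI refuses root, and adding "Local Database" back into the Administration > Authentication list lets root in but also lets every other local user skip their token) can be seen in a small model of an authentication chain. The following is an added example, not OPNsense code: the user table, passwords and OTP seed are constructed sample data, the server names are labels for the two server types discussed, and it assumes the TOTP server expects the 6-digit token immediately followed by the password in one field (the documented OPNsense default; the "reverse token order" option is not modelled). The TOTP routine itself follows RFC 6238 with HMAC-SHA1.

```python
"""Model of an admin-login authentication chain with a password-only server
and a password+TOTP server selected in order (added example, not OPNsense code)."""
import base64
import hashlib
import hmac
import struct
from datetime import date

DIGITS = 6   # token length
STEP = 30    # TOTP time step in seconds


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2 stand-in for the hash kept in the local user database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(password, salt, otp_seed=None, disabled=False, expires=None):
    return {"pw": hash_password(password, salt), "salt": salt,
            "otp_seed": otp_seed, "disabled": disabled, "expires": expires}


# Constructed local user database (OPNsense keeps the real one in config.xml).
USERS = {
    "root":  make_user("Emergency!23", b"salt-root"),        # no OTP seed, like the poster's root
    "alice": make_user("hunter2", b"salt-alice",
                       otp_seed="GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),  # RFC 6238 test key, base32
    "bob":   make_user("bobpass", b"salt-bob", expires=date(2020, 1, 1)),  # expired account
}


def totp(seed_b32: str, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(seed_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def account_usable(user: dict, today: date) -> bool:
    """Disabled or expired accounts are refused by every server."""
    if user["disabled"]:
        return False
    return user["expires"] is None or today <= user["expires"]


def password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user["salt"]), user["pw"])


def local_db(username, secret, now, today):
    """'Local Database' server: password only (what the Tester page exercises)."""
    user = USERS.get(username)
    return bool(user) and account_usable(user, today) and password_ok(user, secret)


def local_totp(username, secret, now, today):
    """'Local + TOTP' server: token then password in one field; needs an OTP seed."""
    user = USERS.get(username)
    if not user or not account_usable(user, today) or not user["otp_seed"]:
        return False  # a user with no OTP seed can never pass this server
    token, password = secret[:DIGITS], secret[DIGITS:]
    # accept one step of clock drift either side
    valid = [totp(user["otp_seed"], now + d * STEP) for d in (-1, 0, 1)]
    token_ok = any(hmac.compare_digest(token, v) for v in valid)
    return token_ok and password_ok(user, password)


SERVERS = {"Local Database": local_db, "Local + TOTP": local_totp}


def authenticate(servers, username, secret, now, today=date(2020, 9, 15)):
    """Try the selected servers in order; return the name of the first one that
    accepts the login, or None when all refuse (the GUI's 'Wrong username or password')."""
    for name in servers:
        if SERVERS[name](username, secret, now, today):
            return name
    return None


if __name__ == "__main__":
    T = 59  # fixed Unix time so the run is repeatable
    print("Tester, root vs Local DB:     ", authenticate(["Local Database"], "root", "Emergency!23", T))
    print("GUI, only TOTP selected, root:", authenticate(["Local + TOTP"], "root", "Emergency!23", T))
    alice_login = totp(USERS["alice"]["otp_seed"], T) + "hunter2"
    print("GUI, only TOTP, alice+token:  ", authenticate(["Local + TOTP"], "alice", alice_login, T))
    print("GUI, TOTP then Local DB, alice without token:",
          authenticate(["Local + TOTP", "Local Database"], "alice", "hunter2", T))
```

Running it shows the two halves of the poster's situation: with only the TOTP server selected, root (no OTP seed) is refused even though the Tester accepts the same password against "Local Database"; with "Local Database" appended as a fallback, root gets in, but so does alice with her bare password, which is exactly the gap the linked how-to warns about. The expiry check mirrors fmustafa's suggestion to look at the account's expiration date, since an expired account fails on every server regardless of the password.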

Title: Re: Can't login as root
Post by: 127.0.0.1 on September 17, 2020, 10:19:08 am
Many thanks for the answers. SSH and the admin port are locked down and not accessible from external so there is less of a risk. It's good to know there are options but I will probably leave it on 2FA for now then.

Thanks