Hello,
I am able to log in via ssh as root using a password for login. I have created a group with super-user privileges and a member user with super-user privileges for testing purposes. The tester via the webgui indicates a successful login attempt, but when I log in, I receive a message of the form: 'NO LOGINS: System going down at 22:15 / Administrator refusing you: /var/run/login'. When I log in as root, I can switch user to the account I created. The .login file for my user indicates it is using csh for its login script, as I had set up via the webgui. My intent is to eventually have normal users be able to sftp to and from the machine, but am unable to do so now because of this limitation. Has anyone experienced this issue previously, and does anyone know of a fix or what I have done incorrectly to create the issue?
Thanks in advance.
I made a typo in my original post. I am only able to log in via SSH as root, and not as any other user including a user with super-user privileges. I am running version 21.1.4. If anyone has any insight into what I might be doing incorrectly, please let me know.
Thanks
Hi srich,
You need to assign a shell to this user in their settings.
Cheers,
Franco
Hello,
I did assign csh, yet I still have the problem. The user's home directory has a .cshrc file and a .login file indicating that the shell is set correctly (I think), but I still get the issue.
Thanks
Did you set a login group in System>Settings>Administration>Secure Shell?
Create a group, add the user to the group and allow that and wheel to login.
Alternatively you can use the admins group, and just set Wheel,Admins
I included the group in login groups for secure shell originally. The etc/passwd file includes the user with the appropriate home directory and shell; however, above that there is the following entry:
'sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin' Could this be overriding any users which are listed after that?
That is normal. Should not affect anything.
Just make sure the account in question that you setup is correct.
To recap
Create a user account. Create a group account (ie: sshaccess)
Edit user account to have a shell (personally I just use /bin/sh). Add user to group in same page. Add the authorized key if you have one.
Go to System>Settings>Administration>Secure Shell
set the access to wheel,sshaccess
If you aren't using key authentication (you should), check the box to allow password logins. Save.
I did all of the above, and still have the issue. I know that I set up the group and the users correctly because I can see the appropriate entries in /etc/passwd (for the shell) and /usr/local/etc/ssh/sshd for the group. Something else seems to be amiss.
Is the shell listed next to the user account name in /etc/passwd?
IE:
cat /etc/passwd | grep username
username:*:uid:gid::/home/username:/bin/sh
And similar in /etc/group
cat /etc/group | grep username
groupname:*:gid:username1,username2
I just changed my user to use /bin/csh over /bin/sh. It still works. FWIW I am on 21.1.4 OpenSSL as of today. 21.1.3_3 previously. Originally installed/upgraded from 20.7.
etc/group:
family:*:2000:scott,testuser
etc/passwd:
testuser:*:2001:65534:Test User:/home/testuser:/bin/csh
/usr/local/etc/ssh/sshd:
AllowGroups wheel family
Both user scott and user testuser encounter the same issue.
So if you run
cat /etc/group | grep scott
What is the output?
same for
cat /etc/group | grep testuser
Also is PasswordAuthentication set to yes or no in /usr/local/etc/ssh/sshd_config?
They are the same:
family:*:2000:scott,testuser
password authentication is set to yes:
/usr/local/etc/ssh/sshd_config:
AllowGroups wheel family
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
OPNsense uses its own PAM module and stores users in a separate database. You did create all settings through the UI, right? Adding a user manually to password and group files won't work.
I did everything through the UI per the instructions on the site. I just verified the settings after the fact.
I just tried the process again--I created a new user, new group, and gave the group login privileges via SSH--all via the GUI, but to no avail. Having the root user logged onto the console or logged off does not affect the behavior either. Is there some other manner in which I can provide sftp access to a group over my LAN (protected interface)?
Thanks for any advice anyone can proffer.
OK, got me ...
I am the author of this small Vagrant project and I can assure you, you can login as the "vagrant" user to this OPNsense instance just fine:
https://github.com/punktDe/vagrant-opnsense
So let's see, what I configured ... see screenshots, please.
This works. Definitely:
$ vagrant ssh
----------------------------------------------
| Hello, this is OPNsense 21.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
You can often get answers to your questions about FreeBSD by searching in the
FreeBSD mailing list archives at
http://freebsd.markmail.org
$ id
uid=1001(vagrant) gid=0(wheel) groups=0(wheel),1999(admins)
$ pwd
/usr/home/vagrant
HTH,
Patrick
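
The checks walked through in this thread (login shell in passwd, group membership, AllowGroups, PasswordAuthentication) can be replayed in one pass; the script below is an added example, not part of any post, and the function name and finding labels are hypothetical. Its last check is an addition based on FreeBSD's nologin(5) behaviour, where a "NO LOGINS" notice is kept in /var/run/nologin and only root may log in while that file exists; the thread does not confirm this as the cause.

```shell
#!/bin/sh
# Added example: replays the thread's checks on copies of the relevant files.
# Prints space-separated findings, or "ok" when none of the checks fails.
check_ssh_login() {
    user=$1; passwd=$2; group=$3; sshd=$4; nologin=${5:-/var/run/nologin}
    findings=""
    add() { findings="${findings:+$findings }$1"; }

    # Login shell (field 7) and primary gid (field 4) from the passwd file.
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd")
    gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$passwd")
    case $shell in
        "")        add no-shell-in-passwd ;;
        */nologin) add shell-is-nologin ;;
    esac

    # Group names: the primary group plus every group listing the user.
    groups=$(awk -F: -v u="$user" -v g="$gid" '
        g != "" && $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$group")

    # AllowGroups: exact names only here (sshd also accepts patterns).
    allowed=$(awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$sshd")
    if [ -n "$allowed" ]; then
        hit=no
        for g in $groups; do
            if printf '%s\n' "$allowed" | grep -qxF -- "$g"; then hit=yes; fi
        done
        [ "$hit" = yes ] || add not-in-AllowGroups
    fi

    # First PasswordAuthentication line wins; "no" means key-only logins.
    pw=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }' "$sshd")
    if [ "$pw" = no ]; then add password-auth-disabled; fi

    # FreeBSD nologin(5): while this file exists, only root may log in.
    if [ "$user" != root ] && [ -e "$nologin" ]; then add nologin-file-present; fi

    echo "${findings:-ok}"
}

# Constructed sample files using the values quoted in the thread.
demo() {
    d=$(mktemp -d)
    echo 'testuser:*:2001:65534:Test User:/home/testuser:/bin/csh' > "$d/passwd"
    echo 'family:*:2000:scott,testuser' > "$d/group"
    printf 'AllowGroups wheel family\nPasswordAuthentication yes\n' > "$d/sshd_config"
    check_ssh_login testuser "$d/passwd" "$d/group" "$d/sshd_config" "$d/nologin"
    rm -rf "$d"
}
demo
```

On the firewall itself, point the arguments at /etc/passwd, /etc/group and /usr/local/etc/ssh/sshd_config and omit the fifth argument to test the real /var/run/nologin.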