OPNsense Forum

English Forums => General Discussion => Topic started by: svenny on May 24, 2021, 12:06:51 PM

Title: Permit Users to change their own password
Post by: svenny on May 24, 2021, 12:06:51 PM
Hi all,

I want to offer my users the opportunity to change their password, so through "System: Access: Users: System Privileges" I gave them the "System: User Password Manager" permission. This is intended for VPN password changing every 90 days, so the users are able to change their password without admin intervention.

Is it safe to give out this kind of permission? (Access to the OPNsense GUI is allowed only via LAN.)

Many thanks in advance.



Title: Re: Permit Users to change their own password
Post by: franco on May 24, 2021, 07:15:24 PM
Yes, but it is unclear to me how you want to enforce that password change rule with a local database.

The users are not forced to the GUI where they are forced to change their password, because they use the password to connect to the VPN first.

And if it is a remote database you can't change it from the web GUI. ;)


Cheers,
Franco

Title: Re: Permit Users to change their own password
Post by: svenny on May 24, 2021, 08:05:27 PM
Many thanks for your reply. I would not enforce password changing on my users; I'll just suggest changing the password every 90 days via the OPNsense GUI when they are connected to the LAN (yes, I'll use the local database of OPNsense). I've tested it now; it's even possible to change a user's password when connected through the VPN, without losing the connection.

Title: Re: Permit Users to change their own password
Post by: franco on May 24, 2021, 08:43:14 PM
Right, that is no problem then.

You just got to be careful about the reneg-sec default of 3600 seconds that might disconnect you some time after password change since OpenVPN uses the old password to renegotiate.

It's a similar problem to using OTP with OpenVPN.


Cheers,
Franco