With the option "Disable integrated authentication" activated, it is not possible to log in at the console or to su over SSH.
OPNsense version 23.1.11_2
Context:
I have configured 2FA with TOTP and set up a user (not root) with an OTP seed. This user is a member of the group "admins". Additionally, I configured SSH public keys for that user. Login to the web GUI with 2FA and SSH login with the public key both work well. The user 'root' has neither an OTP seed nor a public key.
As a fallback in case of problems with 2FA, I wanted to log in via SSH with a key or at the console. But as soon as I activate "Disable integrated authentication", I cannot log in at the console and I cannot su to root over SSH.
Thanks for any hint!
But if you enable it, console and su work? oO
I'm not sure about su (it requires the password of the account you want to move to). I've moved to only using sudo (optionally requiring the password of the account you are currently logged in with).
Cheers,
Franco
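As an added example (not part of this thread and not OPNsense's own configuration), this is what a sudoers rule along the lines Franco suggests could look like: members of the group can become root with their own password, so root's password and the OTP seed are never needed for the fallback path. The group name "admins" is taken from the original post; the drop-in path and the assumption that a sudo package (the os-sudo plugin) is installed are mine.

```sudoers
# Added example, not from the thread. Assumed location:
# /usr/local/etc/sudoers.d/admins (path is an assumption).

# Members of "admins" authenticate with their OWN password, not root's.
# Keep the cached-credential window short so an unattended SSH session
# cannot be reused to regain root later.
Defaults:%admins timestamp_timeout=5
Defaults:%admins passwd_tries=3

# Full root for the admins group, password required.
%admins ALL=(ALL) ALL

# Weaker variant: no password at all. With this line a stolen SSH key
# alone is full root on the firewall; leave it commented out unless the
# key is hardware-bound and console access is locked down as well.
# %admins ALL=(ALL) NOPASSWD: ALL
```

Check the file with `visudo -c -f /usr/local/etc/sudoers.d/admins` before logging out of the root session you used to create it; a syntax error in a drop-in can make sudo refuse to run at all, which is the same lock-out you were trying to avoid.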
If I have enabled 2FA with the local database and "Disable integrated authentication" is deactivated, I can log in at the console with the user, with and without OTP, and also as root with the password.
FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)
login: root
Password:
Last login: Fri Oct 20 16:29:16 on ttyu0
----------------------------------------------
| Hello, this is OPNsense 23.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***
CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24
HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH: SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH: SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH: SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)
0) Logout 7) Ping host
1) Assign interfaces 8) Shell
2) Set interface IP address 9) pfTop
3) Reset the root password 10) Firewall log
4) Reset to factory defaults 11) Reload all services
5) Power off system 12) Update from console
6) Reboot system 13) Restore a backup
Enter an option:
Connecting to the device via SSH/pubkey with the user works, and I can su to root:
~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 12:33:38 2023 from 192.168.1.100
----------------------------------------------
| Hello, this is OPNsense 23.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:
*** OPNsense.occami.infra: OPNsense 23.1.11_2 ***
CFG_Admin_Local (igb0) -> v4: 192.168.1.1/24
LAN_Infra_Local (ix0) ->
LAN_Infra_Radio (vlan01) ->
LAN_Infra_WLAN (vlan02) -> v4: 10.0.1.129/25
LAN_Public_Backup (vlan03) ->
WAN_Public_Access (igb1) -> v4/DHCP4: 192.168.178.25/24
HTTPS: SHA256 5E 99 57 74 85 72 52 90 D3 DF 6B 0C E9 3D F8 B5
6F 3A 8F 7C F6 A7 D0 9A 77 98 B8 99 64 A9 93 E7
SSH: SHA256 8yafIRgFQ21iCl4AJF56oEODquLTyKdEbPBXbtS30gM (ECDSA)
SSH: SHA256 SrrUo+UJhaXi/cZyTFu+cekJLH4OVV+D350hVsuYrXU (ED25519)
SSH: SHA256 JJiT0rGWy4RZ/+rnBIM4oltpRXEBzxBmZ78u4s3nEq4 (RSA)
0) Logout 7) Ping host
1) Assign interfaces 8) Shell
2) Set interface IP address 9) pfTop
3) Reset the root password 10) Firewall log
4) Reset to factory defaults 11) Reload all services
5) Power off system 12) Update from console
6) Reboot system 13) Restore a backup
Enter an option:
Then I activate "Disable integrated authentication"; nothing else is changed. After that I can't log in at the console with any account, with or without OTP.
FreeBSD/amd64 (OPNsense.occami.infra) (ttyu0)
login: root
Password:
Login incorrect
I can still log in via SSH/pubkey, but I can't su to root.
~]$ ssh admin@192.168.1.1 -p 7016
Last login: Fri Oct 20 16:10:53 2023 from 192.168.1.100
----------------------------------------------
| Hello, this is OPNsense 23.1 | @@@@@@@@@@@@@@@
| | @@@@ @@@@
| Website: https://opnsense.org/ | @@@\\\ ///@@@
| Handbook: https://docs.opnsense.org/ | )))))))) ((((((((
| Forums: https://forum.opnsense.org/ | @@@/// \\\@@@
| Code: https://github.com/opnsense | @@@@ @@@@
| Twitter: https://twitter.com/opnsense | @@@@@@@@@@@@@@@
----------------------------------------------
admin@OPNsense:~ $ su
Password:
su: Sorry
::)
I just did another test. I reset the device to factory defaults. Login at the console works as expected.
Then I only activated the option "Disable integrated authentication", and I was no longer able to log in at the console.
Is this an intended behavior?
Thanks, I found I could reproduce this now:
https://github.com/opnsense/core/pull/6954/commits/ed530068e4
# opnsense-patch ed530068e4
Does that help?
Cheers,
Franco
That solved the problem with console login and su for me.
Thanks a lot!
Ok good. Not entirely sure if this will make 23.7.7 this week, but I will try. If not, it will require a reapply, but this only concerns going from disabled to enabled and back... normal operation is fine.
Cheers,
Franco