OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: z0rk on November 03, 2018, 11:23:05 pm

Title: [SOLVED] Can't su; but user is member of wheel and admin
Post by: z0rk on November 03, 2018, 11:23:05 pm
OPNsense 18.7.6-amd64
FreeBSD 11.1-RELEASE-p15
LibreSSL 2.7.4

ssh to opnsense; authenticate via key; then:

$ groups my.username
wheel admins
$ su
Password:
su: Sorry
$ su
Password:
su: Sorry
$

Just to be sure the password is correct, I've changed it for 'root' in the GUI. Still no go. What gives?  :'(
Title: Re: Can't su; but user is member of wheel and admin
Post by: fabian on November 04, 2018, 07:50:51 am
Can you try sudo? su does not care about the groups - it asks you for the password of the target user.
Title: Re: Can't su; but user is member of wheel and admin
Post by: z0rk on November 04, 2018, 06:07:28 pm
Sorry, I am not sure what you're suggesting. I am not trying to use sudo, I am trying to switch user to 'root', so I can access the same options I get when logged in at the console:

0)     Logout                              7)      Ping host
1)     Assign interfaces                   8)      Shell
2)     Set interface(s) IP address         9)      pfTop
3)     Reset the root password             10)     Filter logs
4)     Reset to factory defaults           11)     Restart web interface
5)     Reboot system                       12)     Upgrade from console
6)     Halt system                         13)     Restore a configuration

Maybe I misunderstood you? Thanks, Cheers
Title: Re: Can't su; but user is member of wheel and admin
Post by: franco on November 04, 2018, 06:57:02 pm
z0rk is correct, wheel is needed for su to work for root:

     PAM is used to set the policy su(1) will use.  In particular, by default
     only users in the ``wheel'' group can switch to UID 0 (``root'').  This
     group requirement may be changed by modifying the ``pam_group'' section
     of /etc/pam.d/su.  See pam_group(8) for details on how to modify this
     setting.

via https://www.freebsd.org/cgi/man.cgi?su

Check your password for typos or special characters as keyboard layouts may differ.

When you have integrated authentication, the password for root follows the web GUI settings, so TOTP, LDAP, etc. works too. This is true for su, ssh et al. when the "disable integrated authentication" setting is off, which is the default.

In a nutshell, it's the same password that you use to *log in* root on the web GUI, minus encoding issues / keyboard mapping differences mentioned earlier.


Cheers,
Franco
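A small offline diagnostic for the two conditions Franco lists (the pam_group requirement in /etc/pam.d/su and the caller's group membership). This is an added example, not part of the thread or of OPNsense; it runs against a constructed pam.d/su sample modelled on the FreeBSD default instead of the live file, and the `groups` output is passed in as a string.

```shell
#!/bin/sh
# Constructed sample of /etc/pam.d/su (FreeBSD-style layout; not copied from a live box).
SAMPLE_PAM=$(mktemp)
cat > "$SAMPLE_PAM" <<'EOF'
# auth
auth		sufficient	pam_rootok.so		no_warn
auth		sufficient	pam_self.so		no_warn
auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe ruser
auth		include		system
EOF

# su_required_group PAMFILE -> prints the group= value of the pam_group auth line (empty if none)
su_required_group() {
    awk '$1 == "auth" && $3 == "pam_group.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^group=/) { sub(/^group=/, "", $i); print $i }
         }' "$1"
}

# user_in_group GROUP "groups output" -> exit 0 when GROUP appears in the list
user_in_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# diagnose PAMFILE "groups output" -> one line naming the most likely reason su says "Sorry"
diagnose() {
    grp=$(su_required_group "$1")
    if [ -z "$grp" ]; then
        echo "no pam_group restriction: su is gated only by the root password"
    elif user_in_group "$grp" "$2"; then
        # Group check passes, so PAM moved on to the password itself. With integrated
        # authentication enabled (the default) that is the web GUI root credential,
        # including any TOTP configured for root.
        echo "group ok ($grp): root password rejected, check web GUI root credential / integrated authentication"
    else
        echo "user is not in required group $grp"
    fi
}

# Reproduce the thread: member of wheel and admins, su still fails -> password side.
diagnose "$SAMPLE_PAM" "wheel admins"
```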
Title: Re: Can't su; but user is member of wheel and admin
Post by: z0rk on November 04, 2018, 07:42:31 pm
Hey Franco
I did change the password for 'root' to only include upper / lower case characters and numbers.
I've got TOTP enabled for the user account that I use to connect via ssh, but not for 'root'. I don't use 'root' to log in to the web GUI, only my user account. So effectively I can't 'su' because TOTP is not enabled for 'root'?
Title: Re: Can't su; but user is member of wheel and admin
Post by: franco on November 04, 2018, 09:41:05 pm
Yep, enable checkbox for "Disable integrated authentication" and it'll work as you would expect. :)


Cheers,
Franco
Title: Re: Can't su; but user is member of wheel and admin
Post by: franco on November 04, 2018, 09:47:11 pm
PS: Unless you use 2FA for SSH login of course. Then you're kinda stuck.