OPNsense Forum

English Forums => General Discussion => Topic started by: wimopn on February 20, 2019, 11:56:19 am

Title: toor loginshell + value of pw
Post by: wimopn on February 20, 2019, 11:56:19 am
Hi,

I've got OPNsense 19.1.1.


1) toor loginshell
Most technical users have /usr/sbin/nologin as a login shell: in my understanding this is very safe.
I see on my install that the toor user has a missing login shell: Is there something missing?
Code:
toor:*:0:0::0:0:Bourne-again Superuser:/root:
2) PW value
In the old Unixes it was possible to force an "illegal" password into the passwd file so that no real password would match the encrypted string. How can I check this for all the "technical" users, or do I just set the value with chpass?
The encrypted strings are stored in spwd.db => is there a simple tool to read this?


Keep up the good work with OPNsense !!

Best Regards,

Wim

EDIT:
I know toor is a NetBSD thing, and having a superuser with another login shell can be a safety measure ...

Title: Re: toor loginshell + value of pw
Post by: franco on February 20, 2019, 08:34:28 pm
Hi Wim,

Good questions... Regarding toor, it seems to be a historic remnant.

https://www.google.de/amp/s/linux-audit.com/what-is-the-toor-user-on-freebsd/amp/

Looking at your other question, "*" is the magic value you ask about. toor has it set as well.

Standard users are there and match up with FreeBSD. We could harden them by removing them, but we're not aware of any potential loopholes with these users present. Also, system users will not be accepted when creating OPNsense users, so there is no problematic interaction between them.


Cheers,
Franco



Title: Re: toor loginshell + value of pw
Post by: wimopn on February 20, 2019, 11:29:25 pm
Hi Franco,

I'm just protecting myself from logins with PuTTY on port 22. (I know... even on the LAN I should use another port, and on the WAN this port is blocked by the default rules.)

In the (very old) passwd layout, before the shadow thingy, I could very quickly check if the pw was '*' (no login possible), a real password, or (heaven forbid!) an empty password...

Now with spwd.db, with the tool chpw I always see an '*' in the password field, even if I run the command as root. In the man pages I read that one should see the encrypted string when this command is executed as root. I do not see the encrypted string, even if I try this for a user that has a normal password (for example my own user ...)

So the question is: How do I check that all the defined users in the passwd are properly locked... There are 34 users => 31 of them are "technical" users (isn't scripting fun ;D )
Code:

# list account names from /etc/passwd, dropping root, my own user and comment lines
# cut -d: -f1 /etc/passwd | grep -v -e '^root$' -e '^wim$' -e '^#' | xargs echo -n; echo
toor installer daemon operator bin tty kmem games news man sshd smmsp mailnull bind unbound
proxy _pflogd _dhcp uucp pop auditdistd www _ypldap hast nobody _flowd dhcpd ntopng squid

This is just asking. I think the OPNsense guys are doing a great job and cannot know about each package and which users are created on the system by installing the packages that are already checked by the FreeBSD guys.

Is there a security check script that inspects a running system for known problems like this? I suppose you check this when prepping a new distro?


Best regards,

Wim
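The check asked for in the last post (which accounts are properly locked, and which still have a login shell, as raised in the first post) can be scripted against /etc/master.passwd, the root-readable source file that pwd_mkdb(8) compiles into spwd.db. The script below is an added example, not code from the thread or from the OPNsense or FreeBSD projects. It reads master.passwd-format lines (the same ten-field layout as the toor line quoted in the first post), classifies the password field as locked, empty or a real hash, and treats an empty shell field as /bin/sh as passwd(5) does. The sample data is constructed; the "$6$..." strings are placeholders, not real hashes, and the "*LOCKED*" prefix is the form pw(8) lock writes.

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense project): audit a FreeBSD
# master.passwd(5) file for accounts that can still log in with a password.
# Field layout (10 fields): name:password:uid:gid:class:change:expire:gecos:home:shell
# /etc/master.passwd is the root-readable source that pwd_mkdb(8) compiles into
# spwd.db, so it is the place to read the real password field.

# Constructed sample in master.passwd format. The "$6$..." strings are
# placeholders standing in for crypt(3) hashes, not real hashes.
SAMPLE_MASTER_PASSWD='root:$6$saltsalt$PLACEHOLDERHASHrootPLACEHOLDER:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
wim:$6$saltsalt$PLACEHOLDERHASHwimPLACEHOLDER:1001:1001::0:0:Wim:/home/wim:/bin/sh
scratch::1002:1002::0:0:forgotten test user:/home/scratch:/bin/sh
svc:*LOCKED*$6$saltsalt$PLACEHOLDERHASHsvc:1003:1003::0:0:locked with pw lock:/nonexistent:/usr/sbin/nologin'

# Read master.passwd lines on stdin and print one report line per account:
#   <name> <password-state> <shell-state>
# password-state: locked  - field starts with "*" or "!" (no hash can match it;
#                           "*LOCKED*..." is what pw(8) lock writes)
#                 empty   - no password at all
#                 hash    - a real hash, so a password exists
# shell-state:    nologin - shell ends in "nologin"
#                 shell:<path> - an interactive shell; an empty field means
#                           /bin/sh per passwd(5)
audit_master_passwd() {
    awk -F: '
        /^#/ || NF < 10 { next }           # skip comments and malformed lines
        {
            pw = $2; shell = $10
            if (pw == "")              pwstate = "empty"
            else if (pw ~ /^[*!]/)     pwstate = "locked"
            else                       pwstate = "hash"
            if (shell == "")           shell = "/bin/sh"
            if (shell ~ /nologin$/)    shstate = "nologin"
            else                       shstate = "shell:" shell
            print $1, pwstate, shstate
        }'
}

# Keep only accounts that could still authenticate with a password: the
# password field is not locked AND the shell is interactive. Output is
# name:password-state:shell so it can be fed to further scripting.
find_loginable() {
    audit_master_passwd | awk '$2 != "locked" && $3 != "nologin" { print $1 ":" $2 ":" $3 }'
}

# Demonstration on the constructed sample; on a live box run as root:
#   find_loginable < /etc/master.passwd
printf '%s\n' "$SAMPLE_MASTER_PASSWD" | find_loginable
```

On the sample this reports root and wim (real hashes with a shell) and scratch (empty password with a shell), while toor, daemon, sshd and svc are locked by their "*" password field even where, as for toor, the missing shell field would default to /bin/sh. The password field and the shell are checked separately on purpose: an account with "*" cannot authenticate by password regardless of its shell, and an account with nologin still needs a locked password to be safe against other authentication paths.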