OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: s.simma on March 18, 2019, 06:28:08 pm

Title: [SOLVED] ssh permitopen no longer possible in version 18.7.x
Post by: s.simma on March 18, 2019, 06:28:08 pm
Hello all,
We have changed our firewall from IPCop to OPNsense 18.1. Everything went smoothly. Congratulations to the developers, really good product.

But after updating to 18.7 the following is no longer possible.
In version 18.1.x
it was possible to "permitopen" SSH traffic to LAN IPs by using the following settings:

1. create a user in OPNsense e.g. servicessh
2. do not assign this user to "Member Of"
3. under "Authorized keys" enter a list with users who have direct ssh access from outside to their workstations in the company.
permitopen="10.0.5.24:3389",no-pty,command="/bin/false" ssh-rsa .......t5eTCBiypz56eyQ............== rsa-key-20180708
......
......
......
4. Create a corresponding rule WAN address (8022) -> LAN

------------------------------------------------------------
now in 18.7.x
there is a new field "shell login",
and whatever you select there (/sbin/nologin, /bin/csh, ....) the above mentioned functionality is no longer possible.

And as we need this, I had to go back to 18.1.13.

Does anybody have an idea how this can be done in 18.7?
I would really appreciate any help.

Title: Re: ssh permitopen no longer possible in version 18.7.x
Post by: franco on March 18, 2019, 08:24:22 pm
Hi there,

Not sure if this is our change or from a newer version of OpenSSH. I don't know that functionality... What are you trying to achieve with this?


Cheers,
Franco
Title: Re: ssh permitopen no longer possible in version 18.7.x
Post by: s.simma on March 18, 2019, 10:54:29 pm
Hello franco,

Thanks for your answer.

What we have done for many years is to build SSH tunnels on our firewall to local workstations. (A certain authentication key gives access to a certain computer in the local network.)
Inside this tunnel remote users (all with the same user name, e.g. "servicessh") access their local computers from home by using RDP. This is supported by all Linux distributions.
In other words, an SSH tunnel is not created based on the user name but on the authentication key.

In the authorized keys file you have to enter one line per key and IP,
e.g.
permitopen="<my workstation-ip>:3389",no-pty,command="/bin/false" ssh-rsa <Authentication key>
....
....
....

for more details:
https://www.freebsd.org/cgi/man.cgi?sshd(8)
AUTHENTICATION

The difference between 18.1 and 18.7 must be in the configuration of SSH users or the SSH server.

After additional searching I have seen there is another additional field in 18.7/19.1 (Settings -> Administration -> "Login Group").
Maybe the problem is: if there is a user (in my case user: servicessh) which is not assigned to a group here, no SSH tunneling is possible at all.

I think the big difference between 18.1 and 18.7/19.1 is:
18.1: If a user was not assigned to an OPNsense group, things were handled by the operating system.
18.7: If a user is not assigned to the new "Login group", SSH login for this user is disabled by OPNsense entirely.

There is a Login Group: WHEEL?
But it is not possible to assign a user to this group. I think it would work if I could assign a user to this WHEEL group, but how?

regards
siegi
 
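To audit the "one line per key and IP" format described above, here is an added example (not from the thread or from OPNsense) that parses authorized_keys option lines and flags keys missing the permitopen/no-pty/command restrictions; the sample key lines are constructed and their key blobs are placeholders.

```python
import re

# Constructed sample authorized_keys content; key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
permitopen="10.0.5.24:3389",no-pty,command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder1== rsa-key-20180708
permitopen="10.0.5.25:3389",permitopen="10.0.5.25:22",no-pty,command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5placeholder2 bob@home
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABplaceholder3== unrestricted-key
"""
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?')  # name or name="value"

def split_options(line):
    """Split a key line into (options_field, rest); whitespace inside quotes does not end the field."""
    if line.startswith(KEY_TYPES):
        return "", line
    i, quoted = 0, False
    while i < len(line):
        c = line[i]
        if quoted and c == "\\":
            i += 1                      # skip the escaped character inside quotes
        elif c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            break
        i += 1
    return line[:i], line[i:].strip()

def audit_key(line):
    """Check one authorized_keys line for the restrictions a tunnel-only key should carry."""
    opts_field, rest = split_options(line)
    opts = [(m.group(1).lower(), m.group(2)) for m in OPTION_RE.finditer(opts_field)]
    names = {name for name, _ in opts}
    targets = [val for name, val in opts if name == "permitopen" and val]
    parts = rest.split(None, 2)         # keytype, base64 blob, optional comment
    comment = parts[2] if len(parts) > 2 else ""
    findings = []
    if not targets:
        findings.append("no permitopen: forwarding to any host:port allowed")
    elif any("*" in t for t in targets):
        findings.append("wildcard in permitopen target")
    if "no-pty" not in names:
        findings.append("no-pty missing")
    if "command" not in names:
        findings.append("command missing: key may open a shell if the account has one")
    return {"comment": comment, "targets": targets, "findings": findings}

def audit_file(text):
    """Audit every key line in an authorized_keys text, skipping blanks and comments."""
    return [audit_key(l.strip()) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
```

Keys with an empty findings list are restricted to the listed host:port targets; the third sample line shows an unrestricted key that such a file should not contain.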
Title: Re: ssh permitopen no longer possible in version 18.7.x
Post by: s.simma on March 19, 2019, 07:54:35 am
I'll try the following:
1. create a user group "service"
2. assign my remote "service-user" to this user group with (/bin/sh)
3. assign "wheel, <new user group>" to the SSH login group

I think this could solve my problem,
but I have to wait for the weekend.
Title: Re: ssh permitopen no longer possible in version 18.7.x
Post by: franco on March 19, 2019, 08:04:22 am
Hi siegi,

Ah, I see. Yes, you need the group assignment to be able to get a real shell regardless of what is in the authorized file, otherwise it's only SCP access. It should work with an arbitrary group for your "pass-through" users and assigning it there.

Thanks for explaining and looking into it. Happy to hear your results next week. :)


Cheers,
Franco
Title: [SOLVED] Re: ssh permitopen no longer possible in version 18.7.x
Post by: s.simma on April 02, 2019, 01:37:33 pm
Yes, that solves the problem.
Title: Re: [SOLVED] ssh permitopen no longer possible in version 18.7.x
Post by: franco on April 03, 2019, 11:09:48 am
Yay, thanks for the feedback. \o/


Cheers,
Franco