OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: chemlud on June 03, 2016, 10:38:57 am

Title: No login at console when root disabled?
Post by: chemlud on June 03, 2016, 10:38:57 am
Hi again!

Have here a 16.1.15 i386 full on a notebook, root is disabled, another user is admin on this machine. :-)

Works fine, except that I cannot log in to the console on the notebook monitor when password is activated for log-in. Credentials for the admin user give me in the console:

"This user is currently not available."

Does not matter if the user is logged in via https or not...

Bug or feature? ;-)
Title: Re: No login at console when root disabled?
Post by: fabian on June 03, 2016, 11:08:22 am
The user needs the shell permission.
Title: Re: No login at console when root disabled?
Post by: chemlud on June 03, 2016, 11:18:09 am
Hi Fabian!

Thanks, that helps a lot! :-D

But when I log in, I get the shell prompt, not the usual 1-9 "shutdown", "reboot", "restart Webinterface" menu. Any way to come to this menu in the console?

regards

chemlud
Title: Re: No login at console when root disabled?
Post by: phoenix on June 03, 2016, 11:33:59 am
Is this user a member of the Admin group?
Title: Re: No login at console when root disabled?
Post by: chemlud on June 03, 2016, 11:36:22 am
Yepp, it's the admin, in group admin.
Title: Re: No login at console when root disabled?
Post by: weust on June 03, 2016, 01:24:36 pm
That behaviour is still normal, sadly.
Title: Re: No login at console when root disabled?
Post by: franco on June 04, 2016, 02:48:20 pm
Ad picked this up in a ticket, I've added a longer comment on how to achieve the essence of what is requested without making the system less secure.

Points:

1) we should not clone root accounts as this has no security benefit

2) the non-root users don't work reliably with the root shell as privilege separation is not good enough

3) sudo ;)


[1] https://github.com/opnsense/core/issues/990
Title: Re: No login at console when root disabled?
Post by: weust on June 04, 2016, 05:27:53 pm
But does sudo give you the menu where you can select something like upgrade or assigning interfaces, etc?
Title: Re: No login at console when root disabled?
Post by: franco on June 04, 2016, 05:39:24 pm
Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:

# sudo su
Title: Re: No login at console when root disabled?
Post by: chemlud on June 04, 2016, 05:50:44 pm
Hy!

OK, will try! Is there a console in the GUI? Or run from serial console?
Title: Re: No login at console when root disabled?
Post by: weust on June 04, 2016, 06:24:58 pm
Quote from: franco on June 04, 2016, 05:39:24 pm
Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:

# sudo su

Oh, ok. I get what you mean now.
Next I would need LDAP integration as I don't have local accounts except the root account.
At least, last time I tried it didn't work. domain\username or simply username doesn't seem to work like in the webpage.
Title: Re: No login at console when root disabled?
Post by: franco on June 06, 2016, 04:53:02 pm
Something like this would probably be needed for real LDAP-backed accounts:

http://www.padl.com/OSS/pam_ldap.html
Title: Re: No login at console when root disabled?
Post by: weust on June 06, 2016, 06:53:39 pm
If it's possible to create a package for that, then it will really help me.

At work I can log in with my Windows Domain account on SLES servers.
No doubt the same software or something similar.
Works great.
Title: Re: No login at console when root disabled?
Post by: franco on June 06, 2016, 06:55:56 pm
It's there under security/pam_ldap, I can add it to the packages for 16.1.17.
Title: Re: No login at console when root disabled?
Post by: weust on June 06, 2016, 07:48:56 pm
Cool! Will test it then.
Title: Re: No login at console when root disabled?
Post by: franco on June 07, 2016, 08:46:45 am
Snapshot package available :)

# pkg add https://pkg.opnsense.org/snapshots/pam_ldap-1.8.6_3.txz
Title: Re: No login at console when root disabled?
Post by: weust on June 07, 2016, 09:41:31 am
Awesome! Will try it out tonight.

Thanks a lot.
Title: Re: No login at console when root disabled?
Post by: weust on June 07, 2016, 10:38:17 pm
Got the package installed, but finding a useful how to or documentation (that isn't 10+ years old) is damn hard.

After installing it tells you to copy a .dist file to a different name, edit it and create a file to which you add one line.
That's it. No clue on whether that is enough or how to login.
I tried it all. Just the username (as I use on the webconf), domain\username, username@domain.org.

And the usual plain password in a text file. Unbelievable...
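The "plain password in a text file" weust runs into is the `bindpw` line in pam_ldap's ldap.conf, which is normally readable by every local process. PADL's ldap.conf documents an alternative for processes running as root (which is what PAM login does): set `rootbinddn` and keep the password in a separate `/etc/ldap.secret` that only root can read. The following is an added example, not code from the thread or from the pam_ldap project: a small audit that flags a `bindpw` in a group- or world-readable config and checks that the secret file, when `rootbinddn` is used, is owner-only. The config path `/usr/local/etc/ldap.conf` and the secret path `/etc/ldap.secret` are assumptions for this example.

```sh
#!/bin/sh
# Added example (not from the thread or pam_ldap): audit a PADL pam_ldap
# ldap.conf for an exposed bind password.
# Assumptions: config at /usr/local/etc/ldap.conf, secret at /etc/ldap.secret
# (the file PADL's rootbinddn mechanism reads the password from).

# file_mode FILE: print the 10-character symbolic mode, e.g. -rw-r--r--
# (portable: avoids the differing GNU/BSD stat(1) flags).
file_mode() { ls -ld "$1" | cut -c1-10; }

# owner_only FILE: 0 if neither group nor others can read the file.
# Positions 5 and 8 of the mode string are the group and other read bits.
owner_only() {
  case "$(file_mode "$1")" in
    ????-??-??) return 0 ;;
    *)          return 1 ;;
  esac
}

# audit_ldap_conf CONF [SECRET]: 0 = acceptable, 1 = bind password exposed.
audit_ldap_conf() {
  conf="$1"
  secret="${2:-/etc/ldap.secret}"
  # Weak setting: "bindpw" in a config that other local users can read.
  if grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$conf" && ! owner_only "$conf"; then
    echo "bindpw present in group/world-readable $conf" >&2
    return 1
  fi
  # Corrected setting: "rootbinddn" moves the password to SECRET, which must
  # exist and be readable by root only.
  if grep -Eq '^[[:space:]]*rootbinddn[[:space:]]' "$conf"; then
    if [ ! -f "$secret" ]; then
      echo "rootbinddn set but $secret is missing" >&2
      return 1
    fi
    if ! owner_only "$secret"; then
      echo "$secret is readable by group/others" >&2
      return 1
    fi
  fi
  return 0
}
```

Running `audit_ldap_conf /usr/local/etc/ldap.conf` after editing the copied config gives a quick yes/no before the first login attempt; the password is still stored on disk either way, but in the second form only root (and therefore the login process) can read it, which is the most pam_ldap itself offers.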
Title: Re: No login at console when root disabled?
Post by: chemlud on June 27, 2016, 11:56:00 am
Hi!

Logging in the serial console as a non-root admin user and then doing

Code:
su
and your password gives the 0-13 menu options for reboot etc :-D