OPNsense Forum

Archive => 15.7 Legacy Series => Topic started by: bcjenkins on July 08, 2015, 03:24:35 pm

Title: [SOLVED] Unable to add user with shell access
Post by: bcjenkins on July 08, 2015, 03:24:35 pm
I have added a user, ssh key, admin privileges, and shell access via the web gui. The user is not being allowed to login with the following error:
Quote:
    NO LOGINS: System going down at 10:32

    pam_nologin: pam_sm_acct_mgmt: Administrator refusing you: /var/run/nologin

    Connection closed by

I ssh into the firewall with root and I am able to see that my new user is not added to the group I created for SSH, nor wheel. I do see that the auth key is there along with the proper shell /bin/csh.

Is there something else needed?

--bcj
Title: Re: [BUG] - Unable to add user with shell access
Post by: franco on July 08, 2015, 04:24:39 pm
Funky. Workaround is:

# rm /var/run/nologin

Will need to see why this pops up now before designing a permanent fix.
Title: Re: [BUG] - Unable to add user with shell access
Post by: franco on July 08, 2015, 06:24:49 pm
Looks like getting rid of clearing out /var/run at boot up caused this file to linger in the directory. shutdown seems to add the file, but doesn't remove it or the system has no chance to remove it. I don't know which it is, but it's not what the manual says. Will add a delete of the file on boot up for now, but I don't like it. I know little about that FreeBSD utility to give a definitive answer at this point.
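One way to do the boot-time cleanup described above while making sure the marker really is left over from a previous shutdown rather than from a shutdown that is in progress. This is an added example, not OPNsense's own code; the helper names, the sysctl/proc lookup of the boot time and the /var/run/nologin default path are assumptions.

```shell
#!/bin/sh
# Added example: remove /var/run/nologin only when it predates the current boot.
# Not OPNsense code; helper names and the boot-time lookups are assumptions.

# Print a file's mtime as a Unix epoch (FreeBSD stat and GNU stat differ).
file_mtime() {
    case "$(uname -s)" in
        FreeBSD) stat -f %m "$1" ;;
        *)       stat -c %Y "$1" ;;
    esac
}

# Print the epoch of the current boot.
boot_epoch() {
    case "$(uname -s)" in
        FreeBSD) sysctl -n kern.boottime | sed 's/.*{ sec = \([0-9]*\),.*/\1/' ;;
        *)       awk '/^btime/ { print $2 }' /proc/stat ;;
    esac
}

# Return 0 when $1 exists and was last modified before boot epoch $2,
# i.e. it is a leftover from an earlier shutdown that still blocks non-root logins.
nologin_is_stale() {
    file="$1"; boot="$2"
    [ -f "$file" ] || return 1
    mtime=$(file_mtime "$file") || return 1
    [ "$mtime" -lt "$boot" ]
}

# Delete the marker only when stale; a fresh one means shutdown is running right now.
clear_stale_nologin() {
    file="${1:-/var/run/nologin}"
    if nologin_is_stale "$file" "$(boot_epoch)"; then
        rm -f "$file" && echo "removed stale $file"
    fi
}
```

Run clear_stale_nologin from an rc script early in boot; a marker written by a shutdown that is still in progress is left alone because its mtime is newer than the boot time.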
Title: Re: [WORKAROUND] Unable to add user with shell access
Post by: bcjenkins on July 09, 2015, 03:07:08 am
Thanks, I will try this out.
Title: Re: [WORKAROUND] Unable to add user with shell access
Post by: franco on July 09, 2015, 07:09:04 am
A workaround is in place for 15.7.2, but I need to take this to FreeBSD.

https://github.com/opnsense/core/issues/245
Title: Re: [WORKAROUND] Unable to add user with shell access
Post by: bcjenkins on July 10, 2015, 02:27:55 pm
I can confirm the workaround works, but there is still an issue with proper group membership.

/etc/inc/auth.inc contains:

    /* admins access gives wheely rights */
    if (userHasPrivilege($user, 'page-all')) {
        $user_group = 'wheel';
    }

However my user is only in admins and the custom group I set up for ssh_users. The user is not able to sudo as a result.
Title: Re: [WORKAROUND] Unable to add user with shell access
Post by: franco on July 10, 2015, 04:20:44 pm
If that's the case then there is something wrong with the groups -> rights mappings. If you assign shell access directly to the user, does it work then?
Title: Re: [WORKAROUND] Unable to add user with shell access
Post by: bcjenkins on July 10, 2015, 09:37:36 pm
The ssh works, I am in the right groups and can now connect. What I can't do is sudo commands. I am trying to not rely on the root logon for anything.

There isn't a /etc/sudoers file (is that what's needed on BSD?). I did add my user to wheel manually and it didn't have any effect.
Title: Re: [WORKAROUND] Unable to add user with shell access
Post by: franco on July 10, 2015, 10:31:20 pm
`su' works out of the box, that's what wheel is for originally. `sudo' is a port, so the config file is under /usr/local/etc/sudoers. In any case, you should rather use `visudo' to edit the config.

Last piece of the puzzle: the standard sudo config is not to allow it for wheel. We do not configure sudo. Pick the appropriate authentication level yourself. :)

At some point we'll add it to the GUI, but the standard will always be off by default.