Messages

I've created a test user with default shell /usr/local/bin/bash
While doing that I noticed that bash was not in /etc/shells. I think that's odd. Anyway, I added bash manually.


Tested a login via SSH to confirm that the user has bash as the login shell. :thumbs_up:

Rebooted.

Found that the test user nolonger exists on the system.  :(
Found that /etc/shells has forgotten about /usr/local/bin/bash   :-\

PS: User shell can be manipulated here temporarily... https://github.com/opnsense/core/blob/c14000892b603a70c931aca44db01021e49d12d8/src/etc/inc/auth.inc#L442

I don't feel confident enough to start mucking about that deep in the code. ;D

Have you tried to add a separate user from the command line? It may be that it is flushed on reboot, but I'm not entirely sure.

I'll try that too as a test. I'm not keen on creating users that I don't need/use. They get forgotten about and become a security risk. I'll run some tests this week and will let you know.

[dnsmasq]

More concerning, though, I checked the contents of /usr/local/etc/unbound/unbound.conf and none of my selected options were unchecked in the config file. So, now I am wondering if I am even looking at the right place. Is the config file used at all, are these options passed in the command line at startup, or is there another config file I should be inspecting?

I had a similar "problem" trying to understand the implementation of dnsmasq. None of its config files seemed to reflect the settings I had selected in the GUI. I then noticed (using ps aux I think) that the options I selected in the GUI are being passed directly to dnsmasq as command options.
I haven't had time to experiment with unbound but I'm guessing the same may be happening there.

For dnsmasq I just added an extra option in the GUI under Dnsmasq > Settings > Advanced : conf-dir=/usr/local/etc/dnsmasq.d/,*.conf. This allows me to add any additonal options I want in a separate file.

Hope this helps.

[ssh-copy-id]

Yes. I transfer the SSH key using ssh-copy-id so it should end up in ~/.ssh/authorized_keys

Do it via the GUI: In Access -> Users you can paste the public key file into the text field. This will work.

Cool. Didn't realize that. I'll give it a try.

[ssh-copy-id]

This may be related but I don't consider this a problem: I also noticed that I needed to renew my SSH authorisation.

SSH keys must be stored in the user configuration.
Please note that this may change in the future.

Yes. I transfer the SSH key using ssh-copy-id so it should end up in ~/.ssh/authorized_keys

Is there a way to prevent the login-shell from reverting to the installer default?

No, this is the expected behaviour. System users are managed by OPNsense and that is the reason why any manual change will not survive.
Shell settings must be added to the user in the GUI (legacy) system (needs some programming).

OK.  :-\

[bash]

I've installed bash and set the login-shell of my administrative user (admin) to it thusly:

Code Select Expand


sudo sh
chsh -s /usr/local/bin/bash admin


This works great. However, after a reboot the login-shell has changed back to /bin/csh.

This may be related but I don't consider this a problem: I also noticed that I needed to renew my SSH authorisation.

Is there a way to prevent the login-shell from reverting to the installer default?

I've decided to create /etc/rc.conf and add

Code Select Expand

nfs_client_enable="YES"
to it.

This works and NFS mounts can be mounted after

Code Select Expand

service nfsclient start

[/etc/fstab]

I would like to be able to mount an NFS share from one of the Debian-servers (boson) on my LAN. I've added a line to /etc/fstab:

Code Select Expand


boson:/srv/array1/rbin/firebin  /home/admin/bin   nfs   rw   0   0


According to the "Hardened BSD Handbook" (https://hardenedbsd.org/~shawn/hbsd_handbook/book.html#network-nfs) I should also activate the NFS-client. This should be done in /etc/rc.conf.

On OPNsense: I assume I should create a file in /usr/local/rc.d containing

Code Select Expand

nfs_client_enable="YES" which should override one of these settings:

Code Select Expand


$ cat /etc/defaults/rc.conf |grep nfs
netfs_types="nfs:NFS smbfs:SMB" # Net filesystems.
nfs_client_enable="NO" # This host is an NFS client (or NO).
nfs_access_cache="60" # Client cache timeout in seconds
nfs_server_enable="NO" # This host is an NFS server (or NO).
nfs_server_flags="-u -t" # Flags to nfsd (if enabled).
nfs_server_managegids="NO" # The NFS server maps gids for AUTH_SYS (or NO).
nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO).
nfs_bufpackets="" # bufspace (in packets) for client
nfsv4_server_enable="NO" # Enable support for NFSv4
nfscbd_enable="NO" # NFSv4 client side callback daemon
nfscbd_flags="" # Flags for nfscbd
nfsuserd_enable="NO" # NFSv4 user/group name mapping daemon
nfsuserd_flags="" # Flags for nfsuserd


Is that correct? Or should I create /etc/rc.conf  itself?

OK

Code Select Expand

% time sudo pkg update -f
Updating OPNsense repository catalogue...
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01
Fetching packagesite.txz: 100%  126 KiB 128.8kB/s    00:01
Processing entries: 100%
OPNsense repository update completed. 462 packages processed.
All repositories are up to date.
0.271u 0.085s 0:00.52 67.3% 382+14709k 4+275io 7pf+0w

Code Select Expand

% ping6 -c4 pkg.opnsense.org
PING6(56=40+8+8 bytes) 2001:985:509c:1:20e:c4ff:fed0:9f95 --> 2001:1af8:4900:a01d:1200::2
16 bytes from 2001:1af8:4900:a01d:1200::2, icmp_seq=0 hlim=57 time=6.060 ms
16 bytes from 2001:1af8:4900:a01d:1200::2, icmp_seq=1 hlim=57 time=5.629 ms
16 bytes from 2001:1af8:4900:a01d:1200::2, icmp_seq=2 hlim=57 time=7.547 ms
16 bytes from 2001:1af8:4900:a01d:1200::2, icmp_seq=3 hlim=57 time=5.814 ms

--- pkg.opnsense.org ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.629/6.263/7.547/0.757 ms

Doesn't look problematic.

UPDATE: After a reboot the 'problem' has now disappeared.

Already tried that

Code Select Expand


% sudo opnsense-code src
fatal: Not a git repository (or any of the parent directories): .git

Which surprised me as it does exist.

But where would you advice me to get the kernel sources from?

Code Select Expand

===>  lsof-4.90.q,8 requires kernel sources.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/sysutils/lsof

% sudo opnsense-code tools

Did that.

Code Select Expand


% sudo opnsense-code tools
remote: Counting objects: 1, done.
remote: Total 1 (delta 0), reused 1 (delta 0), pack-reused 0
Unpacking objects: 100% (1/1), done.
From https://github.com/opnsense/tools
   8db0e61..f7ff6ea  master     -> origin/master
Updating 8db0e61..f7ff6ea
Fast-forward
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)


Code Select Expand


% cd /usr/ports/sysutils/tree
% sudo make install
/!\ WARNING /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

===>  License GPLv2 accepted by the user
===>   tree-1.7.0 depends on file: /usr/local/sbin/pkg - found
=> tree-1.7.0.tgz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch ftp://mama.indstate.edu/linux/tree/tree-1.7.0.tgz
tree-1.7.0.tgz                                100% of   45 kB  197 kBps 00m00s
===> Fetching all distfiles required by tree-1.7.0 for building
===>  Extracting for tree-1.7.0
=> SHA256 Checksum OK for tree-1.7.0.tgz.
===>  Patching for tree-1.7.0
===>  Applying FreeBSD patches for tree-1.7.0
===>   tree-1.7.0 depends on executable: gmake - not found
/!\ WARNING /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

===>  License GPLv3 accepted by the user
===>   gmake-4.2.1_1 depends on file: /usr/local/sbin/pkg - found
=> make-4.2.1.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://ftpmirror.gnu.org/make/make-4.2.1.tar.bz2
make-4.2.1.tar.bz2                            100% of 1374 kB 7565 kBps 00m00s
===> Fetching all distfiles required by gmake-4.2.1_1 for building
===>  Extracting for gmake-4.2.1_1
=> SHA256 Checksum OK for make-4.2.1.tar.bz2.
===>  Patching for gmake-4.2.1_1
===>  Applying FreeBSD patches for gmake-4.2.1_1
===>  Configuring for gmake-4.2.1_1
configure: loading site script /usr/ports/Templates/config.site
checking for a BSD-compatible install... /usr/bin/install -c
:
:
: blablabla building stuff blablabla
:
:
gmake[1]: Leaving directory '/usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0'
===>  Staging for tree-1.7.0
===>   Generating temporary packing list
install  -s -m 555 /usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0/tree /usr/obj/usr/ports/sysutils/tree/work/stage/usr/local/bin
install  -m 444 /usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0/doc/*.1 /usr/obj/usr/ports/sysutils/tree/work/stage/usr/local/man/man1
install  -m 0644 /usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0/CHANGES /usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0/README /usr/obj/usr/ports/sysutils/tree/work/stage/usr/local/share/doc/tree
====> Compressing man pages (compress-man)
===>  Installing for tree-1.7.0
===>  Checking if tree already installed
===>   Registering installation for tree-1.7.0
Installing tree-1.7.0...
% tree -dL 1 /
/
|-- bin
|-- boot
|-- conf
|-- dev
|-- etc
|-- home
|-- lib
|-- libexec
|-- media
|-- mnt
|-- proc
|-- rescue
|-- root
|-- sbin
|-- tmp
|-- usr
`-- var

17 directories


:)
The error has turned into a warning and the build works fine. Seems to have worked.

Thanks.

I enabled System > Settings > General : Prefer IPv4 over IPv6
and
re-enabled Firewall > Settings > Advanced : Allow IPv6

Clicking [Update] on System > Firmware > Update : now first returns an error "Firmware status check was aborted internally. Please try again." when the page is opened and with every next click it succeeds "There are no updates available on the selected mirror.". Until I close and re-open the Update page.