Messages - mausy5043

#31
I've created a test user with default shell /usr/local/bin/bash
While doing that I noticed that bash was not in /etc/shells. I think that's odd. Anyway, I added bash manually.


Tested a login via SSH to confirm that the user has bash as the login shell. :thumbs_up:

Rebooted.

Found that the test user no longer exists on the system.  :(
Found that /etc/shells has forgotten about /usr/local/bin/bash   :-\
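An added example, not code from this thread and not OPNsense's own: a portable audit that checks every login shell in a passwd(5)-style file against a shells(5)-style file, which is the check that would have flagged the state described in this post (bash set as a login shell but missing from /etc/shells). The passwd and shells files it reads are constructed samples written by write_samples, not copied from a live firewall; treating any shell ending in "nologin" as deliberately unregistered is my assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from OPNsense: audit a passwd(5)-style
# file against a shells(5)-style file and flag accounts whose login shell is
# not registered. Both input files are constructed samples written by
# write_samples; nothing here is copied from a live system.

# check_shells PASSWD SHELLS
# Prints one line per account: "<user> <shell> ok|UNREGISTERED|skipped-nologin".
# Returns 1 if any interactive shell is missing from SHELLS.
# Assumption: accounts whose shell ends in "nologin" are deliberately absent
# from /etc/shells (shells(5) lists only shells a user may select with chsh).
check_shells() {
    awk -F: '
        BEGIN { bad = 0 }
        # First file (shells): one path per line, "#" comments and blanks ignored.
        NR == FNR {
            if ($0 ~ /^#/ || $0 == "") next
            shells[$1] = 1
            next
        }
        # Second file (passwd): field 7 is the login shell.
        {
            if ($7 ~ /nologin$/)      status = "skipped-nologin"
            else if ($7 in shells)    status = "ok"
            else { status = "UNREGISTERED"; bad = 1 }
            print $1, $7, status
        }
        END { exit bad }
    ' "$2" "$1"
}

# write_samples DIR: constructed sample data, not real OPNsense files.
write_samples() {
    mkdir -p "$1"
    # shells(5) as shipped: bash is missing, the state the post describes.
    printf '%s\n' '# $FreeBSD$' '/bin/sh' '/bin/csh' '/bin/tcsh' > "$1/shells.default"
    # shells(5) after appending the bash port's path by hand.
    printf '%s\n' '/bin/sh' '/bin/csh' '/bin/tcsh' '/usr/local/bin/bash' > "$1/shells.fixed"
    printf '%s\n' \
        'root:*:0:0:Charlie &:/root:/bin/csh' \
        'admin:*:1000:1000:System Administrator:/home/admin:/usr/local/bin/bash' \
        'nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin' \
        > "$1/passwd"
}

main() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "== passwd vs. shells.default (bash not listed)"
    check_shells "$dir/passwd" "$dir/shells.default" \
        || echo "-> unregistered shell(s): chsh(1) refuses them for non-root users"
    echo "== passwd vs. shells.fixed"
    check_shells "$dir/passwd" "$dir/shells.fixed" && echo "-> all registered"
    rm -rf "$dir"
}
main
```

On the firewall itself the same function runs as `check_shells /etc/passwd /etc/shells`; a non-zero exit after a reboot is a quick way to notice that a hand-edited /etc/shells or a manually chsh'ed account has been regenerated.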
#32
Quote from: franco on January 28, 2018, 09:33:47 PM
PS: User shell can be manipulated here temporarily... https://github.com/opnsense/core/blob/c14000892b603a70c931aca44db01021e49d12d8/src/etc/inc/auth.inc#L442

I don't feel confident enough to start mucking about that deep in the code. ;D

#33
Quote from: franco on January 28, 2018, 09:32:40 PM

Have you tried to add a separate user from the command line? It may be that it is flushed on reboot, but I'm not entirely sure.


I'll try that too as a test. I'm not keen on creating users that I don't need/use. They get forgotten about and become a security risk. I'll run some tests this week and will let you know.
#34
Quote from: SecAficionado on January 27, 2018, 11:01:28 PM
More concerning, though, I checked the contents of /usr/local/etc/unbound/unbound.conf and none of my selected options were unchecked in the config file. So, now I am wondering if I am even looking at the right place. Is the config file used at all, are these options passed in the command line at startup, or is there another config file I should be inspecting?

I had a similar "problem" trying to understand the implementation of dnsmasq. None of its config files seemed to reflect the settings I had selected in the GUI. I then noticed (using ps aux I think) that the options I selected in the GUI are being passed directly to dnsmasq as command options.
I haven't had time to experiment with unbound but I'm guessing the same may be happening there.

For dnsmasq I just added an extra option in the GUI under Dnsmasq > Settings > Advanced : conf-dir=/usr/local/etc/dnsmasq.d/,*.conf. This allows me to add any additional options I want in a separate file.

Hope this helps.
#35
Quote from: fabian on January 28, 2018, 03:41:47 PM
Quote from: mausy5043 on January 28, 2018, 03:38:56 PM
Yes. I transfer the SSH key using ssh-copy-id so it should end up in ~/.ssh/authorized_keys

Do it via the GUI: In Access -> Users you can paste the public key file into the text field. This will work.

Cool. Didn't realize that. I'll give it a try.
#36
Quote from: fabian on January 28, 2018, 03:27:31 PM
Quote from: mausy5043 on January 28, 2018, 02:14:13 PM
This may be related but I don't consider this a problem: I also noticed that I needed to renew my SSH authorisation.
SSH keys must be stored in the user configuration.
Please note that this may change in the future.
Yes. I transfer the SSH key using ssh-copy-id so it should end up in ~/.ssh/authorized_keys

Quote from: fabian on January 28, 2018, 03:27:31 PM
Quote from: mausy5043 on January 28, 2018, 02:14:13 PM
Is there a way to prevent the login-shell from reverting to the installer default?
No, this is the expected behaviour. System users are managed by OPNsense and that is the reason why any manual change will not survive.
Shell settings must be added to the user in the GUI (legacy) system (needs some programming).
OK.  :-\
#37
I've installed bash and set the login-shell of my administrative user (admin) to it thusly:

sudo sh
chsh -s /usr/local/bin/bash admin


This works great. However, after a reboot the login-shell has changed back to /bin/csh.

This may be related but I don't consider this a problem: I also noticed that I needed to renew my SSH authorisation.

Is there a way to prevent the login-shell from reverting to the installer default?
#38
17.7 Legacy Series / Re: Enable NFS client mode
January 27, 2018, 01:21:48 PM
I've decided to create /etc/rc.conf and add
nfs_client_enable="YES"
to it.

This works and NFS mounts can be mounted after
service nfsclient start
#39
17.7 Legacy Series / Enable NFS client mode
January 27, 2018, 11:49:10 AM
I would like to be able to mount an NFS share from one of the Debian-servers (boson) on my LAN. I've added a line to /etc/fstab:


boson:/srv/array1/rbin/firebin  /home/admin/bin   nfs   rw   0   0


According to the "Hardened BSD Handbook" (https://hardenedbsd.org/~shawn/hbsd_handbook/book.html#network-nfs) I should also activate the NFS-client. This should be done in /etc/rc.conf.

On OPNsense: I assume I should create a file in /usr/local/rc.d containing nfs_client_enable="YES" which should override one of these settings:

$ cat /etc/defaults/rc.conf |grep nfs
netfs_types="nfs:NFS smbfs:SMB" # Net filesystems.
nfs_client_enable="NO" # This host is an NFS client (or NO).
nfs_access_cache="60" # Client cache timeout in seconds
nfs_server_enable="NO" # This host is an NFS server (or NO).
nfs_server_flags="-u -t" # Flags to nfsd (if enabled).
nfs_server_managegids="NO" # The NFS server maps gids for AUTH_SYS (or NO).
nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO).
nfs_bufpackets="" # bufspace (in packets) for client
nfsv4_server_enable="NO" # Enable support for NFSv4
nfscbd_enable="NO" # NFSv4 client side callback daemon
nfscbd_flags="" # Flags for nfscbd
nfsuserd_enable="NO" # NFSv4 user/group name mapping daemon
nfsuserd_flags="" # Flags for nfsuserd


Is that correct? Or should I create /etc/rc.conf itself?
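An added example for the question above and the answer in the previous post (#38), not code from this thread or from FreeBSD/OPNsense: it emulates the order in which rc.subr(8) reads rc configuration so you can see which file ends up defining nfs_client_enable. The assumed order, last definition wins, is /etc/defaults/rc.conf, then the files named in rc_conf_files (/etc/rc.conf and /etc/rc.conf.local), then /etc/rc.conf.d/<service>; the per-service directory form that newer releases also read is left out. All files are constructed samples under a temporary root, mirroring the defaults quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD/OPNsense: emulate the
# rc.subr(8) load order to show which file "wins" for an rc variable.
# Assumed order (last definition wins): /etc/defaults/rc.conf, then
# /etc/rc.conf and /etc/rc.conf.local, then /etc/rc.conf.d/<service>.
# The layout is built from constructed sample files under a temp root.

# rc_effective ROOT VAR SERVICE
# Prints the value VAR has once every file in the assumed order has been read,
# or "<unset>" if none of them defines it.
rc_effective() {
    root=$1 var=$2 svc=$3
    (
        # Subshell: the sourced assignments must not leak into the caller.
        for f in "$root/etc/defaults/rc.conf" "$root/etc/rc.conf" \
                 "$root/etc/rc.conf.local" "$root/etc/rc.conf.d/$svc"; do
            [ -r "$f" ] && . "$f"
        done
        eval "printf '%s\\n' \"\${$var:-<unset>}\""
    )
}

# write_layout ROOT: constructed files, mirroring the defaults quoted above.
write_layout() {
    mkdir -p "$1/etc/defaults" "$1/etc/rc.conf.d"
    cat > "$1/etc/defaults/rc.conf" <<'EOF'
nfs_client_enable="NO"   # This host is an NFS client (or NO).
nfs_server_enable="NO"   # This host is an NFS server (or NO).
EOF
    # The override the previous post settled on.
    cat > "$1/etc/rc.conf" <<'EOF'
nfs_client_enable="YES"
EOF
}

main() {
    root=$(mktemp -d)
    write_layout "$root"
    echo "defaults + /etc/rc.conf -> nfs_client_enable=$(rc_effective "$root" nfs_client_enable nfsclient)"
    echo "never overridden        -> nfs_server_enable=$(rc_effective "$root" nfs_server_enable nfsclient)"
    # A per-service file is read last, so it beats /etc/rc.conf.
    printf 'nfs_client_enable="NO"\n' > "$root/etc/rc.conf.d/nfsclient"
    echo "plus rc.conf.d/nfsclient -> nfs_client_enable=$(rc_effective "$root" nfs_client_enable nfsclient)"
    rm -rf "$root"
}
main
```

On a real FreeBSD-based host you do not need the emulation: `sysrc -n nfs_client_enable` prints the effective value, and the emulation is only useful for reasoning about which of several files is shadowing another.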
#40
17.7 Legacy Series / Re: Firmware update fails
January 24, 2018, 06:41:51 PM
OK
#41
17.7 Legacy Series / Re: Firmware update fails
January 23, 2018, 07:51:20 PM
% time sudo pkg update -f
Updating OPNsense repository catalogue...
Fetching meta.txz: 100%    1 KiB   1.5kB/s    00:01
Fetching packagesite.txz: 100%  126 KiB 128.8kB/s    00:01
Processing entries: 100%
OPNsense repository update completed. 462 packages processed.
All repositories are up to date.
0.271u 0.085s 0:00.52 67.3% 382+14709k 4+275io 7pf+0w


% ping6 -c4 pkg.opnsense.org
PING6(56=40+8+8 bytes) 2001:985:509c:1:20e:c4ff:fed0:9f95 --> 2001:1af8:4900:a01d:1200::2
16 bytes from 2001:1af8:4900:a01d:1200::2, icmp_seq=0 hlim=57 time=6.060 ms
16 bytes from 2001:1af8:4900:a01d:1200::2, icmp_seq=1 hlim=57 time=5.629 ms
16 bytes from 2001:1af8:4900:a01d:1200::2, icmp_seq=2 hlim=57 time=7.547 ms
16 bytes from 2001:1af8:4900:a01d:1200::2, icmp_seq=3 hlim=57 time=5.814 ms

--- pkg.opnsense.org ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 5.629/6.263/7.547/0.757 ms


Doesn't look problematic.

UPDATE: After a reboot the 'problem' has now disappeared.
#42
17.7 Legacy Series / Re: Can't find packages
January 23, 2018, 07:39:53 PM
Already tried that


% sudo opnsense-code src
fatal: Not a git repository (or any of the parent directories): .git

Which surprised me as it does exist.
#43
17.7 Legacy Series / Re: Can't find packages
January 23, 2018, 06:52:21 PM
But where would you advise me to get the kernel sources from?

===>  lsof-4.90.q,8 requires kernel sources.
*** Error code 1

Stop.
make[1]: stopped in /usr/ports/sysutils/lsof
#44
17.7 Legacy Series / Re: Can't find packages
January 23, 2018, 05:52:31 PM
Quote from: franco on January 22, 2018, 09:40:11 PM
% sudo opnsense-code tools

Did that.

% sudo opnsense-code tools
remote: Counting objects: 1, done.
remote: Total 1 (delta 0), reused 1 (delta 0), pack-reused 0
Unpacking objects: 100% (1/1), done.
From https://github.com/opnsense/tools
   8db0e61..f7ff6ea  master     -> origin/master
Updating 8db0e61..f7ff6ea
Fast-forward
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)



% cd /usr/ports/sysutils/tree
% sudo make install
/!\ WARNING /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

===>  License GPLv2 accepted by the user
===>   tree-1.7.0 depends on file: /usr/local/sbin/pkg - found
=> tree-1.7.0.tgz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch ftp://mama.indstate.edu/linux/tree/tree-1.7.0.tgz
tree-1.7.0.tgz                                100% of   45 kB  197 kBps 00m00s
===> Fetching all distfiles required by tree-1.7.0 for building
===>  Extracting for tree-1.7.0
=> SHA256 Checksum OK for tree-1.7.0.tgz.
===>  Patching for tree-1.7.0
===>  Applying FreeBSD patches for tree-1.7.0
===>   tree-1.7.0 depends on executable: gmake - not found
/!\ WARNING /!\

Ports Collection support for your FreeBSD version has ended, and no ports are
guaranteed to build on this system. Please upgrade to a supported release.

===>  License GPLv3 accepted by the user
===>   gmake-4.2.1_1 depends on file: /usr/local/sbin/pkg - found
=> make-4.2.1.tar.bz2 doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch http://ftpmirror.gnu.org/make/make-4.2.1.tar.bz2
make-4.2.1.tar.bz2                            100% of 1374 kB 7565 kBps 00m00s
===> Fetching all distfiles required by gmake-4.2.1_1 for building
===>  Extracting for gmake-4.2.1_1
=> SHA256 Checksum OK for make-4.2.1.tar.bz2.
===>  Patching for gmake-4.2.1_1
===>  Applying FreeBSD patches for gmake-4.2.1_1
===>  Configuring for gmake-4.2.1_1
configure: loading site script /usr/ports/Templates/config.site
checking for a BSD-compatible install... /usr/bin/install -c
:
:
: blablabla building stuff blablabla
:
:
gmake[1]: Leaving directory '/usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0'
===>  Staging for tree-1.7.0
===>   Generating temporary packing list
install  -s -m 555 /usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0/tree /usr/obj/usr/ports/sysutils/tree/work/stage/usr/local/bin
install  -m 444 /usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0/doc/*.1 /usr/obj/usr/ports/sysutils/tree/work/stage/usr/local/man/man1
install  -m 0644 /usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0/CHANGES /usr/obj/usr/ports/sysutils/tree/work/tree-1.7.0/README /usr/obj/usr/ports/sysutils/tree/work/stage/usr/local/share/doc/tree
====> Compressing man pages (compress-man)
===>  Installing for tree-1.7.0
===>  Checking if tree already installed
===>   Registering installation for tree-1.7.0
Installing tree-1.7.0...
% tree -dL 1 /
/
|-- bin
|-- boot
|-- conf
|-- dev
|-- etc
|-- home
|-- lib
|-- libexec
|-- media
|-- mnt
|-- proc
|-- rescue
|-- root
|-- sbin
|-- tmp
|-- usr
`-- var

17 directories


:)
The error has turned into a warning and the build works fine. Seems to have worked.

Thanks.
#45
17.7 Legacy Series / Re: Firmware update fails
January 23, 2018, 05:42:08 PM
I enabled System > Settings > General : Prefer IPv4 over IPv6
and
re-enabled Firewall > Settings > Advanced : Allow IPv6

Clicking [Update] on System > Firmware > Update : now first returns an error "Firmware status check was aborted internally. Please try again." when the page is opened and with every next click it succeeds "There are no updates available on the selected mirror.". Until I close and re-open the Update page.