removed “disable integrated authentication” feature

Started by proctor, Today at 10:04:50 AM

Hi,

What is the idea behind removing this feature?

I used the feature to force Web-GUI login via 2fa, SSH via keys, but allow console login and su for root without 2fa (sudo disabled). So root can't log in (directly) at Web-GUI or SSH (no 2fa and no key). After the update to 25.x I am not able to "su root".

Thanks for some explanation and ideas to get a similar setup again.

Hi there,

The feature was a compatibility shim predating the pam_opnsense integration and it was provided until we moved the access management to MVC/API which prompted all sorts of related cleanups and simplifications of UNIX user management (especially not rendering users that are not even allowed shell access).

One of the problems with disabled integrated authentication is that it downgrades password strength through SSH and for the console.  Console is less risk because you need "physical" access, but the game changes in SSH password authentication which should be avoided.

I usually recommend disabling root and using sudo for the separate admin account:

"sudo su" for the root console
"sudo -s" for a root shell

For physical systems in server racks I enable auto console log in so I don't have to deal with this at all. The rack or the server room should provide enough protection.  ;)

One thing that could be considered missing is a more fine-grained authentication matrix for separate facilities such as sshd, sudo and system which is all tied to web GUI authentication at the moment.

The removal commit for reference:

https://github.com/opnsense/core/commit/514f87adb8

 
Cheers,
Franco

Can we finally have different authentication methods for different users, now?

Use case:

Enforce 2FA for all administrators except root, which keeps password authentication, set an e.g. 40 character password and keep it somewhere safe for emergency access. Like failing time synchronisation.

Kind regards,
Patrick

Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hi franco,

thank you for your explanation and I understand the reason for that decision.

Quote from: franco on Today at 10:38:19 AM
One of the problems with disabled integrated authentication is that it downgrades password strength through SSH and for the console. Console is less risk because you need "physical" access, but the game changes in SSH password authentication which should be avoided.

SSH is limited to ssh-keys, password login is not permitted.

Quote
For physical systems in server racks I enable auto console log in so I don't have to deal with this at all. The rack or the server room should provide enough protection. ;)

My boxes are physical systems but located at customers' places, so auto login is obviously not an option.

Quote from: Patrick M. Hausen on Today at 10:44:18 AM
Enforce 2FA for all administrators except root, which keeps password authentication, set an e.g. 40 character password and keep it somewhere safe for emergency access. Like failing time synchronisation.

That would be a nice solution (and root does not need direct remote access gui/ssh).

Additional use case:

Loading a customer's configuration in a box without internet connection (no ntp server reachable).

Kind regards,
proctor
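
An added example, not part of any post in this thread and not OPNsense code: a shell check that the effective sshd settings really enforce the key-only SSH policy discussed above. The function names and both sample inputs are constructed for illustration; the input format is the "keyword value" output of "sshd -T".

```sh
#!/bin/sh
# Audit effective sshd settings (format of "sshd -T": one lowercase
# "keyword value" pair per line) against a key-only login policy.
audit_sshd_keyonly() {
    awk '
        function flag(msg) { print "FAIL: " msg; bad = 1 }
        $1 == "passwordauthentication" && $2 == "yes" {
            flag("password logins are accepted") }
        # Keyboard-interactive can carry a PAM password prompt.
        ($1 == "kbdinteractiveauthentication" ||
         $1 == "challengeresponseauthentication") && $2 == "yes" {
            flag("keyboard-interactive logins are accepted") }
        $1 == "permitemptypasswords" && $2 == "yes" {
            flag("empty passwords are accepted") }
        $1 == "permitrootlogin" && $2 == "yes" {
            flag("root login is not restricted to keys") }
        $1 == "pubkeyauthentication" && $2 == "no" {
            flag("public key logins are disabled") }
        END { if (!bad) print "OK: key-only policy holds"; exit bad }
    '
}

# Constructed sample: settings that still allow password logins.
sample_weak() {
    cat <<'EOF'
permitrootlogin yes
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords no
EOF
}

# Constructed sample: key-only settings.
sample_keyonly() {
    cat <<'EOF'
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
EOF
}

sample_weak | audit_sshd_keyonly || true
sample_keyonly | audit_sshd_keyonly
```

On a live system the same function can be fed with "sshd -T | audit_sshd_keyonly" run as root; the exit status is non-zero when any finding is reported.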

Disabling root+sudo is straightforward.  There is no need to expose root anywhere (although it's the historic default because it was always pinned to UID 0).

We can consider adding separate authenticator support for system and perhaps sudo and/or sshd but this needs to be considered:

Inheriting settings from web GUI currently set or going out of sync later which can pose a risk of lockout or easy access in the worst case.

I'll look into it in exchange for a ticket on GitHub.


Cheers,
Franco

My problem is strictly with the UI. I'd like to enforce 2FA for all users but one.