Topic: Make upgrade clobbering custom root authorized keys (Read 3643 times)
NOYB
Jr. Member
Posts: 75
Karma: 6
Make upgrade clobbering custom root authorized keys « on: December 16, 2017, 10:29:25 am »
Running make upgrade clobbers custom /root/.ssh/authorized_keys. Reverts it back to some default.
Would not have thought /root would need to be modified.
Is this intended necessary behavior or a bug?
How to prevent and keep the customized authorized keys?
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Make upgrade clobbering custom root authorized keys « Reply #1 on: December 16, 2017, 10:41:03 am »
Hi NOYB,
The pseudo-root account "admin" was merged into the "root" account for clarity. That means the root user will be rewritten according to its user settings, so simply add the authorized keys from the GUI and they will persist.
Cheers,
Franco
NOYB
Jr. Member
Posts: 75
Karma: 6
Re: Make upgrade clobbering custom root authorized keys « Reply #2 on: December 16, 2017, 11:03:52 am »
Okay thanks. But to me that seems more confusing.
To me root is the system, well root. By system I mean the OS level. And not to be used as an application account. Even though an application account may be given root privileges.
Wish you would reconsider their being merged.
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Make upgrade clobbering custom root authorized keys « Reply #3 on: December 16, 2017, 11:25:05 am »
For the purpose of root access through a service operated by the GUI alone, I don't believe out-of-band authorized key management is a secure approach.
Historic context, note the date:
https://github.com/opnsense/core/commit/93397f8
Being able to operate the root user from the GUI makes sense at the very least for resetting and storing the password consistently, not by mere chance linked to "admin". From the GUI, you can scramble the root password or disable root. You can control SSH access to permit root login, all things that would look strange if we cannot restore a consistent system state with the config.xml.
Further improvements have been made with regard to being able to restore an arbitrary admin user acting as root using sudo subsequently, accessing the root menu via "sudo su" and so forth. With the advent of 2FA, even the root account can be used with 2FA from the console or SSH through integrated authentication. It's really cool and flexible and consistently executed: if there are errors, it's a password typo or user setting getting in the way.
Not trying to convince you. I'm only giving you the progression here in the 36 months since that particular commit.
Cheers,
Franco
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Make upgrade clobbering custom root authorized keys « Reply #4 on: December 16, 2017, 11:38:19 am »
PS: There is also ~/.ssh/authorized_keys2 as long as OpenSSH continues to support it.
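Added example, not part of the thread and not OPNsense code: the replies say root's authorized_keys is rewritten from the user settings and that ~/.ssh/authorized_keys2 is also read, so this script lists keys in either file that are missing from the managed set. The managed-keys export file, the function names and the sample keys are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not OPNsense code. Reports keys that sshd would accept for an
# account but that are not in the managed set (the keys stored in the user's
# GUI settings, exported to a file by the operator: an assumption).

# Print "type blob" per key line, ignoring options, comments and key labels.
key_ids() {
    awk '
        /^[ \t]*#/ { next }
        {
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) ~ /^AAAA/) {
                    print $i, $(i + 1); next
                }
        }' "$@"
}

# unmanaged_keys MANAGED_FILE SSH_DIR
unmanaged_keys() {
    managed=$1; dir=$2
    for f in "$dir/authorized_keys" "$dir/authorized_keys2"; do
        [ -f "$f" ] || continue
        key_ids "$f" | while read -r id; do
            key_ids "$managed" | grep -Fxq -- "$id" || echo "${f##*/}: $id"
        done
    done
}

# Constructed sample data: the blobs are placeholders, not real keys.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/.ssh"
    echo 'ssh-ed25519 AAAAC3ManagedPlaceholder admin@gui' > "$tmp/managed"
    cat > "$tmp/.ssh/authorized_keys" <<'EOF'
# written from user settings
ssh-ed25519 AAAAC3ManagedPlaceholder root@fw
from="192.0.2.10" ssh-rsa AAAAB3HandAddedPlaceholder ops@laptop
EOF
    echo 'ssh-ed25519 AAAAC3SecondFilePlaceholder old@host' \
        > "$tmp/.ssh/authorized_keys2"
    unmanaged_keys "$tmp/managed" "$tmp/.ssh"
    rm -rf "$tmp"
}

demo
```

Keys are compared on type and blob only, so a managed key with a different comment or added options still counts as managed.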