18.7.4 - Unable to login via ssh - must be root - disconnected by user

[miksib]

Hi,
I'm running a fresh install of OPNsense 18.7.4-amd64
I'm not able to connect to it via ssh for the user mik using his certificate while logging as root (also with the same certificate) it works normally (I get the banner and the initial menù).
User mik only the banner (as you can see below) and the connection immediately is closed (by client-side according to the sshd...)
User mik is a member of wheel and admin group while, has the opnsense-shell as login shell (the same as root)
In the privileges, I can't find anything useful to grant access..
What I'm missing or doing wrong ?
thank you !

The settings are the following
      System -> Settings -> Administration

        Secure Shell Server       X Enable Secure Shell
        Root Login             X Permit root user login
        Authentication Method      Permit password login
Here what I get trying to login

      mik@air:~/.ssh$ ssh -i id_rsa mik@10.1.1.206
      Last login: Wed Oct 17 22:18:15 2018 from 10.1.1.111
      ----------------------------------------------
      |      Hello, this is OPNsense 18.7                      |         @@@@@@@@@@@@@@@
      |                                                                    |        @@@@         @@@@
      | Website:   https://opnsense.org/                      |         @@@\\\   ///@@@
      | Handbook:   https://docs.opnsense.org/       |       ))))))))   ((((((((
      | Forums:   https://forum.opnsense.org/             |         @@@///   \\\@@@
      | Lists:   https://lists.opnsense.org/                 |        @@@@         @@@@
      | Code:      https://github.com/opnsense      |         @@@@@@@@@@@@@@@
      ----------------------------------------------
      Must be root.
      Connection to 10.1.1.206 closed.
      mik@air:~/.ssh$

And here a piece of the general log

      In System -> Log Files -> General

            Oct 17 22:18:16    sshd[36461]: Received disconnect from 10.1.1.111 port 59230:11: disconnected by user
            Oct 17 22:18:12    sshd[36082]: Accepted publickey for mik from 10.1.1.111 port 59230 ssh2: RSA SHA256:DWtI/7Wh
            Oct 17 22:17:52    sshd[32743]: Connection closed by 10.1.1.111 port 59228 [preauth]
            Oct 17 22:17:47    sshd[32350]: Connection closed by 10.1.1.111 port 59226 [preauth]
            Oct 17 22:17:43    sshd[27197]: Server listening on 0.0.0.0 port 2

The tail of the connection attempt using    mik@air:~/.ssh$ ssh -vvv -i id_rsa mik@10.1.1.206

         
         ...
         debug1: Sending env LC_TIME = it_IT.UTF-8
         debug2: channel 0: request env confirm 0
         debug3: send packet: type 98
         debug1: Sending env LC_NAME = it_IT.UTF-8
         debug2: channel 0: request env confirm 0
         debug3: send packet: type 98
         debug3: Ignored env XAUTHORITY
         debug3: Ignored env COLORTERM
         debug3: Ignored env _
         debug2: channel 0: request shell confirm 1
         debug3: send packet: type 98
         debug2: callback done
         debug2: channel 0: open confirm rwindow 0 rmax 32768
         debug3: receive packet: type 99
         debug2: channel_input_status_confirm: type 99 id 0
         debug2: PTY allocation request accepted on channel 0
         debug2: channel 0: rcvd adjust 2097152
         debug3: receive packet: type 99
         debug2: channel_input_status_confirm: type 99 id 0
         debug2: shell request accepted on channel 0
         Last login: Wed Oct 17 22:58:18 2018 from 10.1.1.111
         ----------------------------------------------
         |      Hello, this is OPNsense 18.7          |         @@@@@@@@@@@@@@@
         |                                            |        @@@@         @@@@
         | Website:   https://opnsense.org/        |         @@@\\\   ///@@@
         | Handbook:   https://docs.opnsense.org/   |       ))))))))   ((((((((
         | Forums:   https://forum.opnsense.org/  |         @@@///   \\\@@@
         | Lists:   https://lists.opnsense.org/  |        @@@@         @@@@
         | Code:      https://github.com/opnsense  |         @@@@@@@@@@@@@@@
         ----------------------------------------------
         debug3: receive packet: type 96
         debug2: channel 0: rcvd eof
         debug2: channel 0: output open -> drain
         debug3: receive packet: type 98
         debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
         debug3: receive packet: type 98
         debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
         debug2: channel 0: rcvd eow
         debug2: channel 0: close_read
         debug2: channel 0: input open -> closed
         debug3: receive packet: type 97
         debug2: channel 0: rcvd close
         debug3: channel 0: will not send data after close
         Must be root.
         debug3: channel 0: will not send data after close
         debug2: channel 0: obuf empty
         debug2: channel 0: close_write
         debug2: channel 0: output drain -> closed
         debug2: channel 0: almost dead
         debug2: channel 0: gc: notify user
         debug2: channel 0: gc: user detached
         debug2: channel 0: send close
         debug3: send packet: type 97
         debug2: channel 0: is dead
         debug2: channel 0: garbage collecting
         debug1: channel 0: free: client-session, nchannels 1
         debug3: channel 0: status: The following connections are open:
           #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

         debug3: send packet: type 1
         Connection to 10.1.1.206 closed.
         Transferred: sent 3480, received 3584 bytes, in 0.1 seconds
         Bytes per second: sent 53650.8, received 55254.1
         debug1: Exit status 1
         mik@air:~$

[franco]

Hi there,

opnsense-shell is indeed only for the root user. All other users need to use

# su

(root password)

or

# sudo su

(user password if set)

to reach the root shell menu.

It wouldn't work anyway without root, you need full access over the system.


Cheers,
Franco

[miksib]

Thank you, Franco, I was misunderstanding how easy can be.
Good evening.

[franco]

Hi again,

It's actually a bug that opnsense-shell can be selected for the non-root users and it will be fixed in 18.7.7.

A refactor was not done cleanly. Sorry for the inconvenience.

https://github.com/opnsense/core/commit/bf403ca01cd


Cheers,
Franco