New user for SSH access

Started by hushcoden, August 23, 2020, 07:13:52 PM

I set up a new user for SSH access and was wondering what the different login shell options mean.

TIA.

nologin is the standard shell which means the user can't log in. If you select any other shell the user is able to generally log into the system (not just SSH into it). The FreeBSD standard is csh, sh is a portable alternative or you can manually install bash/zsh and select that if the user is accustomed to it.

This may still be confusing as to why "nologin" is useful. In UNIX terms it means the user is only used for local work (automated tasks or indirect login) so that there is no need to make the user more insecure by adding an option for it to login.


Cheers,
Franco


Can I assign the same shell as the root user, that is, opnsense-shell?

No, the root user is required for opnsense-shell to do privileged operations.

Instead configure sudo for your user and just use

# sudo su

to reach root's opnsense-shell.


Cheers,
Franco

Not sure how to configure sudo, if I run the command I get:
gongo@hush:~ % sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password:
gongo is not in the sudoers file.  This incident will be reported.
gongo@hush:~ %

Sorry, I think I get it 8)

System --> Settings --> Administration --> Authentication --> no password

I'd say that not requesting a password might be convenient, but certainly not safe.
In fact, the way I read it, sudo was more complaining about the fact that the user gongo isn't allowed to use sudo.
In the sudoers file (usually /etc/sudoers, at least on Linux systems) you can define which users are allowed to use sudo in the first place, and furthermore whether they are allowed to acquire superuser privileges.

As an example (since I don't have a sudoers file on my OPNsense box), an excerpt of the contents of my Ubuntu sudoers file:

Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# User privilege specification
root ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

This basically means that any user in the sudo or admin group can gain root privileges.

So you might have to add your user gongo to the admin group.

HTH

Ronald

Hi Ronald,

It really depends on the security model and whether you have admins and regular users on the box. Note that you can also enable 2FA for console (the default is to use whatever the GUI uses).

https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Auth/system.pam#L13

In OPNsense only the wheel group (or another manually specified group) is allowed sudo access, either with (their own) passwords or none.

https://github.com/opnsense/core/blob/master/src/opnsense/service/templates/OPNsense/Auth/sudoers


Cheers,
Franco
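A small check in the spirit of Ronald's sudoers excerpt and Franco's note that OPNsense grants sudo to the wheel group with or without a password, added here as an example and not code from the thread or from OPNsense: it parses a sudoers file for user and %group rules granting ALL and reports whether a given user gets sudo with a password, without one, or not at all. The sample sudoers content, the user name and the group list are constructed; on a real box you would feed /etc/sudoers (or the file OPNsense generates) and the output of `id -Gn user` instead.

```shell
#!/bin/sh
# Constructed sample: Ronald's Ubuntu lines plus an OPNsense-style wheel entry
# with the "no password" option enabled. Not a real file from either system.
SAMPLE_SUDOERS='Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# User privilege specification
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL'

# sudo_entries: read a sudoers file on stdin and print one line per rule of the
# form "NAME ALL=...": "user NAME MODE" or "group NAME MODE", MODE = password|nopasswd.
# Comment lines, Defaults lines and anything else are skipped (no alias/include support).
sudo_entries() {
  awk '
    /^[[:space:]]*(#|Defaults)/ { next }
    NF >= 3 && $2 ~ /^ALL=/ {
      mode = ($0 ~ /NOPASSWD:/) ? "nopasswd" : "password"
      if ($1 ~ /^%/) print "group", substr($1, 2), mode
      else           print "user", $1, mode
    }'
}

# user_sudo_status USER "GROUP ..." < sudoers
# Prints "none", "password" or "nopasswd". A NOPASSWD match wins over a
# password-only match, since that is the weaker of the two settings.
user_sudo_status() {
  user=$1; groups=$2; result=none
  while read -r kind name mode; do
    [ -n "$kind" ] || continue
    match=0
    if [ "$kind" = user ] && [ "$name" = "$user" ]; then match=1; fi
    if [ "$kind" = group ]; then
      for g in $groups; do
        if [ "$g" = "$name" ]; then match=1; fi
      done
    fi
    if [ "$match" = 1 ]; then
      if [ "$mode" = nopasswd ]; then result=nopasswd
      elif [ "$result" = none ]; then result=password; fi
    fi
  done <<EOF
$(sudo_entries)
EOF
  echo "$result"
}

# Demo with the constructed sample: gongo on his own, then gongo added to wheel.
printf '%s\n' "$SAMPLE_SUDOERS" | user_sudo_status gongo "gongo"        # none
printf '%s\n' "$SAMPLE_SUDOERS" | user_sudo_status gongo "gongo wheel"  # nopasswd
```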