Group TOTP Privileges

Started by alfred, November 12, 2020, 10:16:56 AM

Hi all,

I am trying to configure OpenVPN for non-admin users to access LAN resources.

Creating a new group (System: Access: Groups) and assigning "System: User Password Manager" privileges will allow users to log in and change their own password.

Is there a privilege that allows users to view their own OTP QR code or seed? These are non-admin users and should only be able to view their own codes.

Any feedback would be much appreciated.

Cheers,


I just ran into this on 21.1.8 too. Steps to recreate:


  • Create an OpenVPN user following this procedure: https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
  • Edit the user's Effective Privileges to allow only "System: User Manager" so they can log in and obtain their OTP QR code
  • Log out as root and back in as the new user
  • Add user to admins group and click Save

The new user has now given himself access to all pages and full admin privileges on OPNsense. Even before adding himself to the admin group, he is able to edit other users, including the root user. This is unacceptable and forces the administrator to employ longer workarounds for giving QR codes to OpenVPN users. Is there a plan to fix this?
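A quick audit for the escalation path described in the post above (a non-admin account holding "System: User Manager", directly or via a group, can edit other users). This is an added example written for this thread, not code from the poster or the OPNsense project; it assumes the config.xml layout `<system><user>/<group>` with `<priv>` and `<member>` children, and assumes the privilege ids `page-system-usermanager` (System: User Manager) and `page-system-usermanager-passwordmg` (System: User Password Manager); check both ids against your own backup before relying on the result.

```python
"""Flag OPNsense users who can edit other accounts without being admins.
Assumed privilege ids below; the sample config is constructed, not a real backup."""
import xml.etree.ElementTree as ET

USER_MANAGER_PRIV = "page-system-usermanager"              # assumed id
PASSWORD_ONLY_PRIV = "page-system-usermanager-passwordmg"  # assumed id
ADMIN_PRIV = "page-all"

# Constructed sample config.xml (not from any real firewall).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense><system>
  <user><name>root</name><uid>0</uid><priv>page-all</priv></user>
  <user><name>vpn-ok</name><uid>2000</uid>
    <priv>page-system-usermanager-passwordmg</priv></user>
  <user><name>vpn-bad</name><uid>2001</uid>
    <priv>page-system-usermanager</priv></user>
  <user><name>vpn-grp</name><uid>2002</uid></user>
  <group><name>admins</name><priv>page-all</priv><member>0</member></group>
  <group><name>vpn</name><priv>page-system-usermanager</priv>
    <member>2002</member></group>
</system></opnsense>"""


def effective_privs(root):
    """Return {username: set(privs)}: direct privileges plus those inherited
    from every group the user's uid is a member of."""
    system = root.find("system")
    groups = [({m.text for m in g.findall("member")},
               {p.text for p in g.findall("priv")})
              for g in system.findall("group")]
    result = {}
    for u in system.findall("user"):
        privs = {p.text for p in u.findall("priv")}
        uid = u.findtext("uid")
        for members, gprivs in groups:
            if uid in members:
                privs |= gprivs
        result[u.findtext("name")] = privs
    return result


def find_escalation_risks(config_xml):
    """Sorted usernames holding the full user-manager privilege without
    page-all. Password-manager-only users are considered fine."""
    root = ET.fromstring(config_xml)
    return sorted(name for name, privs in effective_privs(root).items()
                  if ADMIN_PRIV not in privs and USER_MANAGER_PRIV in privs)
```

Running `find_escalation_risks` over a real backup (`ET.parse(path).getroot()` in place of `fromstring`) lists the accounts to move to the password-manager-only privilege.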

I spoke too soon. The correct way to do this is outlined here:

https://forum.opnsense.org/index.php?topic=23444.0