[SOLVED] Unable to add user with shell access

Started by bcjenkins, July 08, 2015, 03:24:35 PM

July 08, 2015, 03:24:35 PM Last Edit: July 10, 2015, 10:31:51 PM by franco
I have added a user, ssh key, admin privileges, and shell access via the web GUI. The user is not being allowed to log in, with the following error:
Quote:
NO LOGINS: System going down at 10:32
pam_nologin: pam_sm_acct_mgmt: Administrator refusing you: /var/run/nologin
Connection closed by

I ssh into the firewall with root and I am able to see that my new user is not added to the group I created for SSH, nor wheel. I do see that the auth key is there along with the proper shell /bin/csh.

Is there something else needed?

--bcj

Funky. Workaround is:

# rm /var/run/nologin

Will need to see why this pops up now before designing a permanent fix.

July 08, 2015, 06:24:49 PM #2 Last Edit: July 08, 2015, 06:28:38 PM by franco
Looks like getting rid of clearing out /var/run at boot up caused this file to linger in the directory. shutdown seems to add the file, but doesn't remove it, or the system has no chance to remove it. I don't know which it is, but it's not what the manual says. Will add a delete of the file on boot up for now, but I don't like it. I know too little about that FreeBSD utility to give a definitive answer at this point.



I can confirm the workaround works, but there is still an issue with proper group membership.

/etc/inc/auth.inc contains:
/* admins access gives wheely rights */
if (userHasPrivilege($user, 'page-all')) {
    $user_group = 'wheel';
}


However my user is only in admins and the custom group I set up for ssh_users. The user is not able to sudo as a result.

If that's the case then there is something wrong with the groups -> rights mappings. If you assign shell access directly to the user, does it work then?

The ssh works, I am in the right groups and can now connect. What I can't do is sudo commands. I am trying to not rely on the root logon for anything.

There isn't a /etc/sudoers file (is that what's needed on BSD?) I did add my user to wheel manually and it didn't have any effect.

`su' works out of the box, that's what wheel is for originally. `sudo' is a port, so the config file is under /usr/local/etc/sudoers. In any case, you should rather use `visudo' to edit the config.

Last piece of the puzzle: the standard sudo config is not to allow it for wheel. We do not configure sudo. Pick the appropriate authentication level yourself. :)

At some point we'll add it to the GUI, but the standard will always be off by default.
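
Added example, not part of the original thread and not the project's own code: one way to enable sudo for a group by staging a drop-in file and syntax-checking it with `visudo` before it goes live. The function names, the drop-in directory `/usr/local/etc/sudoers.d` and the password-required rule are assumptions; pick the authentication level that fits your setup.

```shell
#!/bin/sh
# Added example: stage a sudoers drop-in for a group and validate it first.
# The sudoers location follows the FreeBSD port layout named in the thread;
# the drop-in directory below is an assumption.
SUDOERS_DIR="${SUDOERS_DIR:-/usr/local/etc/sudoers.d}"

# Print a rule letting members of group $1 run any command (password required).
# Names with anything but [A-Za-z0-9_-] are rejected: they could smuggle extra
# sudoers syntax into the file, and sudo skips drop-in files containing a '.'.
render_group_rule() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid group name" >&2; return 1 ;;
    esac
    printf '%%%s ALL=(ALL) ALL\n' "$1"
}

# Write the rule to a temp file, check it, then move it into place as 0440.
# Fails closed: nothing is installed if visudo is missing or rejects the file.
install_group_rule() {
    group="$1"
    tmp="$(mktemp)" || return 1
    if ! render_group_rule "$group" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found, refusing to install unchecked rule" >&2
        rm -f "$tmp"; return 1
    fi
    # -c -f checks syntax of the staged file without touching the live config.
    if ! visudo -c -f "$tmp" >/dev/null; then
        rm -f "$tmp"; return 1
    fi
    chmod 0440 "$tmp" && mv "$tmp" "$SUDOERS_DIR/$group"
}

# Usage (as root): install_group_rule wheel
```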