[SOLVED] Can't su; but user is member of wheel and admin

Started by z0rk, November 03, 2018, 11:23:05 PM

OPNsense 18.7.6-amd64
FreeBSD 11.1-RELEASE-p15
LibreSSL 2.7.4

ssh to opnsense; authenticate via key; then:

$ groups my.username
wheel admins
$ su
Password:
su: Sorry
$ su
Password:
su: Sorry
$

Just to be sure the password is correct, I've changed it for 'root' in the GUI. Still no go. What gives?  :'(
OPNsense 24.7.2

Can you try sudo? su does not care about the groups - it asks you for the password of the target user.

Sorry, I am not sure what you're suggesting. I am not trying to use sudo; I am trying to switch user to 'root', so I can access the same options I get when logged in at the console:

0)     Logout                              7)      Ping host
1)     Assign interfaces                   8)      Shell
2)     Set interface(s) IP address         9)      pfTop
3)     Reset the root password             10)     Filter logs
4)     Reset to factory defaults           11)     Restart web interface
5)     Reboot system                       12)     Upgrade from console
6)     Halt system                         13)     Restore a configuration

Maybe I misunderstood you? Thanks, cheers
OPNsense 24.7.2

November 04, 2018, 06:57:02 PM #3 Last Edit: November 04, 2018, 07:00:43 PM by franco
z0rk is correct: wheel is needed for su to work for root:

     PAM is used to set the policy su(1) will use. In particular, by default
     only users in the ``wheel'' group can switch to UID 0 (``root''). This
     group requirement may be changed by modifying the ``pam_group'' section
     of /etc/pam.d/su. See pam_group(8) for details on how to modify this
     setting.

via https://www.freebsd.org/cgi/man.cgi?su

Check your password for typos or special characters as keyboard layouts may differ.

When you have integrated authentication, the password for root follows the web GUI settings, so TOTP, LDAP, etc. work too. This is true for su, ssh et al. when the "disable integrated authentication" setting is off, which is the default.

In a nutshell, it's the same password that you use to *log in as* root on the web GUI, minus encoding issues / keyboard mapping differences mentioned earlier.


Cheers,
Franco
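An added example, not from the thread or from OPNsense: a small POSIX sh check that reads a pam.d/su-style file and a group(5)-style file and reports whether a user passes the pam_group gate quoted above, so a failed su can be attributed either to group membership or to the password/integrated-authentication step that follows it. The file contents and usernames are constructed; the PAM sample is modelled on FreeBSD's default /etc/pam.d/su.

```shell
#!/bin/sh
# Added example (not from the forum thread). Decides whether USER clears the
# pam_group.so gate that su(1) applies before it ever checks a password.
set -u

# su_group_gate PAMFILE GROUPFILE USER
#   returns 0 if USER is a member of the group pam_group.so demands (default
#   "wheel"), 1 if not, 2 if no pam_group line gates su in PAMFILE at all.
su_group_gate() {
    pamfile=$1; groupfile=$2; user=$3
    # Only uncommented "auth" lines that load pam_group.so matter.
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_group\.so' "$pamfile" | head -n 1)
    [ -n "$line" ] || return 2
    group=wheel
    for tok in $line; do
        case $tok in group=*) group=${tok#group=} ;; esac
    done
    # group(5) format: name:password:gid:member1,member2,...
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$groupfile")
    case ",$members," in
        *",$user,"*)
            echo "$user is in '$group': su proceeds to the password prompt"; return 0 ;;
        *)
            echo "$user is not in '$group': su refuses at the pam_group step"; return 1 ;;
    esac
}

# Constructed sample files (hypothetical user names), stand-ins for
# /etc/pam.d/su and /etc/group on the firewall.
tmp=$(mktemp -d)
cat > "$tmp/su" <<'EOF'
# constructed sample modelled on FreeBSD's default /etc/pam.d/su
auth	sufficient	pam_rootok.so	no_warn
auth	sufficient	pam_self.so	no_warn
auth	requisite	pam_group.so	no_warn group=wheel root_only fail_safe ruser
auth	include		system
EOF
cat > "$tmp/group" <<'EOF'
wheel:*:0:root,my.username
admins:*:1999:my.username
EOF
# my.username clears the gate, so a "Sorry" must come from the password step.
su_group_gate "$tmp/su" "$tmp/group" my.username || :
su_group_gate "$tmp/su" "$tmp/group" someone.else || :
rm -rf "$tmp"
```

Membership in "admins" (an OPNsense GUI group) plays no part in the check; only the group named on the pam_group line counts.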

Hey Franco
I did change the password for 'root' to only include upper / lower case characters and numbers.
I've got TOTP enabled for the user account that I use to connect via ssh, but not for 'root'. I don't use 'root' to log in to the web GUI, only my user account. So effectively I can't 'su' because TOTP is not enabled for 'root'?
OPNsense 24.7.2

Yep, enable the checkbox for "Disable integrated authentication" and it'll work as you would expect. :)


Cheers,
Franco

PS: Unless you use 2FA for SSH login of course. Then you're kinda stuck.