Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Group TOTP Privileges
« previous
next »
Print
Pages: [
1
]
Author
Topic: Group TOTP Privileges (Read 2511 times)
alfred
Newbie
Posts: 1
Karma: 0
Group TOTP Privileges
«
on:
November 12, 2020, 10:16:56 am »
Hi all,
I am trying to configure OpenVPN for non-admin users to access LAN resources.
Creating a new group (System: Access: Groups) and assigning "System: User Password Manager" privileges will allow users to log in and change their own password.
Is there a privilege that allows users to view their own OTP QR code or seed? These are non-admin users and should only be able to view their own codes.
Any feedback would be much appreciated.
Cheers,
Logged
clarknova
Full Member
Posts: 101
Karma: 6
Re: Group TOTP Privileges
«
Reply #1 on:
July 16, 2021, 05:13:45 pm »
I just ran into this on 21.1.8 too. Steps to recreate:
Create an OpenVPN user following this procedure:
https://docs.opnsense.org/manual/how-tos/sslvpn_client.html
Edit the user's Effective Privileges to allow only "System: User Manager" so they can log in and obtain their OTP QR code
Log out as root and back in as the new user
Add user to admins group and click Save
The new user has now given himself access to all pages and full admin privileges on OPNsense. Even before adding himself to the admin group, he is able to edit other users, including the root user. This is unacceptable and forces the administrator to employ longer workarounds to giving QR codes to OpenVPN users. Is there a plan to fix this?
Logged
clarknova
Full Member
Posts: 101
Karma: 6
Re: Group TOTP Privileges
«
Reply #2 on:
July 16, 2021, 06:08:52 pm »
I spoke to soon. The correct way to do this is outlined here:
https://forum.opnsense.org/index.php?topic=23444.0
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Virtual private networks
»
Group TOTP Privileges