unable to login via ssh with non-root user

[srich]

Hello,
  I am able to login via ssh as root using password for login.  I have created a group with super-user privileges and a member user with super-user privileges for testing purposes.  The tester via the webgui indicates a successful login attempt, but when I login, I receive a message of the form: 'NO LOGINS: System going down at 22:15 / Administrator refusing you: /var/run/login'  When I login as root, I can switch user to the account I created.  The .login file for my user indicates it is using csh for its login script. as I had setup via the webgui. My intent is to eventually have normal users be able to sftp to and from the machine, but am unable to do so now because of this limitation.  Has anyone experienced this issue prerviously, and does anyone know of a fix or what I have done incorrectly to create the issue?
Thanks in advance.

[srich]

I made a typo in my original post.  I m only able to login via SSH as root, and not as any other user including a user with super-user privileges.  I am running version 21.1.4.  If anyone has any insight into what I might be doing incorrectly, please let me know.
Thanks

[franco]

Hi srich,

You need to assign a shell to this user in their settings.


Cheers,
Franco

[srich]

Hello,
  I did assign csh, yet I still have the problem.  The user's home directory has a  .cshrc file and a .login file indicating that the shell is set correctly (I think), but I still get the issue. 
Thanks

[scot]

Did you set a login group in System>Settings>Administration>Secure Shell.

Create a group, add the user to the group and allow that and wheel to login.

Alternatively you can use the admins group, and just set Wheel,Admins

[srich]

I included the group in login groups for secure shell originally.  The etc/passwd file includes the user with the appropriate home directory and shell; however, above that there is the following entry:
'sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin'  Could this be overriding any users which are listed after that?

[scot]

That is normal. Should not affect anything.

Just make sure the account in question that you setup is correct.

To recap

Create a user account. Create a group account (ie: sshaccess)

Edit user account to have a shell (personally i just use /bin/sh). Add user to group in same page. Add the authorized key if you have one.

Go to System>Settings>Administration>Secure Shell

set the access to wheel,sshaccess

If you arent using key authentication (you should). Check the box to allow password logins. Save.

[srich]

I did all of the above, and still have the issue.  I know that I setup the group and the users correctly becasue I can see the appropriate entries in /etc/passwd (for the shell) and /usr/local/etc/ssh/sshd for the group.  Something else seems to be amiss

[scot]

Is the shell listed next to the user account name in /etc/passwd
IE:

Code: [Select]

cat /etc/passwd | grep username

username:*:uid:gid::/home/username:/bin/sh
And similar in /etc/group

Code: [Select]

cat /etc/group | grep username

groupname:*:gid:username1,username2

I just changed my user to use /bin/csh over /bin/sh. It still works. FWIW i am on 21.1.4 OpenSSL as of today. 21.1.3_3 previously. Orignally installed/upgrade from 20.7

[srich]

etc/group:
family:*:2000:scott,testuser
etc/passwd:
testuser:*:2001:65534:Test User:/home/testuser:/bin/csh

/usr/local/etc/ssh/sshd:
AllowGroups wheel family

Both user scott and user testuser encounter the same issue.

[scot]

So if you run

Code: [Select]

cat /etc/group | grep scott
What is the output

same for

Code: [Select]

cat /etc/group | grep testuser

Also is PasswordAuthentication set to yes or no in /usr/local/etc/ssh/sshd_config?

[srich]

They are the same:

family:*:2000:scott,testuser

[srich]

password authentication is set to yes:

/usr/local/etc/ssh/sshd_config:
AllowGroups wheel family
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes

[Patrick M. Hausen]

OPNsense uses its on PAM module and stores users in a separate database. You did create all settings through the UI, right? Adding a user manually to password and group files won't work.

[srich]

I did everything through the UI per the instructions on the site.  I just verified the settings after the fact.