No login at console when root disabled?

chemlud · June 03, 2016, 10:38:57 AM

Hi again!

Have here a 16.1.15 i386 full on a notebook, root is disabled, another user is admin on this machine. :-)

Works fine, except that I cannot log in to the console on the notebook monitor when password is activated for log-in. Credentials for the admin user gives me in the console:

"This user is currently not available."

Does not matter if the user is logged in via https or not...

Bug or feature? ;-)

fabian · June 03, 2016, 11:08:22 AM

The user needs the shell permission.

chemlud · June 03, 2016, 11:18:09 AM

Hi Fabian!

Thanks, that helps a lot! :-D

But when I log in, I get the shell prompt, not the usual 1-9 "shutdown", "reboot", restart Webinterface" menu. Any way to com to this menu in the console?

regards

chemlud

phoenix · June 03, 2016, 11:33:59 AM

Is this user a member of the Admin group?

chemlud · June 03, 2016, 11:36:22 AM

Yepp, it's the admin, in group admin.

weust · June 03, 2016, 01:24:36 PM

That behaviour is still normal, sadly.

franco · June 04, 2016, 02:48:20 PM

Ad picked this up in a ticket, I've added a longer comment on how to achieve the essence of what is requested without making the system less secure.

Points:

1) we should not clone root accounts as this has no security benefit

2) the non-root users don't work reliably with the root shell as privilege separation is not good enough

3) sudo ;)

[1] https://github.com/opnsense/core/issues/990

weust · June 04, 2016, 05:27:53 PM

But does sudo give you the menu where you can select something like upgrade or assigning interfaces, etc?

franco · June 04, 2016, 05:39:24 PM

Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:

# sudo su

chemlud · June 04, 2016, 05:50:44 PM

Hy!

OK, will try! Is there a console in the GUI? Or run from serial console?

weust · June 04, 2016, 06:24:58 PM

Quote from: franco on June 04, 2016, 05:39:24 PM
Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:

# sudo su

Oh, ok. I get what you mean now.
Next I would need LDAP integration as I don't have local accounts except the root account.
A least, last time I tried it didn't work. domain\username or simply username doesn't seem to work like in the webpage.

franco · June 06, 2016, 04:53:02 PM

Something like this would probably be needed for real LDAP-backed accounts:

http://www.padl.com/OSS/pam_ldap.html

weust · June 06, 2016, 06:53:39 PM

If it's possible to create a package for that, then it will really help me.

At work I can log in with my Windows Domain account on SLES servers.
No doubt the same software or something similar.
Works great.

franco · June 06, 2016, 06:55:56 PM

It's there under security/pam_ldap, I can add it to the packages for 16.1.17.

weust · June 06, 2016, 07:48:56 PM

Cool! Will test it then.

No login at console when root disabled?

chemlud

June 03, 2016, 10:38:57 AM

fabian

June 03, 2016, 11:08:22 AM #1

chemlud

June 03, 2016, 11:18:09 AM #2

phoenix

June 03, 2016, 11:33:59 AM #3

chemlud

June 03, 2016, 11:36:22 AM #4

weust

June 03, 2016, 01:24:36 PM #5

franco

June 04, 2016, 02:48:20 PM #6

weust

June 04, 2016, 05:27:53 PM #7

franco

June 04, 2016, 05:39:24 PM #8

chemlud

June 04, 2016, 05:50:44 PM #9

weust

June 04, 2016, 06:24:58 PM #10

franco

June 06, 2016, 04:53:02 PM #11

weust

June 06, 2016, 06:53:39 PM #12

franco

June 06, 2016, 06:55:56 PM #13

weust

June 06, 2016, 07:48:56 PM #14