SSH for User in admins group does not work

Started by jke, April 07, 2025, 10:10:24 PM

Hi everyone,

I've added a user, selected the default "admins" group, selected a shell (/bin/sh) and pasted an SSH key for the user.
Then I went to Settings -> Administration.
Under Secure Shell, I enabled it, selected "wheel, admins" for Login Groups and went to the Authentication section, where I also selected "wheel, admins" and "ask password" for sudo.

But when I try to connect to the appliance via SSH as the new user, I get "Permission denied (publickey)".

I've also tried it with other SSH keys, but it won't work, so I think it is something I messed up in the settings.
Did I forget anything obvious?

Thanks for your help in advance!

Looks quite OK. I never changed anything in the 'Authentication' section, so I can't comment on that part.

Quote: "pasted an SSH key for the user"
On the client you want to log in from, you created an SSH key? Did you copy the public key (<key name>.pub in ~/.ssh/) of the client SSH key into the user's 'Authorized Keys' field?
Deciso DEC740

Quote from: patient0 on April 07, 2025, 11:16:31 PM
On the client you want to log in from, you created an SSH key? Did you copy the public key (<key name>.pub in ~/.ssh/) of the client SSH key into the user's 'Authorized Keys' field?

Yes, that's just what I did.
I also tried with the keys working for the root user, but that didn't change anything. For root it works; for the new user it doesn't.
I've done this setup in the past, but it was some time ago, so I don't remember the exact steps to get it working.
I thought the steps I've gone through were everything I needed to do.

That really should work, yes. I created a user, added it to the admin group and pasted the public key in the field.
In the end you got one line starting with 'ssh-ed25519' or 'ssh-rsa' in that field, yes?

What OPNsense version are you using?
Deciso DEC740

Quote from: patient0 on April 07, 2025, 11:31:44 PM
In the end you got one line starting with 'ssh-ed25519' or 'ssh-rsa' in that field, yes?

What OPNsense version are you using?

Yes, I use ed25519 and the (single) line starts with ssh-ed25519.
I first thought the comment at the end of the line was the problem, but that is also not the case.
I removed it and it doesn't work; the keys of the admin user do have comments, and they work.

The OPNsense version is the latest (OPNsense 25.1.4_1-amd64).

I just tested it with a new user.
There it works. Do you know of any restrictions on naming users?
The user "test" works just fine, with the same setup, but the original user "github-runner" does not work.

Quote from: jke on April 07, 2025, 11:38:07 PM
Yes, I use ed25519 and the (single) line starts with ssh-ed25519.
I first thought the comment at the end of the line was the problem, but that is also not the case.
I removed it and it doesn't work; the keys of the admin user do have comments, and they work.

The OPNsense version is the latest (OPNsense 25.1.4_1-amd64).
Does the user on the client have multiple SSH keys, and it may be using another one? Can you run 'ssh -v <the user>@opnsense'? That will tell you all the keys it tries.
Deciso DEC740
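One way to act on that 'ssh -v' advice, as an added example that is not code from the thread or from OPNsense: a small sh helper that reads the client's debug output and lists which keys were offered and whether the server accepted one, exercised here on constructed transcripts, plus a wrapper that forces a single key with IdentitiesOnly so the attempt is not spent on other files in ~/.ssh or on agent keys. It assumes the OpenSSH 8.x or newer client debug format ('Offering public key: <path> <type> <fingerprint> ...'); the paths and fingerprints are made up, and the host name opnsense and user name github-runner are taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense.
# Assumes the OpenSSH 8.x+ client debug format:
#   debug1: Offering public key: <path> <type> <fingerprint> [explicit|agent]
#   debug1: Server accepts key:  <path> <type> <fingerprint> ...

# Read `ssh -v` output on stdin and print:
#   offered  <path> <fingerprint>   for every key the client tried
#   accepted <path> <fingerprint>   if the server took one
#   result: ok|denied
ssh_debug_summary() {
    awk '
        /Offering public key:/ { print "offered", $5, $7 }
        /Server accepts key:/  { print "accepted", $5, $7; ok = 1 }
        END                    { print "result:", (ok ? "ok" : "denied") }
    '
}

# Try exactly one key. IdentitiesOnly=yes stops ssh from also offering agent
# keys and the default ~/.ssh/id_* files, so the summary shows only this key.
# Usage: ssh_try_key ~/.ssh/id_ed25519 github-runner opnsense
ssh_try_key() {
    key="$1"; user="$2"; host="$3"
    ssh -v -o IdentitiesOnly=yes -i "$key" "$user@$host" 2>&1 | ssh_debug_summary
}

# Fingerprint of a public key file, to compare with the "offered" line and
# with the line pasted into the OPNsense user's Authorized Keys field.
pubkey_fingerprint() {
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# Constructed transcript of a failing run (hypothetical paths/fingerprints).
SAMPLE_DENIED='debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/me/.ssh/id_rsa RSA SHA256:rsaFP0000 explicit
debug1: Authentications that can continue: publickey
debug1: Offering public key: /home/me/.ssh/id_ed25519 ED25519 SHA256:edFP1111 explicit
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
github-runner@opnsense: Permission denied (publickey).'

# Constructed transcript of a successful run.
SAMPLE_OK='debug1: Offering public key: /home/me/.ssh/id_ed25519 ED25519 SHA256:edFP1111 explicit
debug1: Server accepts key: /home/me/.ssh/id_ed25519 ED25519 SHA256:edFP1111 explicit
Authenticated to opnsense ([192.0.2.1]:22) using "publickey".'

# Run the summary over one of the constructed transcripts (no live host needed).
summarise_sample() {
    case "$1" in
        denied) printf '%s\n' "$SAMPLE_DENIED" ;;
        ok)     printf '%s\n' "$SAMPLE_OK" ;;
    esac | ssh_debug_summary
}

summarise_sample denied
summarise_sample ok
```

On the real client, 'ssh_try_key ~/.ssh/id_ed25519 github-runner opnsense' prints the same kind of summary. If the key you pasted is listed as offered (same fingerprint as 'pubkey_fingerprint ~/.ssh/id_ed25519.pub') and the server still answers with nothing but 'publickey' in 'Authentications that can continue', the client did its part and the key was rejected on the server side.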

Quote from: jke on April 07, 2025, 11:40:57 PM
The user "test" works just fine, with the same setup, but the original user "github-runner" does not work.
I created a user named github-runner and it works for me.
Deciso DEC740

Okay, thank you very much for your help.
I guess I found the cause of the problem, but as of right now not a solution.
The system was previously a "plain" FreeBSD system, where I had already created the user "github-runner".
There I ran the opnsense-bootstrap script, which I thought would clean up the system.
But I just found out the users do not seem to be cleaned up correctly.

There must be some sort of conflict when creating a user with the same name.

I will clean up all evidence of the "user artifacts" and try again.

Update: I can't find any more evidence of the user (I deleted the home directory/ZFS dataset and the lines referencing it in /etc/passwd, /etc/groups, /etc/master.passwd, /usr/local/etc/sudoers), but it still doesn't work.
I think I will set up a clean system again and use the backup of the currently existing appliance.

Or do you maybe have any other idea where anything else could be that interferes with the OPNsense setup?
'find / -name' and 'grep -r / -e' had no more results (only log entries).

Did you use "vipw" or "pw" to remove the user from master.passwd and friends? Because there's a database generated from the plain text file in BSD. "vipw" takes care of rebuilding that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
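For the cleanup described two posts up and the database point raised here, an added example that is not code from the thread, FreeBSD or OPNsense: an sh helper that reports which of the usual files still mention a user name (as an account, as a group member, or in a sudoers rule), checks whether master.passwd was edited after the last pwd.db/spwd.db rebuild, and removes the account the supported way with pw(8) so the databases are regenerated. It assumes the FreeBSD file layout and uses the user name github-runner from the thread; the files it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeBSD or OPNsense.
# Assumes the FreeBSD layout: /etc/master.passwd is the source of truth,
# /etc/pwd.db and /etc/spwd.db are the databases getpwnam(3) and sshd
# actually consult, and /etc/passwd is regenerated by pwd_mkdb -p.

# Print every file among $2.. that still carries $1 as an account name,
# as a group member, or as the subject of a sudoers rule.
# Returns 1 if anything was found, 0 if the name is gone from all of them.
find_user_residue() {
    name="$1"; shift
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -E -q "(^|[,:])${name}([[:space:],:]|$)" "$f"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# True if the plain-text file is newer than the database built from it,
# i.e. it was edited by hand without vipw(8)/pwd_mkdb(8) afterwards.
# sshd and id(1) read the database, not the text file.
passwd_db_stale() {
    master="${1:-/etc/master.passwd}"
    db="${2:-/etc/spwd.db}"
    [ "$master" -nt "$db" ]
}

# Remove the account the supported way. pw(8) edits master.passwd and group
# and rebuilds pwd.db/spwd.db itself; pwd_mkdb -p is run once more so
# /etc/passwd is regenerated too. Only meaningful as root on FreeBSD.
freebsd_remove_user() {
    name="$1"
    [ "$(uname -s)" = FreeBSD ] || { echo "not FreeBSD, skipping" >&2; return 2; }
    pw userdel -n "$name" -r                 # -r also removes the home directory
    pwd_mkdb -p /etc/master.passwd
    id "$name" >/dev/null 2>&1 && return 1   # the name must be unknown now
    find_user_residue "$name" /etc/passwd /etc/master.passwd /etc/group /usr/local/etc/sudoers
}

# As it would be typed on the firewall (real paths):
#   find_user_residue github-runner /etc/passwd /etc/master.passwd /etc/group /usr/local/etc/sudoers
#   passwd_db_stale && echo "master.passwd edited after the last pwd_mkdb run"
#   freebsd_remove_user github-runner
```

The staleness check is the quick test for the situation Patrick describes: if master.passwd is newer than spwd.db, the hand edit never reached the database and 'id github-runner' on the firewall will still disagree with the text file until vipw(8) or 'pwd_mkdb -p /etc/master.passwd' has been run.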

Quote from: Patrick M. Hausen on April 08, 2025, 12:08:09 AM
Did you use "vipw" or "pw" to remove the user from master.passwd and friends? Because there's a database generated from the plain text file in BSD. "vipw" takes care of rebuilding that.

I just found out about this :)
And when I did, I tried it, but the problem sadly persists.

Quote from: jke on April 08, 2025, 12:10:37 AM
And when I did, I tried it, but the problem sadly persists.
Did you remove and recreate the user in OPNsense after you removed it from the system?
Deciso DEC740

Try "id <user>" on OPNsense and "ssh -v ..." from the external system to get more debug info.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: patient0 on April 08, 2025, 12:11:56 AM
Did you remove and recreate the user in OPNsense after you removed it from the system?

Yes, a few times.