Author Topic: Prevent SFTP login  (Read 4150 times)

fabian

Re: Prevent SFTP login
« Reply #15 on: January 29, 2018, 05:39:03 pm »
Sounds good, but I would hardcode "wheel" to prevent a lockout of root, and a user may add additional groups.

franco

Re: Prevent SFTP login
« Reply #16 on: January 29, 2018, 05:41:55 pm »
That should make sure of it?

https://github.com/opnsense/core/blob/master/src/etc/rc.subr.d/recover#L34

And all GUI groups are added to the system, so that should all play out as it should.


Cheers,
Franco

fabian

Re: Prevent SFTP login
« Reply #17 on: January 29, 2018, 06:07:43 pm »
I mean the sshd_config setting should be "AllowGroups wheel custom_group1 custom_group2", where the default is "admin" as the first custom group, so it is as hardened as possible and it will be hard to lock out root without changing the code.

franco

Re: Prevent SFTP login
« Reply #18 on: January 29, 2018, 06:15:43 pm »
Good point, sure.

But we have to do stuffing in that case:

Setting is on, e.g. "admins":

AllowGroups wheel admins

(does not support multi-select)

Setting is off:

#AllowGroups nope

(not restricted as it is now)


Cheers,
Franco
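
The scheme from the reply above, as an added example that is not part of the original post and not OPNsense's own code: shell functions that render the `AllowGroups` line with `wheel` always included, and audit a config for an active `AllowGroups` line that omits it. The function names and the accepted group-name characters are assumptions, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not OPNsense code; function names are hypothetical.

# Render the sshd_config line for the GUI setting ("" = off, else one group).
render_allow_groups() {
    group=$1
    if [ -z "$group" ]; then
        printf '#AllowGroups\n'          # off: directive stays commented out
        return 0
    fi
    # Accept plain group names only (assumed character set), so a crafted
    # value cannot put whitespace, newlines or patterns into sshd_config.
    case $group in
        -* | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    if [ "$group" = wheel ]; then
        printf 'AllowGroups wheel\n'
    else
        printf 'AllowGroups wheel %s\n' "$group"   # wheel is always first
    fi
}

# Classify an sshd_config read from stdin: unrestricted | ok | lockout-risk.
# Simplifications: Match blocks are not interpreted, "wheel" must be literal.
audit_allow_groups() {
    awk '
        { sub(/^[ \t]+/, "") }                  # tolerate leading whitespace
        /^#/ || NF == 0 { next }                # skip comments and blank lines
        tolower($1) == "allowgroups" {          # keywords are case-insensitive
            seen = 1
            for (i = 2; i <= NF; i++) if ($i == "wheel") wheel = 1
        }
        END {
            if (!seen)      print "unrestricted"
            else if (wheel) print "ok"
            else            print "lockout-risk"
        }'
}

# Constructed sample configs: setting off, setting "admins", wheel missing.
for setting in "" admins; do
    line=$(render_allow_groups "$setting")
    result=$(printf 'Port 22\nSubsystem sftp internal-sftp\n%s\n' "$line" | audit_allow_groups)
    printf '%-8s -> %s\n' "${setting:-off}" "$result"
done
printf 'AllowGroups admins\n' | audit_allow_groups
```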

franco

Re: Prevent SFTP login
« Reply #19 on: January 31, 2018, 10:21:06 pm »
As discussed.... https://github.com/opnsense/core/commit/4cdfe13bc

I don't think this will hit 18.1.1, but 18.1.2 is likely.


Cheers,
Franco

namezero111111

Re: Prevent SFTP login
« Reply #20 on: February 01, 2018, 02:54:22 pm »
Awesome; I'm excited about the response :}