Author Topic: Prevent SFTP login (Read 5786 times)

fabian · « **Reply #15 on:** January 29, 2018, 05:39:03 pm »

sounds good. but I would hardcode "wheel" to prevent a lockout of root and a user may add additional groups.

franco · « **Reply #16 on:** January 29, 2018, 05:41:55 pm »

That should make sure of it?

https://github.com/opnsense/core/blob/master/src/etc/rc.subr.d/recover#L34

And all GUI groups are added to the system, so that should all play out as it should.

Cheers,
Franco

fabian · « **Reply #17 on:** January 29, 2018, 06:07:43 pm »

I mean the sshd_config setting should be "AllowdGroups wheel custom_group1 custom_group2" where the default is "admin" as the first custom group so it is as hardened as possible and it will be hard to lockout root without changing the code.

franco · « **Reply #18 on:** January 29, 2018, 06:15:43 pm »

Good point, sure.

But we have to do stuffing in that case:

Setting is on, e.g. "admins":

AllowedGroups wheel admins

(does not support multi-select)

Settings is off:

#AllowedGroups nope

(not restricted as it is now)

Cheers,
Franco

franco · « **Reply #19 on:** January 31, 2018, 10:21:06 pm »

As discussed.... https://github.com/opnsense/core/commit/4cdfe13bc

I don't think this will hit 18.1.1, but 18.1.2 is likely.

Cheers,
Franco

namezero111111 · « **Reply #20 on:** February 01, 2018, 02:54:22 pm »

Awesome; I'm excited about the response :}

Author Topic: Prevent SFTP login (Read 5786 times)

fabian

Re: Prevent SFTP login

franco

Re: Prevent SFTP login

fabian

Re: Prevent SFTP login

franco

Re: Prevent SFTP login

franco

Re: Prevent SFTP login

namezero111111

Re: Prevent SFTP login