OPNsense

Author Topic: [SOLVED] Unable to add user with shell access  (Read 12208 times)

bcjenkins

  • Newbie
  • *
  • Posts: 24
  • Karma: 6
[SOLVED] Unable to add user with shell access
« on: July 08, 2015, 03:24:35 pm »
I have added a user, ssh key, admin privileges, and shell access via the web gui. The user is not being allowed to login with the following error:
Quote
NO LOGINS: System going down at 10:32


pam_nologin: pam_sm_acct_mgmt: Administrator refusing you: /var/run/nologin

Connection closed by

I ssh into the firewall with root and I am able to see that my new user is not added to the group I created for SSH, nor wheel. I do see that the auth key is there along with the proper shell /bin/csh.

Is there something else needed?

--bcj
« Last Edit: July 10, 2015, 10:31:51 pm by franco »

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 13692
  • Karma: 1176
Re: [BUG] - Unable to add user with shell access
« Reply #1 on: July 08, 2015, 04:24:39 pm »
Funky. Workaround is:

# rm /var/run/nologin

Will need to see why this pops up now before designing a permanent fix.

franco

Re: [BUG] - Unable to add user with shell access
« Reply #2 on: July 08, 2015, 06:24:49 pm »
Looks like getting rid of clearing out /var/run at boot up caused this file to linger in the directory. shutdown seems to add the file, but doesn't remove it or the system has no chance to remove it. I don't know which it is, but it's not what the manual says. Will add a delete of the file on boot up for now, but I don't like it. I know little about that FreeBSD utility to give a definitive answer at this point.
« Last Edit: July 08, 2015, 06:28:38 pm by franco »
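
Added example (not part of the original posts and not OPNsense code): a shell check that tells a stale /var/run/nologin, as described in the replies above, from one that a running shutdown still owns, so the marker is reviewed before it is removed. The function names and the use of pgrep to detect a running shutdown are assumptions of this example.

```sh
#!/bin/sh
# Added example: classify the nologin marker checked by pam_nologin.
# Function names and the pgrep-based check are assumptions of this example.

# True when a shutdown(8) process is still running.
shutdown_pending() {
    pgrep -x shutdown >/dev/null 2>&1
}

# nologin_state FILE [CHECK_CMD] -> prints absent | pending | stale
nologin_state() {
    file=$1
    check=${2:-shutdown_pending}
    if [ ! -e "$file" ]; then
        echo absent
    elif "$check"; then
        echo pending
    else
        echo stale
    fi
}

# nologin_report FILE [CHECK_CMD] -> explains the state; non-zero when stale
nologin_report() {
    state=$(nologin_state "$@")
    case $state in
        absent)  echo "$1: not present, logins are not blocked by it" ;;
        pending) echo "$1: present and shutdown is running, leave it" ;;
        stale)   echo "$1: present but no shutdown is running; contents:"
                 sed 's/^/    /' "$1" ;;
    esac
    [ "$state" != stale ]
}

# Constructed sample: a marker with the message quoted in the thread; `false`
# stands in for "no shutdown process found".
sample=$(mktemp)
echo 'NO LOGINS: System going down at 10:32' > "$sample"
nologin_report "$sample" false || echo "stale marker: review, then remove it"
rm -f "$sample"
```

On the firewall itself, call `nologin_report /var/run/nologin` as root; the default check then looks for a live shutdown process.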

bcjenkins

Re: [WORKAROUND] Unable to add user with shell access
« Reply #3 on: July 09, 2015, 03:07:08 am »
Thanks, I will try this out.

franco

Re: [WORKAROUND] Unable to add user with shell access
« Reply #4 on: July 09, 2015, 07:09:04 am »
A workaround is in place for 15.7.2, but I need to take this to FreeBSD.

https://github.com/opnsense/core/issues/245

bcjenkins

Re: [WORKAROUND] Unable to add user with shell access
« Reply #5 on: July 10, 2015, 02:27:55 pm »
I can confirm the workaround works, but there is still an issue with proper group membership.

/etc/inc/auth.inc contains:
Code:
/* admins access gives wheely rights */
if (userHasPrivilege($user, 'page-all')) {
    $user_group = 'wheel';
}

However, my user is only in admins and the custom group I set up for ssh_users. The user is not able to sudo as a result.

franco

Re: [WORKAROUND] Unable to add user with shell access
« Reply #6 on: July 10, 2015, 04:20:44 pm »
If that's the case then there is something wrong with the groups -> rights mappings. If you assign shell access directly to the user, does it work then?

bcjenkins

Re: [WORKAROUND] Unable to add user with shell access
« Reply #7 on: July 10, 2015, 09:37:36 pm »
The ssh works, I am in the right groups and can now connect. What I can't do is sudo commands. I am trying to not rely on the root logon for anything.

There isn't a /etc/sudoers file (is that what's needed on BSD?). I did add my user to wheel manually and it didn't have any effect.

franco

Re: [WORKAROUND] Unable to add user with shell access
« Reply #8 on: July 10, 2015, 10:31:20 pm »
`su' works out of the box, that's what wheel is for originally. `sudo' is a port, so the config file is under /usr/local/etc/sudoers. In any case, you should rather use `visudo' to edit the config.

Last piece of the puzzle: the standard sudo config is not to allow it for wheel. We do not configure sudo. Pick the appropriate authentication level yourself. :)

At some point we'll add it to the GUI, but the standard will always be off by default.
OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved