[SOLVED] Unable to add user with shell access

[bcjenkins]

I have added a user, ssh key, admin privileges, and shell access via the web gui. The user is not being allowed to login with the following error:

NO LOGINS: System going down at 10:32


pam_nologin: pam_sm_acct_mgmt: Administrator refusing you: /var/run/nologin

Connection closed by

I ssh into the firewall with root and I am able to see that my new user is not added to the group I created for SSH, nor wheel. I do see that the auth key is there along with the proper shell /bin/csh.

Is there something else needed?

--bcj

[franco]

Funky. Workaround is:

# rm /var/run/nologin

Will need to see why this pops up now before designing a permanent fix.

[franco]

Looks like getting rid of clearing out /var/run at boot up caused this file to linger in the directory. shutdown seems to add the file, but doesn't remove it or the system has no chance to remove it. I don't know which it is, but it's not what the manual says. Will add a delete of the file on boot up for now, but I don't like it. I know little about that FreeBSD utility to give a definitive answer at this point.

[bcjenkins]

Thanks, I will try this out.

[franco]

A workaround is in place for 15.7.2, but I need to take this to FreeBSD.

https://github.com/opnsense/core/issues/245

[bcjenkins]

I can confirm the workaround works, but there is still an issue with proper group membership.

/etc/inc/auth.inc contains:

Code: [Select]

/* admins access gives wheely rights */
if (userHasPrivilege($user, 'page-all')) {
$user_group = 'wheel';
}
However my user is only in admins and the custom group I set up for ssh_users. The user is not able to sudo as a result.

[franco]

If that's the case then there is something wrong with the groups -> rights mappings. If you assign shell access directly to the user, does it work then?

[bcjenkins]

The ssh works, I am in the right groups and can now connect. What I can't do is sudo commands. I am trying to not rely on the root logon for anything.

There isn't a /etc/sudoers file (is that what's needed on BSD?) I did add my user to wheel manually and it didn't have any effect.

[franco]

`su' works out of the box, that's what wheel is for originally. `sudo' is a port, so the config file is under /usr/local/etc/sudoers. In any case, you should rather use `visudo' to edit the config.

Last piece of the puzzle: the standard sudo config is not to allow it for wheel. We do not configure sudo. Pick the appropriate authentication level yourself.

At some point we'll add it to the GUI, but the standard will always be off by default.