openssh: do not allow sftp login for non-admins

Also suggested by @fabianfrz. Not perfect yet as we seem to mix wheel with access and either need to lock down shell access along with it or somehow tag along the shell privilege. Small race in the group setting on the user page. PR: https://forum.opnsense.org/index.php?topic=6994.0
opnsense · Jan 27, 2018 · 2fc86a7 · 2fc86a7
1 parent 1fbbece
commit 2fc86a7
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/etc/inc/plugins.inc.d/openssh.inc b/src/etc/inc/plugins.inc.d/openssh.inc
@@ -157,7 +157,8 @@ function openssh_configure_do($verbose = false, $interface = '')
     $sshconf .= "UseDNS no\n";
     $sshconf .= "X11Forwarding no\n";
     $sshconf .= "PubkeyAuthentication yes\n";
-    $sshconf .= "Subsystem\tsftp\tinternal-sftp\n";
+    $sshconf .= "Subsystem sftp internal-sftp\n";
+    $sshconf .= "AllowGroups wheel\n";
     if (isset($sshcfg['permitrootlogin'])) {
         $sshconf .= "PermitRootLogin yes\n";
     } else {

diff --git a/src/www/system_usermanager.php b/src/www/system_usermanager.php
@@ -361,8 +361,8 @@ function get_user_privdesc(& $user)
                 $a_user[] = $userent;
             }
 
-            local_user_set($userent);
             local_user_set_groups($userent, $pconfig['groups']);
+            local_user_set($userent);
             write_config();
 
             if (!empty($pconfig['chkNewCert'])) {