Cannot grant non-admin shell access any more after #2154 #2655

Closed
pv2b opened this Issue Aug 20, 2018 · 7 comments

Contributor

pv2b commented Aug 20, 2018

#2154 has changed how shell access is granted. In my use case I wanted to grant a non-admin user ssh access to the firewall.

This does not seem to be possible any more, either I put the user in "admins" and permit SSH, or the user cannot log in through SSH.

This pops up in system.log: Aug 20 13:52:51 XXX-XXXXXX-XXXX sshd[xxxxx]: error: PAM: authentication error for illegal user xxxxxxxx from xxx.xxx.xxx.xxx

Member

AdSchellevis commented Aug 20, 2018

@pv2b just to be sure, what did you configure in "Login Group"?

The release notes do have a mention about this, but it's easy to overlook,

SSH access can be set for an arbitrary group as well under System: Administration for non-members of "admins" group. However, in both cases only SCP works due to a request in the forum to be more proactive regarding yielding of shell access rights. If you want a user to gain true SSH access you need to change their shell from "nologin" to an installed shell in their respective settings.

Contributor

pv2b commented Aug 20, 2018

I did see this in the release notes but to me this is cryptic to the point of not being able to understand what is said.

SSH access can be set for an arbitrary group as well under System: Administration for non-members of "admins" group.

How? The appropriate path is System: Settings: Administration, but under "Login Group" only "wheel" or "wheel, admins" are possible to pick.

The "wheel" group is not accessible through the WebUI, I'm guessing this is the underlying FreeBSD group that permits root access(?).

Contributor

pv2b commented Aug 20, 2018

To clarify, in my case, login group is set to "wheel", which still somehow seems to permit my user to log in even if I just add him to the admin group.

Member

fichtner commented Aug 20, 2018

Wheel is always preselected for clarity. You can choose a second arbitrary group if you create one. The admin group has right page-all which gives wheel access to users directly. Since we don’t handle wheel from the gui it’s a bit hard to follow but not unreasonable.

@fichtner fichtner closed this Aug 20, 2018

Member

fichtner commented Aug 20, 2018

PS: also set a user shell for each user as stated in the same notes.
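The access rules worked out in this thread (membership in wheel, admins or the extra Login Group, plus a real login shell instead of nologin), as an added audit helper that is not OPNsense code; the group name "sshusers" and the passwd/group records are constructed assumptions for the example:

```shell
#!/bin/sh
# Added audit helper (not OPNsense code): given passwd/group records, report
# which local users can open an interactive SSH session under the rules
# described in this thread:
#   - the user is in "wheel", in "admins" (page-all grants wheel access),
#     or in the extra Login Group (assumed here to be named "sshusers")
#   - and the login shell is not nologin, otherwise only SCP works

LOGIN_GROUP="sshusers"   # assumed name of the arbitrary second login group

# Constructed sample records in passwd(5)/group(5) format, not from a real box.
PASSWD_DB='root:*:0:0:root:/root:/bin/sh
alice:*:2001:2001:Alice:/home/alice:/usr/local/bin/bash
bob:*:2002:2002:Bob:/home/bob:/usr/sbin/nologin
carol:*:2003:2003:Carol:/home/carol:/bin/csh
dave:*:2004:2004:Dave:/home/dave:/bin/sh'
GROUP_DB='wheel:*:0:root
admins:*:1999:alice
sshusers:*:2000:bob,carol'

# in_group GROUP USER -> exit 0 if USER is listed as a member of GROUP
in_group() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# ssh_access USER -> prints "shell", "scp-only" or "denied"
ssh_access() {
    shell=$(printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $7 }')
    if [ -z "$shell" ]; then echo "denied"; return; fi          # unknown user
    if in_group wheel "$1" || in_group admins "$1" || in_group "$LOGIN_GROUP" "$1"; then
        case "$shell" in
            */nologin) echo "scp-only" ;;                      # in a login group, but no shell
            *)         echo "shell" ;;
        esac
    else
        echo "denied"                                          # not in any login group
    fi
}

# audit_all -> one "user status" line per passwd record
audit_all() {
    printf '%s\n' "$PASSWD_DB" | cut -d: -f1 | while read -r u; do
        printf '%s %s\n' "$u" "$(ssh_access "$u")"
    done
}

audit_all
```

Run against a real system by replacing the two constructed records with the contents of /etc/passwd and /etc/group.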

Contributor

pv2b commented Aug 20, 2018

That doesn't seem to explain why I am able to log in to the device when "wheel" has been selected as the user group, but I do get to log in as soon as I add the user to the admins group.

Member

fichtner commented Aug 20, 2018
