Netgate Discussion Forum

    User and Password Management - CE 2.6.0

    General pfSense Questions
    12 Posts 3 Posters 664 Views
    WvdW

      Hi Gertjan,

      I am a long-term Linux admin and well aware of best practices when it comes to user/password/key management.
      To answer your points:

      • Yes, I am already using keys only for SSH access
      • root cannot login via SSH
      • I am already using sudo for root privileges elevation for admin2
      • I use the webUI for the majority of actions but the playback scripts and shell access are there for a reason - so that you are able to administer pfSense even if you don't have webUI access and/or to make system changes which are not possible in the webUI.

      All of the above is however irrelevant as it doesn't answer my primary question i.e. how do you change the root password? There must be a way to do this and you should be able to do this from time to time. I just don't understand why it's been made so complicated.

      Werner

      Gertjan @WvdW

        @wvdw said in User and Password Management - CE 2.6.0:

        Yes, I am already using keys only for SSH access

        Ok, so no more need to specify a user when logging in.

        @wvdw said in User and Password Management - CE 2.6.0:

        root cannot login via SSH

        Right.
        I didn't test, but this:

        [image]

        still needs to be set up in the client SSH (PuTTY in my case) so the correct key gets chosen.
        (something like that).

        @wvdw said in User and Password Management - CE 2.6.0:

        I am already using sudo for root privileges elevation for admin2

        Why do you think you need a second or another admin?
        pfSense is based on a mainstream OS, FreeBSD. But as I said above, it's not some multi-user account device. There's an "admin", and that is used for maintenance tasks.
        From what is known, even if you declare another user also as a member of the admin group, it's still not the main 'admin' ( == root) so this can / could give issues.

        @wvdw said in User and Password Management - CE 2.6.0:

        have webUI access and/or to make system changes which are not possible in the webUI.

        That's ok.
        Just keep in mind that pfSense is GUI driven. Known command line commands can't override settings that are handled by the GUI.

        @wvdw said in User and Password Management - CE 2.6.0:

        how do you change the root password?

        admin password: As said, I just did that, see above, previous post.

        I just went down to the basement, used the 'terminal' (console) access, and had to use the new password I changed in the GUI.

        @wvdw said in User and Password Management - CE 2.6.0:

        There must be a way to do this and you should be able to do this from time to time. I just don't understand why it's been made so complicated.

        Complicated? Use the GUI to change the password ;)

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??

        WvdW

          @Gertjan: admin does not equal root. These are two totally distinct and separate users in the local users table on FreeBSD (cat /etc/passwd). They therefore each have their own password. The webGUI initially just sets both these users with the same password.

          admin = the initial main administrative user to manage the system through the webUI
          root = the original (and only) super user on the system

          admin has just been added to the admins user group (cat /etc/group) which has been assigned some elevated system privileges.

          If you read through the best practices documentation for securing pfSense then you will quickly see there is a clear recommendation to disable the standard admin user and add a new user with a different username that has also been added to the admins group to manage the system instead of using admin.

          And no, changing the admin password in the webGUI does not also change the root password.

          My question remains: how do you change the root password?

          PS: I use a Linux workstation so I don't have to set or configure anything in PuTTY

          Gertjan @WvdW

            @wvdw said in User and Password Management - CE 2.6.0:

            If you read through the best practices documentation for securing pfSense

            Interesting. I might have to read that one.
            You have a link?

            @wvdw said in User and Password Management - CE 2.6.0:

            I use a Linux workstation

            I've nothing like that.
            But I do use a Debian based web mail dns etc server (real old school bare-bones) for more than a decade.
            No GUI (no webmin, X or the like). Just me, SSH client and nano.

            'workstation' was a word I used when I was hammering on a Sun Sparc something using Solaris, if memory info is still correct ;) Also known as the pizza box.

            stephenw10 Netgate Administrator

              Hmm, that's not the expected behaviour. And it's not what I see here, so far.

              I assume you changed the admin password in the GUI via the user manager?

              Did you try logging in as root before you secured the console or disabled it?

              Or via ssh?

              Did you actually set the password and disable the account in one step? It could be the password was not changed for either admin or root.

              Steve

              WvdW @stephenw10

                @stephenw10 I think you may be on to something there...

                Yes, I changed the admin password in the webGUI. I did both in one step so I see where you are going with this... because I disabled the user it might have ignored the other changes like the new password.

                I will re-enable admin and try to log in with both the old and new passwords to see which one is applicable. If it never changed the password then I can assume my statement above is true. I will then first do a password change, save the changes and then do a disable and save again to see what the impact is.

                If it indeed did drop the password change because of the disable in the same step then it might be worth revising the script or at least putting a notice in the UI to make people aware of this.

                Yes, I logged in with root before and after securing the console.

                Based on your statement and that it is not in line with expected behaviour can I then also assume that changing the admin password in the webUI will always change it for both admin and root users? Disabling admin however has no further impact on root.

                Werner

                WvdW @WvdW

                  @stephenw10: Okay, did some quick testing and the following is true:

                  • Disabling admin must be done as a standalone step. All other changes made during the same step are ignored
                  • Changing the password for the admin user changes it for both admin and root
                  • You can still change the password for admin even if it is currently disabled. So this seems to be the correct (only?) way of updating a root password even if you are not using the admin user.

                  All of the above is obviously done through the webGUI.

                  Thanks for the pointer as that helped resolve the query :)

                  Werner
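
A way to check the behaviour reported in this thread from the shell, as an added example that is not part of any poster's message or of pfSense itself: it compares the password-hash field of root and admin between two snapshots in FreeBSD master.passwd format. The snapshots, hash strings and helper names are constructed for illustration; the `*LOCKED*` prefix is what FreeBSD's `pw lock` writes, and since the thread does not say whether pfSense applies it to a disabled admin, the script only tolerates it.

```shell
#!/bin/sh
# Added example: did a GUI password change reach root and admin?
# Input: two snapshots in FreeBSD master.passwd format
# (name:password:uid:gid:class:change:expire:gecos:home:shell).

# Print the password field for one user; empty if the user is absent.
pw_field() {  # $1 = user, $2 = file
    awk -F: -v u="$1" '$1 == u { print $2; exit }' "$2"
}

# Drop the "*LOCKED*" marker that FreeBSD's `pw lock` prepends to a hash.
strip_lock() {
    printf '%s\n' "${1#\*LOCKED\*}"
}

# Print "<user>:changed", "<user>:unchanged" or "<user>:missing".
hash_status() {  # $1 = user, $2 = before file, $3 = after file
    before=$(strip_lock "$(pw_field "$1" "$2")")
    after=$(strip_lock "$(pw_field "$1" "$3")")
    if [ -z "$before" ] || [ -z "$after" ]; then echo "$1:missing"
    elif [ "$before" = "$after" ]; then echo "$1:unchanged"
    else echo "$1:changed"
    fi
}

# One-line verdict for the two accounts discussed in the thread.
report() {  # $1 = before file, $2 = after file
    echo "$(hash_status root "$1" "$2") $(hash_status admin "$1" "$2")"
}

# Constructed snapshot; the hash strings are placeholders, not real hashes.
make_snapshot() {  # $1 = root hash, $2 = admin hash, $3 = output file
    cat > "$3" <<EOF
root:$1:0:0::0:0:Charlie &:/root:/bin/sh
admin:$2:0:0::0:0:System Administrator:/root:/etc/rc.initial
EOF
}

dir=$(mktemp -d)
make_snapshot '$2b$10$CONSTRUCTEDold' '$2b$10$CONSTRUCTEDold' "$dir/before"
make_snapshot '$2b$10$CONSTRUCTEDold' '*LOCKED*$2b$10$CONSTRUCTEDold' "$dir/combined"
make_snapshot '$2b$10$CONSTRUCTEDnew' '$2b$10$CONSTRUCTEDnew' "$dir/separate"
echo "password + disable in one save: $(report "$dir/before" "$dir/combined")"
echo "password saved on its own:      $(report "$dir/before" "$dir/separate")"
rm -rf "$dir"
```

On a live system the two inputs would be root-only copies of /etc/master.passwd taken before and after the save, removed once compared.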

                  stephenw10 Netgate Administrator

                    Hmm, that's an interesting edge case. Since, as you say, you can still change the password on a disabled account, it seems unexpected that changing the account status would prevent setting a password.
                    Let me open something...

                    stephenw10 Netgate Administrator

                      Mmm, are you able to test a 2.7 snapshot?

                      I can't replicate that issue there; it may already be fixed.

                      Steve

                      WvdW @stephenw10

                        @stephenw10 Sure, I can grab it and put it on a test box but it will take a day or so. I will post back here as soon as I have an answer.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.