User account - need permission to run scripts via SSH
-
Did you try just connecting as root? In pfSense root and admin are effectively the same account but root is required for sftp for example.
Steve
-
@stephenw10 I did try connecting as root, and I'm able to do what I want manually, but the problem is the menu appears when connect as root, and therefore I can't just SSH in and run a single command. I have to get past that menu first.
@JKnott Thank you for the correction, and sorry for my ignorance. I'm of course happy to do whatever research I need in order to figure this out. I guess the main question I have is this: is there a privilege I can give to a user account that will get me passed the "Unable to open /cf/conf/config.xml for writing in write_config()" error? Or is that simply not possible?
-
But did you actually try it? There is a difference between those usernames:
steve@steve-MMLP7AP-00 ~ $ ssh admin@8860.stevew.lan "uname -a" FreeBSD steve@steve-MMLP7AP-00 ~ $ ssh root@8860.stevew.lan "uname -a" FreeBSD 8860.stevew.lan 12.0-RELEASE-p10 FreeBSD 12.0-RELEASE-p10 8bad71faaf5(factory-RELENG_2_5) pfSense amd64Steve
-
You need to install the sudo package and use the
sudocommand to run shell commands as root.But like @stevew demonstrated you should be able to run single commands using the root account.
$ ssh root@192.168.223.1 cat /var/etc/ipsec/ipsec.conf Password for root@fw-223: # This file is automatically generated. Do not edit config setup uniqueids = yes <snip> -
@stephenw10 Yes, I tried... am I missing something?
-
You are not telling ssh to run any commands. Look:
ssh root@192.168.223.1cat /var/etc/ipsec/ipsec.conf -
@Derelict Ahhh, ok! I didn't understand that it would behave differently if I included a command along with the SSH connection. It's working now with root as the user. Thank you everyone for your efforts in helping me understand this!!
-
Logging on as root is generally not recommended / insecure. A better way would be to create a dedicated user that will use public key for logging on and and authorize exactly what commands they can run using sudo.
- Install sudo package
- Add a new user: System / User Manager -> Add (let's call this user
testuserfor this example) - Set a very complicated password (we won't be using it)
- >>Paste your public key that you will be using to connect with.<<
- Save the user
- Go back and edit
testuserto expose the permissions part of the GUI that doesn't appear initially (bug?) - Grant the user User - System: Shell account access
- Save the user
- Edit the sudo config (System / sudo)
- Add User:
testuserwith Run As User: root, Check No Password, preferably, enter the allowed command list, or ALL
To test:
- ssh
testuser@pfSense - you should not be prompted for a password since you will be using public key login
[2.4.4-RELEASE][testuser@pfsense.local]/home/testuser:- id - you'll see the default user ID
(uid=2000(testuser) gid=65534(nobody) groups=65534(nobody)- sudo id - now root user ID
uid=0(root) gid=0(wheel) groups=0(wheel),2(kmem),3(sys),4(tty),5(operator),20(staff),31(guest),1999(admins)- sudo your-script -your script will run as root
To run your script from remote:
- ssh
testuser@pfSense sudo your-script
-
@awebster for the sake of education, why is logging on as root considered insecure? What are the advantages of creating a dedicated user if that user can just sudo and do everything that root can do anyway?
-
@tkohhh In general, logging on as root should be restricted to the local console only. There are considerable arguments in favor of this "best practice", and of course there are some dissenting opinions, neither of which I will get into here.
You are correct in saying, if you use ALL in the
sudolist allowed commands, the net effect is that you can do anything root can, which is why it is preferable to limit what commands are allowed. For instance to only allow your specific script(s) to run would be good security practice, as it would prevent someone from simply doing 'sudo sh' and end up in a root shell. -
@tkohhh said in User account - need permission to run scripts via SSH:
why is logging on as root considered insecure?
Root has absolute power and can do a lot of damage. Mere mortals cannot damage anything out of their own area. If you only have local access and no one else can log in with the root ID, then you're okay. One common practice is to require those with root access to log in with their own ID, then su to root. This creates a log entry to show who assumed root access. Of course, never allow root login via anywhere beyond the local LAN. If I want to connect remotely, then I have to fist connect to my main system and then connect to my firewall from there. You can also enable passwordless connections, which use a public/private key pair, to ensure connections only from that one computer.
