Allow a user via ssh to: ifconfig eth0 down

OM606 · Apr 6, 2019, 1:28 PM

Hi networksecurity folks

I have created a user called adminsh in the browser GUI and made it member of the admin group. I only need this user for the network administration over ssh. basically the only thing the user needs to do is "ifconfig eth0 down" and "ifconfig eth up"

However, when i login through ssh and do a "ifconfig eth0 down" i get: ifconfig: down: permission denied.

How can i set the permission i order to allow the user at least network administration. It's even fine if the user has root privilege as this user is only allowed to loging in via rsa key and not with a password.

/etc/passd
adminsh:*:2000:65534::/home/adminsh:/bin/tcsh

/etc/group
admins:*:1999:root,adminsh

Regards and thanks,
Markus

Grimson · Apr 6, 2019, 1:32 PM

RTFM: https://docs.netgate.com/pfsense/en/latest/usermanager/sudo-package.html

OM606 · Apr 6, 2019, 1:40 PM

I think sudo is no option in my case as i run the ifconfig command from another host via ssh. thats also why i setup ssh login via ssh key instead of password.

I would prefere to give the user i have created root privilege. how can i give the user root priviledge?

Regards and thanks,
Markus

Grimson · Apr 6, 2019, 1:51 PM

@OM606 said in Allow a user via ssh to: ifconfig eth0 down:

I think sudo is no option in my case as i run the ifconfig command from another host via ssh. thats also why i setup ssh login via ssh key instead of password.

Read the documentation again, sudo is exactly what you need.

OM606 · Apr 6, 2019, 8:38 PM

I have installed sudo and configured it for my user adminsh but it's not working as i expected.

When i run the following from the remote host:

ssh adminsh@172.16.16.1 ifconfig re0 down

It gives me the following error:
ifconfig: down: permission denied

The reason for this is quite obvious because somewhere in the processs it would like to get the (sudo) password.

If i log in via ssh adminsh@172.16.16.1 and then execute sudo ifconfig re0 down it asks me for the password and everything works fine.

Any chance that i can execute this under sudo from remote?
I have tried something like following but this did not work:

ssh adminsh@172.16.16.1 sudo ifconfig re0 down
sudo: no tty present and no askpass program specified.

Otherwise, if there is a way that if i ssh into pfsense with admin or root that i get directly to the shell without the pfsense welcome menu? This would solve my problem definitely.

Thanks,
Markus

Grimson · Apr 6, 2019, 8:42 PM

@OM606 said in Allow a user via ssh to: ifconfig eth0 down:

If i log in via ssh adminsh@172.16.16.1 and then execute sudo ifconfig re0 down it asks me for the password and everything works fine.

Oh come on, the documentation even has an example setup for a command without a password. Show a screenshot of your sudo config.

OM606 · Apr 6, 2019, 8:58 PM

Grimson, first of all, thanks for your patience so much!

I have configured sudo only throught the webgui (System/sudo)

Do you mean the config file /usr/local/etc/sudoers ?

It looks like following:

root ALL=(root) ALL
admin ALL=(root) ALL
%admins ALL=(root) ALL
adminsh ALL=(root) ALL

Or do i need to put the custom command like in the example for user bob in the documentation in the following file:
/usr/local/etc/sudoers.d

Regards and thanks,
Markus

Grimson · Apr 6, 2019, 9:08 PM

@OM606

I really hope you are just drunk. Enable the "No Password" option like the documentation tells you in the first example.

OM606 · Apr 6, 2019, 9:17 PM

being drunk would not help much :-) because even with the No Password option i still get this:

ssh adminsh@172.16.16.1 ifconfig re0 down
ifconfig: down: permission denied

if i login using ssh adminsh@172.16.16.1
and then run:
sudo ifconfig re0 down
everything works but thats not what i need!! as stated in the first posts :-)

Other question, what do i have to change in order to not get /etc/rc.initial being started when i ssh into as root or admin?
i only need csh or any other shell instead of the menu. This would really solve my problem and if i need the menu i can just run /etc/rc.initial

Markus

Grimson · Apr 6, 2019, 9:26 PM

@OM606 said in Allow a user via ssh to: ifconfig eth0 down:

being drunk would not help much :-) because even with the No Password option i still get this:

ssh adminsh@172.16.16.1 ifconfig re0 down

Just for the sake of others that might read this post, you obviously still need to use sudo:

ssh adminsh@172.16.16.1 sudo ifconfig re0 down

@OM606
As I'm pretty convinced you are just trolling I will now add you to my blocked users list.

OM606 · Apr 6, 2019, 9:24 PM

thanks, you are very helpful and sorry for me beeing so untalented