User and Password Management - CE 2.6.0
-
I have a lab installation where I have been playing around with user management. I am running into some issues which I have not been able to resolve despite a huge amount of Google and forum thread searches, so any pointers or links would be highly appreciated :)
Background
- I am trying to configure a secured user setup to minimize potential soft spots.
- Using a standard install I set a new password for admin - password1.
- I added a new user - admin2 - with its own password - password2 - and added this user to the admins group.
- I changed the password for admin - password3 - and removed it from the admins group while also disabling it.
- I secured the console access.
- I enabled SSH.
Tested
- I am able to successfully log into the webUI, SSH and console using admin2
- I cannot log into the webUI, SSH or console with admin
Up to this point everything is working as expected.
Where the issues start
- I tried logging into the console with root but it wasn't using the same password as admin - password3
- I then tried using the original admin password - password1 - and was able to get in.
Assistance required
- My understanding from the docs is that the root password mirrors that of admin. So in my case it should be using password3 after the update and not password1? It seems like the connection between the admin and root password got broken after the initial install?
- My understanding from the docs is that you cannot/must not use passwd in shell to update passwords for any users? The problem is that you cannot update passwords for root in the webUI, so where are you supposed to do it then?
- I tried using passwd and it updates the root password but only in the current session. As soon as you reboot it reverts to the original password so there is no persistence. I cannot find any docs dealing with changing a root password, they all just focus on resetting the admin/root password to default. Anybody know how to do this correctly?
- I tried using the changepassword shell script as well but it gives an error when you use root as the username to update?
So basically it looks like you are stuck with root using whatever the original password is that you assigned to admin during the initial setup. I cannot find any way to update it to anything else and have it persist :(. So at this point I don't know if this is a bug or by design?
Werner
-
@wvdw said in User and Password Management - CE 2.6.0:
The problem is that you cannot update passwords for root in the webUI, so where are you supposed to do it then?
pfSense is GUI based.
The console / SSH access is very important, but not really needed for normal operations.
When I updated my admin's password using the GUI, I had to use this new password during console (VGA) access.
SSH : I don't care, as I use this :
Remember : the console access is a physical access to the device. If an unwanted user has physical access, because he uses the console, he already 'owns' the device.
You might think : everybody knows the user name ( == admin) during GUI access, so only the password, like "CdJFlBZyMmMn1lXUkmGgpsRH5Egpcck8W3BILUJYcXJ" will protect the GUI access.
Because you think that one is easy to guess ? ;)
Normally, only users on the LAN should be able to access the GUI, for your other LAN type interface use firewall rules to block the GUI access.
WAN is already blocked.
You can even narrow down the GUI access to a known IPv4 on your LAN.
These days, when you install a known vanilla 'debian', root (admin) access isn't even proposed any more. You enter the system using a normal user, like 'debian' and when logged in, you 'su' or 'sudo' to root if needed.
But that's for a server or desktop device. pfSense is not such a device.
SSH + keys is mandatory, user+password is something of the past.
-
Hi Gertjan,
I am a long term Linux admin and well aware of best practices when it comes to user/password/key management.
To answer your points:
- Yes, I am already using keys only for SSH access
- root cannot login via SSH
- I am already using sudo for root privileges elevation for admin2
- I use the webUI for the majority of actions but the playback scripts and shell access are there for a reason - so that you are able to administer pfSense even if you don't have webUI access and/or to make system changes which are not possible in the webUI.
All of the above is however irrelevant as it doesn't answer my primary question i.e. how do you change the root password? There must be a way to do this and you should be able to do this from time to time. I just don't understand why it's been made so complicated.
Werner
-
@wvdw said in User and Password Management - CE 2.6.0:
Yes, I am already using keys only for SSH access
Ok, so no more need to specify a user when logging in.
@wvdw said in User and Password Management - CE 2.6.0:
root cannot login via SSH
Right.
I didn't test, but this : still needs to be set up in the client SSH (Putty in my case) so the correct key gets chosen.
( something like that ).
@wvdw said in User and Password Management - CE 2.6.0:
I am already using sudo for root privileges elevation for admin2
Why do you think you need a second or another admin ?
pfSense is based on a mainstream OS, FreeBSD. But as I said above, it's not some multi user account device. There's an "admin", and that is used for maintenance tasks.
From what is known, even if you declare another user also as a member of the admin group, it's still not the main 'admin' ( == root) so this can / could give issues.
@wvdw said in User and Password Management - CE 2.6.0:
have webUI access and/or to make system changes which are not possible in the webUI.
That's ok.
Just keep in mind that pfSense is GUI driven. Known command line commands can't override settings that are handled by the GUI.
@wvdw said in User and Password Management - CE 2.6.0:
how do you change the root password?
admin password : As said, I just did that, see above, previous post.
I just went down to the basement, used the 'terminal' (console) access, and had to use the new password I changed in the GUI.
@wvdw said in User and Password Management - CE 2.6.0:
There must be a way to do this and you should be able to do this from time to time. I just don't understand why it's been made so complicated.
Complicated ? Use the GUI to change the password ;)
-
@Gertjan: admin does not equal root. These are two totally distinct and separate users in the local users table on FreeBSD (cat /etc/passwd). They therefore each have their own password. The webGUI initially just sets both these users with the same password.
admin = the initial main administrative user to manage the system through the webUI
root = the original (and only) super user on the system
admin has just been added to the admins user group (cat /etc/group) which has been assigned some elevated system privileges.
If you read through the best practices documentation for securing pfSense then you will quickly see there is a clear recommendation to disable the standard admin user and add a new user with a different username that has also been added to the admins group to manage the system instead of using admin.
And no, changing the admin password in the webGUI does not also change the root password.
My question remains: how do you change the root password?
PS: I use a Linux workstation so I don't have to set or configure anything in Putty
-
@wvdw said in User and Password Management - CE 2.6.0:
If you read through the best practices documentation for securing pfSense
Interesting. I might have to read that one.
You have a link ?
@wvdw said in User and Password Management - CE 2.6.0:
I use a Linux workstation
I've nothing like that.
But I do use a Debian based web mail dns etc server (real old school bare bone) for more than a decade.
No GUI (no webmin, X or the like). Just me, SSH client and nano.
'workstation' was a word I used when I was hammering on a Sun Sparc something using Solaris, if memory info is still correct ;) Also known as the pizza box.
-
Hmm, that's not the expected behaviour. And it's not what I see here, so far.
I assume you changed the admin password in the GUI via the user manager?
Did you try logging in as root before you secured the console or disabled it?
Or via ssh?
Did you actually set the password and disable the account in one step? It could be the password was not changed for either admin or root.
Steve
-
@stephenw10 I think you may be on to something there...
Yes, I changed the admin password in the webGUI. I did both in one step so I see where you are going with this... because I disabled the user it might have ignored the other changes like the new password.
I will re-enable admin and try to log in with both the old and new passwords to see which one is applicable. If it never changed the password then I can assume my statement above is true. I will then first do a password change, save the changes and then do a disable and save again to see what the impact is.
If it indeed did drop the password change because of the disable in the same step then it might be worth revising the script or at least putting a notice in the UI to make people aware of this.
Yes, I logged in with root before and after securing the console.
Based on your statement and that it is not in line with expected behaviour can I then also assume that changing the admin password in the webUI will always change it for both admin and root users? Disabling admin however has no further impact on root.
Werner
-
@stephenw10 : Okay did some quick testing and the following is true:
- Disabling admin must be done as a standalone step. All other changes made during the same step are ignored
- Changing the password for the admin user changes it for both admin and root
- You can still change the password for admin even if it is currently disabled. So this seems to be the correct (only?) way of updating a root password even if you are not using the admin user.
All of the above is obviously done through the webGUI.
Thanks for the pointer as that helped resolve the query :)
Werner
-
Hmm, that's an interesting edge case. Since, as you say, you can still change the password on a disabled account, it seems unexpected that changing the account status would prevent setting a password.
Let me open something...
-
Mmm, are you able to test a 2.7 snapshot?
I can't replicate that issue there; it may already be fixed.
Steve
-
@stephenw10 Sure I can grab it and put on a test box but it will take a day or so. I will post back here as soon as I have an answer.