Netgate Discussion Forum
LDAP Insecure Shell Access

General pfSense Questions
5 Posts 2 Posters 561 Views

    skeels78
    last edited by Oct 6, 2023, 11:58 PM

    I've successfully set up LDAP in pfSense - I can login to the GUI with the correct permissions. I'm also seeing the opposite - users that are not part of my defined group CANNOT login to the GUI.

    This issue is with shell authentication using LDAP.
    I have Shell Authentication Group DN configured with

    CN=pfSense_Admin,OU=Groups,DC=ad,DC=example,DC=com
    

    When I login (using SSH) to the shell with my AD user, I get the following output, followed by being dropped into the pfSense CLI menu.

    You must be a memberOf of CN=pfSense_Admin,OU=Groups,DC=ad,DC=example,DC=com to login.
    

    I do appear to have limited privileges - i.e. I can't restart services, run pfTop, or reboot the firewall.
    I can open the shell and issue commands as a non-root user.

    This isn't an issue if any given user doesn't have the correct attributes configured on their user account. But, that also isn't a solution to denying shell access to a firewall.

    Has anyone seen this behavior or been able to replicate this? (I did see a Reddit post about this)

    NOTE: I'm using Active Directory on Windows Server 2022.
    NOTE: I've set up the necessary user attributes in AD to allow a user to login to the pfSense shell. I can already login to the shell - albeit in an insecure/broken way.

      stephenw10 Netgate Administrator
      last edited by Oct 8, 2023, 5:24 AM

      So, to be clear, you expect those users to be able to login at the CLI without a warning and have full permissions from the group?

        skeels78
        last edited by Oct 8, 2023, 2:12 PM

        Yes (or whatever permissions are assigned to the group in the GUI). The issue here being that pfSense isn't respecting the group declaration. I can create a new AD user, not put that user in any groups, and still login to the CLI of pfSense.

          stephenw10 Netgate Administrator
          last edited by Oct 8, 2023, 4:25 PM

          So if you test it in Diag > Auth it returns the expected groups and they match the groups defined in pfSense?

            skeels78
            last edited by Oct 8, 2023, 10:52 PM

            Yep! I can login to the GUI just fine assuming my user is part of the "pfSense_Admin" group - the same group I have set up in the shell auth group section.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
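As an added illustration (not pfSense's or Netgate's code), here is the membership check the thread describes, written to fail closed: a shell session is granted only when the user's memberOf values contain the configured Shell Authentication Group DN, and every other case, including an account with no groups at all, is denied rather than warned. The directory entries are constructed; the group DN is the one from the thread.

```python
"""Fail-closed shell authorization against an LDAP/AD memberOf attribute.
Added example, not pfSense code. Directory data below is constructed."""
from dataclasses import dataclass

REQUIRED_GROUP_DN = "CN=pfSense_Admin,OU=Groups,DC=ad,DC=example,DC=com"

# Constructed stand-in for the attributes an LDAP search would return per user.
DIRECTORY = {
    "alice": {"memberOf": ["CN=pfSense_Admin,OU=Groups,DC=ad,DC=example,DC=com"]},
    "bob":   {"memberOf": ["cn=Domain Users, ou=groups, dc=ad, dc=example, dc=com"]},
    "carol": {"memberOf": ["cn=pfsense_admin, OU=Groups, DC=AD, DC=example, DC=com"]},
    "dave":  {},  # freshly created account, no group memberships
}


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN for comparison. AD DN matching is case-insensitive and
    ignores whitespace around RDN separators. Sufficient for the unescaped DNs
    used here; escaped commas would need a full RFC 4514 parser."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


@dataclass
class ShellDecision:
    allowed: bool
    reason: str


def authorize_shell(username: str, required_group_dn: str = REQUIRED_GROUP_DN) -> ShellDecision:
    """Decide shell access for a user. Unknown users and accounts without the
    group are denied: printing the 'You must be a memberOf ...' warning and then
    opening the shell anyway is exactly the behaviour the thread reports."""
    entry = DIRECTORY.get(username)
    if entry is None:
        return ShellDecision(False, "user not found in directory")
    groups = {normalize_dn(g) for g in entry.get("memberOf", [])}
    if normalize_dn(required_group_dn) in groups:
        return ShellDecision(True, "member of shell authentication group")
    return ShellDecision(False, f"You must be a memberOf of {required_group_dn} to login.")


if __name__ == "__main__":
    for user in DIRECTORY:
        d = authorize_shell(user)
        print(f"{user:6} -> {'ALLOW' if d.allowed else 'DENY '} ({d.reason})")
```

Running it allows alice and carol (same group, different DN casing and spacing) and denies bob, dave and any unknown user.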