Non root user ssh logon or other methods



  • I use Xymon for monitoring, formerly Hobbit, formerly BigBrother.  It's an awesome monitoring system, I thoroughly suggest it.  Either way, I've got a couple of different options to monitor this box, but I'm running into problems with all of them.

    Option 1: Remote SSH client> 
        There is a client that executes entirely out of SSH, however, I run the server as a regular user for obvious reasons.  In order for the SSH client to work I need key based auth as that user, which isn't a problem for the myriad of other systems I do this for, but I am unable to get this to work in pfsense.  Not just specifically key based auth, but for any user I configure other than root/admin.  Has anyone got this to work?  Here's the output from ssh -v

    [username@hostname bin]$ ssh -v firewall
    OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to firewall [10.1.0.10] port 22.
    debug1: Connection established.
    debug1: identity file /home/username/.ssh/identity type -1
    debug1: identity file /home/username/.ssh/identity-cert type -1
    debug1: identity file /home/username/.ssh/id_rsa type 1
    debug1: identity file /home/username/.ssh/id_rsa-cert type -1
    debug1: identity file /home/username/.ssh/id_dsa type -1
    debug1: identity file /home/username/.ssh/id_dsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.4p1_hpn13v11 FreeBSD-20100308
    debug1: match: OpenSSH_5.4p1_hpn13v11 FreeBSD-20100308 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host 'firewall' is known and matches the RSA host key.
    debug1: Found key in /home/username/.ssh/known_hosts:4
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/username/.ssh/identity
    debug1: Offering public key: /home/username/.ssh/id_rsa
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Trying private key: /home/username/.ssh/id_dsa
    debug1: Next authentication method: keyboard-interactive
    Password:
    debug1: Authentications that can continue: publickey,password,keyboard-interactive

    I see that it likes the public key, but still fails to authenticate, and what's more irritating is that I can go through keyboard interactive then password and it will still fail no matter what.  I simply cannot logon as any other user than root.  Also, I've tried this with adding the Shell Access permission in user manager and with all permissions, which isn't a preferred method, but still no luck.

    Option 2: Fat Client
        There exists a fat client for BSD that I can pull and run successfully, however; no matter what I've tried to do I cannot get it to autostart, but you'll have to forgive me, I not very savvy with pfsense/nanobsd.  If I understand it correctly, everything gets re-written upon restart, so I can't use rc.d, but cron is an option.  I understand that BSD supports the '@reboot' syntax in cron, but I haven't been able to get that to work either.  Any suggestions?