disable password login and sudo?

Status
Not open for further replies.
nojohnny101

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
I understand why the "disable password login" box is greyed out when the option "permit sudo" is checked under a particular user because when one performs sudo, a password must be entered.

however how does this work for the root account? how do you allow the root account to have sudo privileges (or is that inherent already?) but not allow SSH login with a password (only public/private key).

also, if you check "disable password login" for the root user, doesn't take away the GUI password for logging in and leave it open to anyone on the local network?

thanks for the help!
 
nojohnny101

nojohnny101

Wizard
Joined
Dec 3, 2015
Messages
1,478
Ok thanks for the quick responses. So best practices is to not allow sudo on any created user and check "disable password login" for all other uses (because I already have setup ssh public/price key authentication on every user I have created)? Is this correct?
 
pirateghost

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
nojohnny101 said:
Ok thanks for the quick responses. So best practices is to not allow sudo on any created user and check "disable password login" for all other uses (because I already have setup ssh public/price key authentication on every user I have created)? Is this correct?
Click to expand...
It all depends on your use case.
 
anodos

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
nojohnny101 said:
Ok thanks for the quick responses. So best practices is to not allow sudo on any created user and check "disable password login" for all other uses (because I already have setup ssh public/price key authentication on every user I have created)? Is this correct?
Click to expand...
FYI, disabling password login for your users will make it so that they're unable to access samba shares.

If needed, you can specify the users that should have ssh access by adding "extra option" to Services -> SSH
Code:
AllowUsers joe bob mary


or

Code:
AllowGroups ssh_users


Honestly, I typically just create a jail, nullfs mount a dataset in it through the webgui, and grant users sftp access to it while properly creating an SFTP chroot environment. Simple, stable, and basically zero chance of giving a regular user (peon) access to the host operating system.
 
Last edited:
Glorious1

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
anodos said:
Honestly, I don't know why any freenas user would need sudo.
Click to expand...
I use sudo frequently. The manual says for security reasons, root logins are discouraged and disabled by default. So I don't do it. And I don't use password login, key only.
 
N

Nasarus

Cadet
Joined
Oct 4, 2016
Messages
6
This seems like a very strange behaviour (that is, prevent SSH user from also having sudo).

I'd very much like to be able to sudo when logged in via ssh.

I do not like (nor is it safe to) be logged in as root, sudo su, sudo -i etc. It's like walking around drunk with a loaded pistol.

I do like to have the pistol in my holster for when I need it though.

I also find passwords cumbersome and/or insecure.

Anywho, I have no idea if it will survive a reboot or not, but for now I've done the following (as root, of course):

Code:
visudo

Then add:
Code:
<username> ALL=(ALL) NOPASSWD: ALL

Of course this might seem cowboy to some. ymmv.
 
Last edited:
N

Nasarus

Cadet
Joined
Oct 4, 2016
Messages
6
Welp it looks like this is overwritten by script frequently, like whenever a user is modified.

A little bit of grep told me that it was originating from:

/conf/base/etc/local/sudoers

so I just added what I want my defaults to be in there...

Sure would have been nice if I could just check off both of those boxes at once, though.

I still don't know if this will stick. I might have to dive into the sqlite db next?
 
Glorious1

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
pirateghost said:
Lmao. So giving passwordless sudo is safer than root?

Bahaha. You're delusional
Click to expand...
Would it be more safe if he uses public key authentication to log in?
 
pirateghost

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Glorious1 said:
Would it be more safe if he uses public key authentication to log in?
Click to expand...
No. It's stupid to think that sudo is safer than root. It makes sense for a workstation, to elevate credentials when needing to do administration work, but it should require authentication at least in the form of a password when you run a sudo command.

This is an appliance. When you're logged into the web GUI, you are root. You can do literally whatever you want to the data that's on the server. Logging in via root over SSH is the same as connecting to the GUI...

I can't seem to understand why this is a difficult concept to grasp.
 
Glorious1

Glorious1

Guru
Joined
Nov 23, 2014
Messages
1,211
pirateghost said:
No. It's stupid to think that sudo is safer than root. . . .

I can't seem to understand why this is a difficult concept to grasp.
Click to expand...
Perhaps it's because the documentation seems to disagree with you, saying regarding SSH configuration:
For security reasons, root logins are discouraged and disabled by default - if enabled, password must be set for root user in View Users
Click to expand...
 
N

Nasarus

Cadet
Joined
Oct 4, 2016
Messages
6
My physical workstation is locked down and secured.
I am the only one with physical access to this room.
My workstation requires two-part login, one physical (thing I have) and one password (thing I know).
My home directory (which contains my keys) is encrypted so even if someone has access, they can't get my keys.
My workstation also times out on inactivity, so even if I walk away and the door doesn't close and lock behind me, they're still likely hosed.

When I log into the NAS as root I feel like I'm walking around with a loaded gun. Any mistyped command can be disastrous. It is dangerous.

On the other side of that coin, needing to remember and type in long, secure, memorable dice-ware style passwords for this (and a hundred other) logins is painful. Sure, I could use a password manager - which is effectively what using my secured keys are - but without the hassle of typing - no?

I want the ability to log (securely) in without a password and then sudo, without a password. That's what I have now :)

It's exactly how every single AWS server instance works as well btw. - this is not some obscure practice. It is as secure as your terminal is.

I guess this is just a matter of "to each his own" - my only issues is that I needed to overcome some intentionally-laid barriers to get there. It would be nice if there was a switch somewhere under the hood to remove this behaviour and permit what I have done without going through the trouble.

For example, best possible behaviour would be to permit NOPASSWD for this sudoer, thus permitting SMB logins (using a random and unknown password) but still sudo without PW and keys to login.

Anyway that's my story ;)

Comments and critiques are honestly welcome. I'm open to alternative workflows if they work for me and very eager to be wrong and thereby learn new things.

This seems like a very good community and I appreciate the opportunity to partake.
 
anodos

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Nasarus said:
My physical workstation is locked down and secured.
I am the only one with physical access to this room.
My workstation requires two-part login, one physical (thing I have) and one password (thing I know).
My home directory (which contains my keys) is encrypted so even if someone has access, they can't get my keys.
My workstation also times out on inactivity, so even if I walk away and the door doesn't close and lock behind me, they're still likely hosed.

When I log into the NAS as root I feel like I'm walking around with a loaded gun. Any mistyped command can be disastrous. It is dangerous.

On the other side of that coin, needing to remember and type in long, secure, memorable dice-ware style passwords for this (and a hundred other) logins is painful. Sure, I could use a password manager - which is effectively what using my secured keys are - but without the hassle of typing - no?

I want the ability to log (securely) in without a password and then sudo, without a password. That's what I have now :)

It's exactly how every single AWS server instance works as well btw. - this is not some obscure practice. It is as secure as your terminal is.

I guess this is just a matter of "to each his own" - my only issues is that I needed to overcome some intentionally-laid barriers to get there. It would be nice if there was a switch somewhere under the hood to remove this behaviour and permit what I have done without going through the trouble.

For example, best possible behaviour would be to permit NOPASSWD for this sudoer, thus permitting SMB logins (using a random and unknown password) but still sudo without PW and keys to login.

Anyway that's my story ;)

Comments and critiques are honestly welcome. I'm open to alternative workflows if they work for me and very eager to be wrong and thereby learn new things.

This seems like a very good community and I appreciate the opportunity to partake.
Click to expand...

I'm still a bit lost as to why anyone would need to use the CLI on freenas.

When I need to, I SSH in as root using key-based with and do what I need to do. If you feel squeamish about 'root' you probably don't mess around much with software appliances. :D
 
N

Nasarus

Cadet
Joined
Oct 4, 2016
Messages
6
I actually do this stuff for a living. It's pretty standard practice to never-ever log in as root when there is some alternative.

Sudo is your friend for exactly the reason I described. Think of a butcher with their knives - they carry around scabbards on their belts for the same reason: Put the tool away when you're not using it else cut yourself with it.

CLI is just super powerful and fast. Moving files around for example. I just reorganized my entire photo library using scripts I couldn't have accessed via GUI. Next I'll be setting up a VPN in a jail via CLI. It won't end there.

Again, this is really a to-each-his-own issue, I just wish the flexibility to permit it without hoop-jumping was in place instead of walling off those possibilities without a designed means for undoing it.

$0.02

p.s. Re Knives and walking around in root: imagine accidentally doing the following as ROOT as opposed to your own personal user:

chown -R myuser:mygroup /

instead of

chown -R myuser:mygroup .

(those keys are mighty close together... but the results are mighty different ;) )
 
Last edited:
pirateghost

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
A jail is different. Once you're jailed, you can use a user with sudo as you see fit. It doesn't use the same settings and accounts as FreeNAS.
 
I

i3luefire

Explorer
Joined
Jan 4, 2014
Messages
69
https://imgur.com/a/9F7wV
9F7wV
if all you want to do is prevent ssh logins with passwords you should set that via the ssh settings.
 
Status
Not open for further replies.

Similar threads

damian0815
  • Locked
[resolved] non-root user with passwordless login AND sudo
Replies
3
Views
3K
dlavigne
D
R
  • Locked
'sudo su' asks for password twice
Replies
13
Views
4K
fracai
fracai
G
root password login
Replies
2
Views
9K
gabsd
G
bigphil
  • Locked
Scripting login using password authentication
Replies
9
Views
4K
CMDR Sweeper
C
S
  • Locked
FreeNAS CIFS Share on Windows 7: Keeps Prompting for Credentials
Replies
10
Views
5K
Samword
S
Top