SOLVED Disabling GUI Log in as root

[keithfrank]

I am running TrueNAS Scale 22.12.2
I must have made an error during my install since my root user can in fact still login to the GUI.
I know that BlueFin recommends that roor be disabled from logging in to the GUI.
I have created an admin(not called admi) user with all the correct privileges to login to the GUI.
Is there a way and is it recommended to somehow disable the root user from logging in through the GUI at this point and how would I go about doing that correctly?
Thank you for any help in advance.

 

[artlessknave]

I do not believe this has been implemented. they are recommending it because they plan to move in that direction.
I don't think you can, or there is any recommendation to, disable root at this time.

 

[morganL]

The root user can login via webUI.

We just recommend the normal process to be login as an admin..... is there somewhere this is written differently?

 

[keithfrank]

I must be misunderstanding the process that I found here https://www.truenas.com/community/threads/disabling-gui-log-in-as-root.109699/ where it says "To improve system security after the local administrator account is created, disable the root account password so that root access to the system is restricted.

 

[morganL]

I must be misunderstanding the process that I found here https://www.truenas.com/community/threads/disabling-gui-log-in-as-root.109699/ where it says "To improve system security after the local administrator account is created, disable the root account password so that root access to the system is restricted.

This link is referring back to this thread???

 

[keithfrank]

oops... sorry. Here is the proper link: https://www.truenas.com/docs/scale/scaletutorials/credentials/rootlesslogin/

 

[morganL]

I haven't tried it, but I would have thought it is in "edit users"

Local Users Screens

Provides information on the Users screens and settings and information on settings for the TrueNAS SCALE Shell screen.

www.truenas.com

 

[artlessknave]

if we are just talking about disabling the password for the root account, that can be done in the user account settings (any user, really)
I don't have it in front of me right now, but I think there is both a checkbox to disable the password, and the option to select /nologin for the shell.
both would prevent root from doing..anything really.

you can also go into the SSH settings and block root from SSH login, or at least from password only root login. this would allow using ssh keys.
this is what I have set currently.

there is no official process for it, because it's not being done yet. being able to use a non root account to login to the webUI is, itself, quite new, and that message is more about letting us all know that multi user webUI is finally, finally, FINALLY on the way.

I think it's causing more angst than is really needed though. "ermagerd you gonna get HACKED if you don't do this ONE trick!"

 

[artlessknave]

looks like you can just hit lock user. it says it cant be used with disable password. either would do it. one would prevent the account from doing anything, while the other would just prevent using the password to log in.

 

[keithfrank]

SOLVED!
Thanks @artlessknave! went to credentials -> root -> edit and used the toggle switch under "Edit User" to "Disable Password".
Worked like a charm. root can no longer log into the GUI but my admin user still can.

 

[2twisty]

Can you still 'su root' in the shell?

 

[keithfrank]

Can you still 'su root' in the shell?

No but you can "sudo su" which will bring you to "root@truenas"