2018-01-30 10:40:13 +00:00
|
|
|
=======================
|
|
|
|
Creating Users & Groups
|
|
|
|
=======================
|
|
|
|
|
|
|
|
.. image:: images/usermanager_groups.png
|
2018-07-31 14:51:11 +00:00
|
|
|
:width: 100%
|
2018-01-30 10:40:13 +00:00
|
|
|
|
|
|
|
With the local user manager of OPNsense one can add users and groups and define
|
|
|
|
the privileges for granting access to certain parts of the GUI (Web Configurator).
|
|
|
|
|
|
|
|
Adding Users
|
|
|
|
------------
|
2019-03-06 17:27:21 +00:00
|
|
|
To add a new user go to :menuselection:`System --> Access --> Users` and click on the **+** sign at
|
2018-01-30 10:40:13 +00:00
|
|
|
the bottom right corner of the form.
|
|
|
|
|
|
|
|
========================== =========== =========================================================
|
|
|
|
**Disabled** Unchecked *Can be used to (temporarily) disable an account*
|
|
|
|
**Username** John *A unique username*
|
|
|
|
**Password** secret *A strong password*
|
|
|
|
**Full name** John Doe *Optional, Full username*
|
2019-02-18 15:10:43 +00:00
|
|
|
**Login shell** *The shell to use when logging in via the console.*
|
2018-01-30 10:40:13 +00:00
|
|
|
**Expiration date** *Optional, if account should expire enter as mm/dd/yyy*
|
|
|
|
**Group Membership** *Optional, select one or more groups*
|
|
|
|
**Certificate** *Optional, check if a user certificate should be created*
|
|
|
|
**OTP seed** *Optional, enter or generate a OTP seed (base32)*
|
|
|
|
**Authorized keys** *Optional, paste ssh key for ssh console access*
|
|
|
|
**IPsec Pre-Shared Key** *Optional, IPsec PSK*
|
|
|
|
========================== =========== =========================================================
|
|
|
|
|
|
|
|
Creating Groups
|
|
|
|
---------------
|
2019-03-06 17:27:21 +00:00
|
|
|
Go to :menuselection:`System --> Access --> Groups` and click on the **+** sign in the lower right
|
2018-01-30 10:40:13 +00:00
|
|
|
corner of the form.
|
|
|
|
|
2019-02-18 15:10:43 +00:00
|
|
|
Enter a **Group name** and a **Description** and add users to the group.
|
2018-01-30 10:40:13 +00:00
|
|
|
|
|
|
|
Add privileges to a group
|
|
|
|
-------------------------
|
|
|
|
After creating a group the privileges can be added by editing the group.
|
2019-03-06 17:27:21 +00:00
|
|
|
Go to :menuselection:`System --> Access --> Groups` and click on the edit symbol (pencil) right next
|
2018-01-30 10:40:13 +00:00
|
|
|
to the group you like to change.
|
|
|
|
|
2019-02-18 15:10:43 +00:00
|
|
|
To assign privileges, just click on the pencil icon on the right of **Assigned Privileges**.
|
|
|
|
A form will be shown where each page can be either selected or deselected.
|
2018-01-30 10:40:13 +00:00
|
|
|
|
|
|
|
The search bottom at the top of this form can be used to quickly find the right
|
|
|
|
page.
|
|
|
|
|
|
|
|
.. image:: images/user_privileges.png
|
2018-07-31 14:51:11 +00:00
|
|
|
:width: 100%
|
2018-01-30 10:40:13 +00:00
|
|
|
|
|
|
|
After making the right selection click on **Save** to store the new settings.
|
2019-02-18 15:10:43 +00:00
|
|
|
|
2019-03-15 13:45:20 +00:00
|
|
|
.. _SSH and console login:
|
|
|
|
|
2019-02-18 15:10:43 +00:00
|
|
|
SSH and console login
|
|
|
|
---------------------
|
|
|
|
|
|
|
|
User accounts can be used for logging in to the web frontend, as well as for logging in to the console (via VGA,
|
|
|
|
serial or SSH). The latter will only work if the user's shell is not set to ``/sbin/nologin`` and if group the user is
|
|
|
|
part of is allowed SSH access.
|
|
|
|
|
2019-03-06 17:27:21 +00:00
|
|
|
In order to access OPNsense via SSH, SSH access will need to be configured via :menuselection:`System --> Settings --> Administration`.
|
2019-02-18 15:10:43 +00:00
|
|
|
Under the "Secure Shell" heading, the following options are available:
|
|
|
|
|
|
|
|
============================ ==========================================================================
|
|
|
|
**Enable secure shell** Global on/off switch.
|
|
|
|
**Login Group** Which user groups can access OPNsense via SSH.
|
|
|
|
**Permit root user login** Normally, only non-root accounts are allowed for security reasons.
|
|
|
|
This option enables root login.
|
|
|
|
**Permit password login** The recommended login method is using SSH keys as it's more secure,
|
|
|
|
but this option will also enable password logins.
|
|
|
|
**SSH Port** Defaults to 22, but can be changed to make port scanning less effective.
|
|
|
|
**Listen interfaces** By default, SSH listens on all interfaces. You can limit this
|
|
|
|
(to just the LAN, for example) for additional security
|
|
|
|
at the cost of availability.
|
|
|
|
============================ ==========================================================================
|
|
|
|
|