From 2fc86a72bfea6eba98e8e0c51f6b4e2bff736d79 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Sat, 27 Jan 2018 13:38:35 +0000 Subject: [PATCH] openssh: do not allow sftp login for non-admins Also suggested by @fabianfrz. Not perfect yet as we seem to mix wheel with access and either need to lock down shell access along with it or somehow tag along the shell privilege. Small race in the group setting on the user page. PR: https://forum.opnsense.org/index.php?topic=6994.0 --- src/etc/inc/plugins.inc.d/openssh.inc | 3 ++- src/www/system_usermanager.php | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/etc/inc/plugins.inc.d/openssh.inc b/src/etc/inc/plugins.inc.d/openssh.inc index a21fa2319..2f00edcc3 100644 --- a/src/etc/inc/plugins.inc.d/openssh.inc +++ b/src/etc/inc/plugins.inc.d/openssh.inc @@ -157,7 +157,8 @@ function openssh_configure_do($verbose = false, $interface = '') $sshconf .= "UseDNS no\n"; $sshconf .= "X11Forwarding no\n"; $sshconf .= "PubkeyAuthentication yes\n"; - $sshconf .= "Subsystem\tsftp\tinternal-sftp\n"; + $sshconf .= "Subsystem sftp internal-sftp\n"; + $sshconf .= "AllowGroups wheel\n"; if (isset($sshcfg['permitrootlogin'])) { $sshconf .= "PermitRootLogin yes\n"; } else { diff --git a/src/www/system_usermanager.php b/src/www/system_usermanager.php index 32eb5d5bd..5824e41d4 100644 --- a/src/www/system_usermanager.php +++ b/src/www/system_usermanager.php @@ -361,8 +361,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $a_user[] = $userent; } - local_user_set($userent); local_user_set_groups($userent, $pconfig['groups']); + local_user_set($userent); write_config(); if (!empty($pconfig['chkNewCert'])) {