Using OPNsense as jumphost for non-admin users no longer works · Issue #8721 · opnsense/core · GitHub
Using OPNsense as jumphost for non-admin users no longer works #8721


Closed
2 tasks done
davidolrik opened this issue May 25, 2025 · 6 comments
Labels
cleanup Low impact changes

Comments

@davidolrik

Describe the bug

Non-admin users with /usr/sbin/nologin as shell can no longer use OPNsense as an ssh jumphost, as group memberships are no longer synced to the unix groups.
Admin users are always in the wheel group, so they can still use OPNsense as an ssh jumphost.

To Reproduce

  1. Create an additional user group called ssh
  2. Go to "System->Settings->Administration->Secure shell->Login group" and select wheel, ssh in the dropdown
  3. Create a non-admin user with /usr/sbin/nologin as shell
  4. Put new user in ssh group
  5. ssh as admin to the firewall, do id <non-admin-user>, notice user is not in the ssh group
  6. Try to ssh to a host on the internal network as the non-admin-user using the firewall as jumphost, notice the permission denied error
  7. Work-around: sudo pw group mod ssh -m <non-admin-user>, try ssh to a host on the internal network, notice it works

Expected behavior

When adding users to a group in the UI it should be mirrored in the unix groups, so tools like ssh can pick up on it.

Describe alternatives you considered

Can't think of any alternatives, only work-arounds or setting up a secondary jumphost on the internal network and port forwarding to it.

Environment

OPNsense 25.1.7_4-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16
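The check in steps 5 and 6 boils down to one question: is the user's primary or supplementary unix group one of the groups sshd will accept? The script below is an added example, not code from the issue or from the OPNsense project. It assumes that the "Login group" setting is rendered as an sshd AllowGroups line (an assumption about OPNsense's template, not stated in the thread), and it evaluates that check offline against constructed passwd and group records, showing the "before" state from step 5 and the state after the `pw group mod` workaround from step 7. On a real firewall the same information comes from `id <user>`.

```sh
#!/bin/sh
# Added example, not part of the OPNsense project or of the issue report.
# Evaluates the sshd AllowGroups rule the way sshd does: a user passes if the
# primary group (gid from passwd) or any supplementary group (group file
# member list) appears in the AllowGroups list.
# ASSUMPTION: OPNsense writes its "Login group" selection as an AllowGroups
# line in sshd_config; the records below are constructed, not real data.

# Constructed /etc/group content: group:password:gid:members
SAMPLE_GROUP='wheel:*:0:root,admin
ssh:*:2001:
alice:*:1001:
jumpers:*:2002:alice'

# Constructed /etc/group content after the workaround from step 7,
# i.e. the effect of: sudo pw group mod ssh -m alice
SAMPLE_GROUP_AFTER='wheel:*:0:root,admin
ssh:*:2001:alice
alice:*:1001:
jumpers:*:2002:alice'

# Constructed /etc/passwd content: user:password:uid:gid:gecos:home:shell
# alice is the non-admin user with the nologin shell from step 3.
SAMPLE_PASSWD='root:*:0:0:root:/root:/bin/csh
admin:*:1000:0:admin:/home/admin:/bin/sh
alice:*:1001:1001:alice:/home/alice:/usr/sbin/nologin'

# groups_of USER GROUPDB PASSWDDB
# Prints every group name the user belongs to, one per line, in group-file
# order: the primary group (matched by gid) plus supplementary memberships.
groups_of() {
  user=$1; groupdb=$2; passwddb=$3
  gid=$(printf '%s\n' "$passwddb" | awk -F: -v u="$user" '$1==u {print $4}')
  printf '%s\n' "$groupdb" | awk -F: -v u="$user" -v g="$gid" '
    $3==g { print $1; next }
    {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# ssh_group_allowed USER "ALLOWGROUPS" GROUPDB PASSWDDB
# Returns 0 when at least one of the user's groups is in the space-separated
# AllowGroups list, 1 otherwise (sshd answers "Permission denied" in that case,
# for an interactive login and for a -J/ProxyJump hop alike).
ssh_group_allowed() {
  user=$1; allow=$2; groupdb=$3; passwddb=$4
  for g in $(groups_of "$user" "$groupdb" "$passwddb"); do
    for a in $allow; do
      [ "$g" = "$a" ] && return 0
    done
  done
  return 1
}

# Worked run mirroring steps 5 to 7: "wheel ssh" is the Login group selection.
for db in "$SAMPLE_GROUP" "$SAMPLE_GROUP_AFTER"; do
  if ssh_group_allowed alice "wheel ssh" "$db" "$SAMPLE_PASSWD"; then
    echo "alice: allowed (in an AllowGroups group)"
  else
    echo "alice: denied (groups: $(groups_of alice "$db" "$SAMPLE_PASSWD" | tr '\n' ' '))"
  fi
done
```

The first iteration is the step 5 state: the UI put alice in the ssh group, but the unix group file never received her, so `ssh -J alice@firewall internal-host` is refused before any shell question arises. The second iteration shows that adding her to the unix group is all sshd needs, which is why the issue argues a nologin shell is no obstacle to the jumphost use case.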

@fichtner
Member

Internal and external audits always complained about non-admin users allowing shell access, even if this is a configuration mistake and is obviously never set by default. Only admins are allowed unix users including shell access, therefore.

@fichtner fichtner added the support Community support label May 25, 2025
@davidolrik
Author

Even with shell /usr/sbin/nologin?

This effectively means only admins can use OPNsense as a jumphost, which might push people to make everyone an admin, which I think is way worse.

@fichtner
Member

If the user doesn’t have a shell it makes no sense to offer the user to the Unix system.

I think you are arguing from your use case perspective, which is fine. The bigger picture is clearer: you own making your users admins, or find a better way to your original use case.

@davidolrik
Author

It makes perfect sense, as you can still use the ssh daemon for jumping to a host on the internal network - no shell needed.

But if this is the stance of the project, then the option in "System->Settings->Administration->Secure shell->Login group" should be removed, as it makes no sense to add an additional login group when wheel can't be removed and the additional one is not added to any user, not even the admins.

@AdSchellevis
Member

removing the login group might be an option indeed, I don't think there's a use for it anymore. As @fichtner mentioned, for compliance reasons we removed the shell option for non admin users quite some time ago (a0581ae)

@davidolrik
Author

Definitely remove it - it is confusing to have there - it suggests that the behaviour I'm looking for is still supported.

I'll spin up a separate jump host for each OPNsense install I have, as I don't want everyone with jump host privileges to be a firewall admin.

AdSchellevis added a commit that referenced this issue May 25, 2025
@AdSchellevis AdSchellevis self-assigned this May 25, 2025
@AdSchellevis AdSchellevis added cleanup Low impact changes and removed support Community support labels May 25, 2025