Comments (10)
doas does use PAM, but it doesn't require any specific file or module to be added. In fact, my FreeBSD servers don't have /usr/local/etc/pam.d/ at all, which makes me wonder if the PAM configuration on OPNsense is causing a failure here.

A couple of things spring to mind.
- Where is your doas.conf file located? On FreeBSD-based systems it should be /usr/local/etc/
- Is your user part of the wheel group?
- Do you get the authentication denied error before or after you attempt to put in your password?
- Have you tried any other configuration lines? Like "permit myuser as root", just to see if it's a group issue (or doas config issue) or if it's a problem for all rules in the doas.conf file?
- How did you install doas? Was it from source (if so, from where), from ports, or a package?

1. Where is your doas.conf file located? On FreeBSD-based systems it should be /usr/local/etc/
It's there, otherwise doas would've complained: already checked that.
2. Is your user part of the wheel group?
Yes.
3. Do you get the authentication denied error before or after you attempt to put in your password?
After + Enter.
4. Have you tried any other configuration lines? Like "permit myuser as root", just to see if it's a group issue (or doas config issue) or if it's a problem for all rules in the doas.conf file?
Yes, same "authentication failed" error.
5. How did you install doas? Was it from source (if so from where) was it from ports, a package?
From the official FreeBSD ports tree via make install.

Earlier you mentioned you created the file "/usr/local/etc/pam.d/doas", but this shouldn't be required. It should only be necessary on some Linux distros, like CentOS. On FreeBSD-based systems this shouldn't be required. I wonder if this file is short-circuiting the authentication. Maybe try removing it?

Once I hit this problem, I added it as per discussion in #31, because I noticed a sudo file under /usr/local/etc/pam.d. So I tried before without it with no success.
If I drop the sudo file, I get the authentication "Password:" error prompt from sudo, which made me think it should be similar with doas.
By the way, if I remove /usr/local/etc/pam.d/doas, doas errors out much quicker after hitting Enter.
I don't work with FreeBSD often, so I'm definitely missing something in the authentication chain, but maybe you have an idea where to add some debug statements in the code to see where this issue is coming from.

doas is clearly linked against PAM, and as I see from here the error sits under the PAM_MAXTRIES case returned by pam_authenticate().

The difference in the audit log is:
user <user> authenticated successfully for sudo [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]
vs
user <user> could not authenticate for doas. [using - + -]

It's interesting, because the sudo port is in sync with upstream:
- https://github.com/opnsense/ports/tree/master/security/sudo
- https://github.com/freebsd/freebsd-ports/tree/main/security/sudo
and the sudo PAM file is expected there.
When I was inspecting PAM configs under /etc/pam.d I didn't find anything unusual, though I expect given its nature it could be more hardened. @fichtner ?

ok, so I should've read https://docs.opnsense.org/development/components/authentication.html closer.
After adding doas to this list it started working (with /usr/local/etc/pam.d/doas in place):
user <user> authenticated successfully for doas [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]
I'm curious what would be the proper fix here: bypass pam_opnsense.so somehow or add doas to that list. I guess @fichtner could guide me there.
Thanks for your help @slicer69 with debugging this!
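The three audit entries quoted in this thread (sudo succeeding, doas failing with "[using - + -]", then doas succeeding once it was added to the OPNsense authentication list) differ only in the bracketed field. As an added example that is not part of the issue thread or of either project's code, this parser reads lines in that shape and separates failures where no OPNsense service or backend appears at all (the unmapped-service case seen here) from failures a backend actually rejected; reading "- + -" as "no backend consulted" is my inference from the thread, and the sshd line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample modelled on the three audit entries quoted in the thread ('<user>' kept
# as written). The sshd line is an added assumption: a failure where a backend did run.
SAMPLE_LOG_LINES = [
    r"user <user> authenticated successfully for sudo [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]",
    r"user <user> could not authenticate for doas. [using - + -]",
    r"user <user> authenticated successfully for doas [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]",
    r"user <user> could not authenticate for sshd [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]",
]

# user <name> <outcome> for <pam service>[.] [using <auth service> + <backend>]
_AUDIT_RE = re.compile(
    r"^user (?P<user>\S+) (?P<outcome>authenticated successfully|could not authenticate) "
    r"for (?P<service>[^\s.\[]+)\.? \[using (?P<auth_service>\S+) \+ (?P<backend>\S+)\]$"
)

@dataclass(frozen=True)
class AuditEvent:
    user: str
    service: str       # PAM service name, e.g. sudo or doas
    success: bool
    auth_service: str  # OPNsense auth service class, or '-' if none was consulted
    backend: str       # OPNsense auth backend, or '-' if none was consulted

    @property
    def verdict(self) -> str:
        if self.success:
            return "ok"
        if self.auth_service == "-" and self.backend == "-":
            # Nothing on the OPNsense side handled the request: the PAM service is not mapped.
            return "unknown-service"
        return "rejected-by-backend"  # a backend ran and refused the credentials

def parse_line(line: str) -> Optional[AuditEvent]:
    m = _AUDIT_RE.match(line.strip())
    if m is None:
        return None  # any line not in the audit format is ignored
    return AuditEvent(m["user"], m["service"], m["outcome"].startswith("authenticated"),
                      m["auth_service"], m["backend"])

def triage(lines: Iterable[str]) -> dict:
    """Group PAM service names by verdict; 'unknown-service' is the doas symptom from the thread."""
    grouped: dict = {}
    for ev in filter(None, map(parse_line, lines)):
        grouped.setdefault(ev.verdict, []).append(ev.service)
    return grouped
```

A service that only ever shows up under "unknown-service" is the one to check against the OPNsense authentication list before looking at credentials or the pam.d file.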
You're welcome.
I'm guessing adding "doas" to the list of authentication programs, as mentioned in the above comment, is probably the most straightforward approach. It seems OPNsense is doing something here above what vanilla FreeBSD does, so maybe there should be a patch to help the OPNsense system recognize doas as an option?