
doas: authentication failed on OPNsense (issue in doas, open, 10 comments)

vaygr commented on September 18, 2024
doas: authentication failed on OPNsense

from doas.

Comments (10)

slicer69 commented on September 18, 2024

doas does use PAM, but it doesn't require any specific file or module to be added. In fact my FreeBSD servers don't have /usr/local/etc/pam.d/ at all. Which makes me wonder if the PAM configuration on OPNsense is causing a failure here.


slicer69 commented on September 18, 2024

A couple of things spring to mind.

  1. Where is your doas.conf file located? On FreeBSD-based systems it should be /usr/local/etc/

  2. Is your user part of the wheel group?

  3. Do you get the authentication denied error before or after you attempt to put in your password?

  4. Have you tried any other configuration lines? Like "permit myuser as root", just to see if it's a group issue (or doas config issue) or if it's a problem for all rules in the doas.conf file?

  5. How did you install doas? Was it from source (if so from where) was it from ports, a package?


vaygr commented on September 18, 2024

1. Where is your doas.conf file located? On FreeBSD-based systems it should be /usr/local/etc/

It's there, otherwise doas would've complained: already checked that

2. Is your user part of the wheel group?

yes

3. Do you get the authentication denied error before or after you attempt to put in your password?

after + Enter

4. Have you tried any other configuration lines? Like "permit myuser as root", just to see if it's a group issue (or doas config issue) or if it's a problem for all rules in the doas.conf file?

yes, same authentication failed error

5. How did you install doas? Was it from source (if so from where) was it from ports, a package?

from the official FreeBSD ports tree via make install


slicer69 commented on September 18, 2024

Earlier you mentioned you created the file "/usr/local/etc/pam.d/doas", but this shouldn't be required. It should only be necessary on some Linux distros, like CentOS. On FreeBSD-based systems this shouldn't be required. I wonder if this file is short-circuiting the authentication. Maybe try removing it?


vaygr commented on September 18, 2024

Once I hit this problem, I added it as per the discussion in #31, because I noticed a sudo file under /usr/local/etc/pam.d. So I tried before without it with no success.

If I drop the sudo file, I get the authentication Password: error prompt from sudo, which made me think it should be similar with doas.

By the way if I remove /usr/local/etc/pam.d/doas, doas errors out much quicker after hitting Enter.

I don't work with FreeBSD often, so I'm definitely missing something in the authentication chain, but maybe you have an idea where to add some debug statements in the code to see where this issue is coming from.


vaygr commented on September 18, 2024

doas is clearly linked against PAM, and as I see from here the error sits under PAM_MAXTRIES case returned by pam_authenticate().


vaygr commented on September 18, 2024

The difference in the audit log is:

user <user> authenticated successfully for sudo [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]

vs

user <user> could not authenticate for doas. [using - + -]


vaygr commented on September 18, 2024

It's interesting, because the sudo port is in sync with upstream:

and the sudo PAM file is expected there.

When I was inspecting the PAM configs under /etc/pam.d I didn't find anything unusual, though I expect given its nature it could be more hardened. @fichtner ?


vaygr commented on September 18, 2024

ok, so I should've read https://docs.opnsense.org/development/components/authentication.html closer.

After adding doas to this list it started working (with /usr/local/etc/pam.d/doas in place):

user <user> authenticated successfully for doas [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]

I'm curious what would be the proper fix here: bypass pam_opnsense.so somehow or add doas to that list. I guess @fichtner could guide me there.

Thanks for your help @slicer69 with debugging this!

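The audit log lines quoted in the two comments above (the "[using - + -]" failure, and the success line once doas was added to the authentication list) are the fastest way to tell this misconfiguration apart from an ordinary wrong-password failure. The following is an added example, not code from the doas project or from OPNsense: it parses lines in that shape and flags a failure where no service class and no authenticator were selected, which is the symptom of a service that pam_opnsense.so does not know about. The log lines are constructed samples; the regex and the category names are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample lines in the shape of the OPNsense audit entries quoted in the thread.
SAMPLE_LOG = [
    r"user alice authenticated successfully for sudo [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]",
    r"user alice could not authenticate for doas. [using - + -]",
    r"user alice authenticated successfully for doas [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]",
    r"user bob could not authenticate for sudo. [using OPNsense\Auth\Services\System + OPNsense\Auth\Local]",
    "Sep 18 10:00:00 fw unrelated daemon line",  # non-audit noise, must be skipped
]

# Assumed pattern: "user <u> <outcome> for <service>[.] [using <service class> + <authenticator>]"
AUDIT_RE = re.compile(
    r"^user (?P<user>\S+) (?P<outcome>authenticated successfully|could not authenticate) "
    r"for (?P<service>[^\s.]+)\.? \[using (?P<service_class>.+?) \+ (?P<authenticator>.+?)\]$"
)


class AuthEvent(NamedTuple):
    user: str
    success: bool
    service: str
    service_class: str   # "-" when pam_opnsense found no service entry
    authenticator: str   # "-" when no backend was consulted at all


def parse_audit_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for an audit line, or None for lines that are not audit entries."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    return AuthEvent(m["user"], m["outcome"] == "authenticated successfully",
                     m["service"], m["service_class"], m["authenticator"])


def parse_audit_log(lines: List[str]) -> List[AuthEvent]:
    return [ev for ev in map(parse_audit_line, lines) if ev is not None]


def classify(event: AuthEvent) -> str:
    """Separate 'service not registered with OPNsense auth' from 'a backend rejected the login'."""
    if event.success:
        return "ok"
    if event.service_class == "-" and event.authenticator == "-":
        return "unregistered_service"   # fix: add the service to the OPNsense authentication list
    return "backend_rejected"           # a real backend ran and said no (credentials, policy, ...)


if __name__ == "__main__":
    for ev in parse_audit_log(SAMPLE_LOG):
        print(f"{ev.service:5s} {ev.user:6s} -> {classify(ev)}")
```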

slicer69 commented on September 18, 2024

You're welcome.

I'm guessing adding "doas" to the list of authentication programs, as mentioned in the above comment, is probably the most straightforward approach. It seems OPNsense is doing something here above what vanilla FreeBSD does, so maybe there should be a patch to help the OPNsense system recognize doas as an option?
