Bug #12346
closed
Deny SSH access for ``admin`` and ``root`` users when the ``admin`` GUI account is disabled
100%
Description
If the admin user is disabled in the webgui, that user can still log in via SSH if it's enabled, as long as they have either the admins group or the 'User - System: Shell account access' privilege.
Both of those are set by default.
This includes via SSH key if configured.
In this condition the admin user cannot log in to the webgui.
Other user accounts cannot log in via SSH when they are disabled.
The webgui does not display a warning if the admin credentials are still default if the account is disabled.
Tested:
2.5.2-rel
21.05.1-rel
21.09-BETA (arm) built on Tue Sep 07 01:12:17 EDT 2021 FreeBSD 12.2-STABLE
Updated by Jim Pingle over 3 years ago
- Status changed from New to In Progress
- Assignee set to Jim Pingle
I could swear there was already a redmine issue for this but I'm not seeing it now.
We can't actually completely disable admin as it's tied to root and disabling root would break things. That said, we could cut off ssh access at least.
In source:src/etc/sshd#L88 we set ``PermitRootLogin`` to ``yes`` unconditionally, but if we wrapped that in a check if the admin user was disabled and set it to ``no`` if admin is disabled, it should prevent both ``root`` and ``admin`` from hitting SSH without affecting console access or other functions.
Updated by Jim Pingle over 3 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset 5d0c974dd7e369cb551aacb5f4587e400141cb7a.
Updated by Jordan G over 3 years ago
tested on XG-7100 running 21.09.b.20210911.0100
was unable to ssh as admin following disabling admin from GUI user manager
Updated by Jim Pingle over 3 years ago
- Subject changed from Disabled admin user can still login via SSH to Deny SSH access for ``admin`` and ``root`` users when the ``admin`` GUI account is disabled
Updating subject for release notes
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01
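A check for the condition this issue describes, as an added example that is not part of the tracker thread or the pfSense source: it reads a configuration export and an sshd_config and flags the case where the admin account is disabled but the global ``PermitRootLogin`` is not ``no``. The config layout (a `<disabled>` element under the admin `<user>`), the function names and both sample inputs are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples (assumed layout, not taken from a real system).
CONFIG_DISABLED = """<pfsense><system>
  <user><name>admin</name><uid>0</uid><disabled></disabled></user>
  <user><name>alice</name><uid>2000</uid></user>
</system></pfsense>"""
CONFIG_ENABLED = CONFIG_DISABLED.replace("<disabled></disabled>", "")
SSHD_BEFORE_FIX = "Port 22\nPermitRootLogin yes\n"
SSHD_AFTER_FIX = "Port 22\nPermitRootLogin no\n"

def admin_disabled(config_xml):
    """True if the user named 'admin' carries a <disabled> element."""
    for user in ET.fromstring(config_xml).iter("user"):
        if user.findtext("name") == "admin":
            return user.find("disabled") is not None
    return False

def permit_root_login(sshd_config):
    """Global PermitRootLogin value. sshd keeps the first value it reads,
    so later duplicates are ignored. Match blocks are out of scope here:
    scanning stops at the first one. Returns 'unset' if not found."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = line.replace("=", " ", 1).split()
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()
    return "unset"

def audit(config_xml, sshd_config):
    """Report FAIL when admin is disabled but root SSH login is not denied.
    An unset keyword is treated as a failure because the built-in default
    depends on the sshd build."""
    disabled = admin_disabled(config_xml)
    value = permit_root_login(sshd_config)
    if disabled and value != "no":
        return f"FAIL: admin is disabled but PermitRootLogin is {value}"
    return f"OK: admin disabled={disabled}, PermitRootLogin={value}"

if __name__ == "__main__":
    print(audit(CONFIG_DISABLED, SSHD_BEFORE_FIX))
    print(audit(CONFIG_DISABLED, SSHD_AFTER_FIX))
```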