Bug #12346
closed
Deny SSH access for ``admin`` and ``root`` users when the ``admin`` GUI account is disabled
Added by Steve Wheeler about 3 years ago.
Updated almost 3 years ago.
Plus Target Version: 22.01
Affected Architecture: All
Description
If the admin user is disabled in the webgui, that user can still log in via SSH, if it's enabled, as long as they have either the admins group or the 'User - System: Shell account access' privilege.
Both of those are set by default.
This includes via SSH key if configured.
In this condition the admin user cannot log in to the webgui.
Other user accounts cannot log in via SSH when they are disabled.
The webgui does not display a warning if the admin credentials are still default if the account is disabled.
Tested:
2.5.2-rel
21.05.1-rel
21.09-BETA (arm)
built on Tue Sep 07 01:12:17 EDT 2021
FreeBSD 12.2-STABLE
- Status changed from New to In Progress
- Assignee set to Jim Pingle
I could swear there was already a redmine issue for this but I'm not seeing it now.
We can't actually completely disable admin as it's tied to root and disabling root would break things. That said, we could cut off ssh access at least.
In source:src/etc/sshd#L88 we set ``PermitRootLogin`` to ``yes`` unconditionally, but if we wrapped that in a check if the admin user was disabled and set it to ``no`` if admin is disabled, it should prevent both ``root`` and ``admin`` from hitting SSH without affecting console access or other functions.
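An audit check for the condition discussed in this issue, as an added example (not pfSense code and not written by anyone on this issue): it compares the ``admin`` account state with the global ``PermitRootLogin`` value in an sshd_config. The ``<system><user>`` layout with an empty ``<disabled/>`` element is an assumption about config.xml, and both sample inputs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs. The <system><user> layout with an empty
# <disabled/> element is an assumption about config.xml, not from the page.
SAMPLE_CONFIG_XML = """<pfsense><system>
  <user><name>admin</name><disabled/><uid>0</uid></user>
  <user><name>alice</name><uid>2000</uid></user>
</system></pfsense>"""

SAMPLE_SSHD_CONFIG = """# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""


def admin_disabled(config_xml):
    """True if the user named 'admin' carries a <disabled/> element."""
    root = ET.fromstring(config_xml)
    for user in root.iterfind("./system/user"):
        if user.findtext("name") == "admin":
            return user.find("disabled") is not None
    return False


def global_permit_root_login(sshd_config):
    """Return the global PermitRootLogin value, or None if it is not set.

    sshd keeps the first value it obtains for a keyword, and everything
    after the first Match line is conditional, so scanning stops there.
    """
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split()
        key = parts[0].lower()
        if key == "match":
            return None
        if key == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()
    return None


def audit(config_xml, sshd_config):
    """Return a finding when root SSH login outlives a disabled admin."""
    value = global_permit_root_login(sshd_config)
    # Only an explicit "no" also blocks key-based root logins.
    if admin_disabled(config_xml) and value != "no":
        return f"admin disabled but PermitRootLogin={value or 'unset'}"
    return None
```
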
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
tested on XG-7100 running 21.09.b.20210911.0100
was unable to ssh as admin following disabling admin from GUI user manager
- Status changed from Feedback to Closed
- Subject changed from Disabled admin user can still login via SSH to Deny SSH access for ``admin`` and ``root`` users when the ``admin`` GUI account is disabled
Updating subject for release notes
- Plus Target Version changed from 21.09 to 22.01
- Private changed from Yes to No