System/Access/Servers - add compliance option and some cleanups. closes https://github.com/opnsense/docs/issues/514

pull/517/head
Ad Schellevis 6 months ago
parent 467f9585e0
commit 8a48dce6da

@ -5,7 +5,7 @@ Users & Groups
.. image:: images/usermanager_groups.png
:width: 100%
With the local user manager of OPNsense one can add users and groups and define
With the local user manager in OPNsense one can add users and groups and define
the privileges for granting access to certain parts of the GUI (Web Configurator).
Adding Users
@ -13,19 +13,28 @@ Adding Users
To add a new user go to :menuselection:`System --> Access --> Users` and click on the **+** sign at
the bottom right corner of the form.
========================== =========== =========================================================
**Disabled** Unchecked *Can be used to (temporarily) disable an account*
**Username** John *A unique username*
**Password** secret *A strong password*
**Login shell** /bin/csh *The shell to use when logging in via the console.*
**Full name** John Doe *Optional, Full username*
**Expiration date** *Optional, if account should expire enter as mm/dd/yyy*
**Group Membership** *Optional, select one or more groups*
**Certificate** *Optional, check if a user certificate should be created*
**OTP seed** *Optional, enter or generate a OTP seed (base32)*
**Authorized keys** *Optional, paste ssh key for ssh console access*
**IPsec Pre-Shared Key** *Optional, IPsec PSK*
========================== =========== =========================================================
==================================================================================================
=========================== ============ =========================================================
**Disabled** Unchecked *Can be used to (temporarily) disable an account*
**Username** John *A unique username*
**Password** secret *A strong password*
**Full name** John Doe *Optional, Full username, for reference only*
**E-Mail** a@b.com *Optional, users email, for reference only*
**Comment** *Optional, comment field, for reference only*
**Preferred landing page** ui/page *Optional, landing page to visit after login*
**Login shell** /bin/csh *The shell to use when logging in via the console.*
**Expiration date** *Optional, if account should expire enter as mm/dd/yyy*
**Group Membership** *Optional, select one or more groups*
**Effective Privileges** *Optional, additional grants for this user,*
*usually these are being handled via a group*
**User Certificates** *Optional, check if a user certificate should be created*
**API keys** *Optional, when planning to use the API from*
*another application, create keys for this user*
**OTP seed** *Optional, enter or generate a OTP seed (base32)*
**Authorized keys** *Optional, paste ssh key for ssh console access*
=========================== ============ =========================================================
Creating Groups
---------------
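Review bot: the **Expiration date** row of the new table still carries the `mm/dd/yyy` typo from the table it replaces; it should read `mm/dd/yyyy`. In the same table, the **OTP seed** description should say "an OTP seed" rather than "a OTP seed", and "Optional, Full username, for reference only" in the **Full name** row would read better as "Optional, full name, for reference only". Also note that the old table's **IPsec Pre-Shared Key** row has no counterpart in the new one; if the field is still present on the form it should keep a row, and if it was moved or removed a short pointer to where it lives now would help readers of the old page.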
@ -34,3 +43,4 @@ corner of the form.
Enter a **Group name** and a **Description** and add users to the group.
When users should access resources on this firewall via a group, connect the relevant ones via **Assigned Privileges**.
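Review bot: the added sentence "When users should access resources on this firewall via a group, connect the relevant ones via **Assigned Privileges**." is hard to parse ("connect the relevant ones" has no clear referent). Suggest: "To grant group members access to parts of the firewall, assign the relevant privileges to the group under **Assigned Privileges**." It would also help to say that privileges granted through a group are additive to any **Effective Privileges** set on the user, since both fields are now documented on this page.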

@ -22,7 +22,7 @@ authentication. These services include:
Integrated into OPNsense are the **Local User Database** and **Voucher Server**.
The Voucher Server is intended to be used with the Captive portal.
External service currently supported are:
External services currently supported are:
* LDAP (OpenLDAP, MS Active Directory, Novell eDirectory)
* Radius
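Review bot: while touching this list, the bullet "Radius" should be spelled "RADIUS", matching the acronym style used for "LDAP" and "MS Active Directory" on the adjacent lines.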
@ -31,10 +31,16 @@ Authorization
-------------
Besides authenticating, user authorization to access parts of the configuration
can also be setup with an external server, but in order to grant the appropriate
privileges to the users they need to be imported in OPNsense's local user manager.
privileges to the users they need to exist in OPNsense's local user manager.
This way one can validate a user against its externally stored password and have
a fine grained control over the configuration pages that user may access.
.. Note::
As local users are local (bsd) system users, their naming scheme matches FreeBSD's in terms of length (33 characters)
and reserved characters.
Users, Groups & Privileges
--------------------------
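Review bot: the new note's length figure needs a qualifier. "their naming scheme matches FreeBSD's in terms of length (33 characters)" reads as a 33-character usable limit, but FreeBSD's `MAXLOGNAME` is 33 including the terminating NUL, so the longest login name that fits is 32 characters; the note should state which of the two it means. Minor style in the same hunk: "(bsd)" should be "(BSD)", and "can also be setup with an external server" should be "set up".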
@ -63,12 +69,24 @@ local user accounts by setting password length and complexity constraints.
An overview of available settings:
===================================== ============================================================================================
===================================== =============================================================================================================
**Policy** Enable password policy constraints.
**Duration** [Policy] Password duration, optionally define how often the user should change his or her password.
**Length** [Policy] Minimum password length to require.
**Complexity** [Policy] Enforce password complexity checks.
===================================== ============================================================================================
**Compliance** [Policy] Require SHA-512 password hashing instead of Blowfish
===================================== =============================================================================================================
.. Tip::
When using One Time Passwords in combination with the local database, the same policy constraints apply as configured in "Local Database".
.. Note::
Our default Blowfish is not part of AES and is not considered compliant with any Federal Information Processing Standards (FIPS).
Although more secure than SHA-512, its use may not be permitted in some environments.
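Review bot: the added Note is misleading as written. "Our default Blowfish is not part of AES" mixes up two unrelated things: Blowfish is a block cipher, AES is a different cipher, and neither statement explains the compliance issue. The point the row is making is that the default password hash is bcrypt (the Blowfish-based crypt(3) scheme) and bcrypt is not a FIPS-approved algorithm, whereas SHA-512 is. Suggest: "The default password hashing scheme (bcrypt, based on Blowfish) is not a FIPS-approved algorithm; enable **Compliance** to use SHA-512 hashing where this is required." The comparison "Although more secure than SHA-512" should also say what is being compared (cost of brute-forcing a stolen hash, not the strength of the underlying primitive) or be dropped. Finally, the **Compliance** row does not say what happens to existing accounts when the option is switched on: whether stored bcrypt hashes are re-hashed at the user's next successful login or passwords must be reset, and whether the setting is enforced for the user manager only or also for the console/ssh password. Readers enabling this for an audit will need that.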
