From 8a48dce6da7fd1427ca863ce1b9bd5ee595e08a1 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Wed, 8 Nov 2023 15:08:24 +0100 Subject: [PATCH] System/Access/Servers - add compliance option and some cleanups. closes https://github.com/opnsense/docs/issues/514 --- source/manual/how-tos/user-local.rst | 38 ++++++++++++++++++---------- source/manual/users.rst | 26 ++++++++++++++++--- 2 files changed, 46 insertions(+), 18 deletions(-) diff --git a/source/manual/how-tos/user-local.rst b/source/manual/how-tos/user-local.rst index 92d600dd..7ef52b7c 100644 --- a/source/manual/how-tos/user-local.rst +++ b/source/manual/how-tos/user-local.rst @@ -5,7 +5,7 @@ Users & Groups .. image:: images/usermanager_groups.png :width: 100% -With the local user manager of OPNsense one can add users and groups and define +With the local user manager in OPNsense one can add users and groups and define the privileges for granting access to certain parts of the GUI (Web Configurator). Adding Users 
@@ -13,19 +13,28 @@ Adding Users To add a new user go to :menuselection:`System --> Access --> Users` and click on the **+** sign at the bottom right corner of the form. -========================== =========== ========================================================= - **Disabled** Unchecked *Can be used to (temporarily) disable an account* - **Username** John *A unique username* - **Password** secret *A strong password* - **Login shell** /bin/csh *The shell to use when logging in via the console.* - **Full name** John Doe *Optional, Full username* - **Expiration date** *Optional, if account should expire enter as mm/dd/yyy* - **Group Membership** *Optional, select one or more groups* - **Certificate** *Optional, check if a user certificate should be created* - **OTP seed** *Optional, enter or generate a OTP seed (base32)* - **Authorized keys** *Optional, paste ssh key for ssh console access* - **IPsec Pre-Shared Key** *Optional, IPsec PSK* -========================== =========== ========================================================= +================================================================================================== + +=========================== ============ ========================================================= +**Disabled** Unchecked *Can be used to (temporarily) disable an account* +**Username** John *A unique username* +**Password** secret *A strong password* +**Full name** John Doe *Optional, Full username, for reference only* +**E-Mail** a@b.com *Optional, users email, for reference only* +**Comment** *Optional, comment field, for reference only* +**Preferred landing page** ui/page *Optional, landing page to visit after login* +**Login shell** /bin/csh *The shell to use when logging in via the console.* +**Expiration date** *Optional, if account should expire enter as mm/dd/yyy* +**Group Membership** *Optional, select one or more groups* +**Effective Privileges** *Optional, additional grants for this user,* + *usually these are being 
handled via a group* +**User Certificates** *Optional, check if a user certificate should be created* +**API keys** *Optional, when planning to use the API from* + *another application, create keys for this user* +**OTP seed** *Optional, enter or generate a OTP seed (base32)* +**Authorized keys** *Optional, paste ssh key for ssh console access* +=========================== ============ ========================================================= + Creating Groups --------------- @@ -34,3 +43,4 @@ corner of the form. Enter a **Group name** and a **Description** and add users to the group. +When users should access resources on this firewall via a group, connect the relevant ones via **Assigned Privileges**. diff --git a/source/manual/users.rst b/source/manual/users.rst index ab8bf6db..fd143cae 100644 --- a/source/manual/users.rst +++ b/source/manual/users.rst @@ -22,7 +22,7 @@ authentication. These services include: Integrated into OPNsense are the **Local User Database** and **Voucher Server**. The Voucher Server is intended to be used with the Captive portal. -External service currently supported are: +External services currently supported are: * LDAP (OpenLDAP, MS Active Directory, Novell eDirectory) * Radius @@ -31,10 +31,16 @@ Authorization ------------- Besides authenticating, user authorization to access parts of the configuration can also be setup with an external server, but in order to grant the appropriate -privileges to the users they need to be imported in OPNsense's local user manager. +privileges to the users they need to exist in OPNsense's local user manager. This way one can validate a user against its externally stored password and have a fine grained control over the configuration pages that user may access. +.. Note:: + + As local users are local (bsd) system users, their naming scheme matches FreeBSD's in terms of length (33 characters) + and reserved characters. + + Users, Groups & Privileges -------------------------- 
@@ -63,12 +69,24 @@ local user accounts by setting password length and complexity constraints. An overview of available settings: -===================================== ============================================================================================ +===================================== ============================================================================================================= **Policy** Enable password policy constraints. **Duration** [Policy] Password duration, optionally define how often the user should change his or her password. **Length** [Policy] Minimum password length to require. **Complexity** [Policy] Enforce password complexity checks. -===================================== ============================================================================================ + **Compliance** [Policy] Require SHA-512 password hashing instead of Blowfish +===================================== ============================================================================================================= + + +.. Tip:: + + When using One Time Passwords in combination with the local database, the same policy constraints apply as configured in "Local Database". + + +.. Note:: + + Our default Blowfish is not part of AES and is not considered compliant with any Federal Information Processing Standards (FIPS). + Although more secure than SHA-512, its use may not be permitted in some environments.
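Review bot: in the ``@@ -13,19 +13,28 @@ Adding Users`` hunk of ``user-local.rst``, the lone ``+==================================================================================================`` line inserted above the new table has no table body attached to it, so docutils will treat it as a stray transition (or warn about it); drop that line. While these rows are being rewritten anyway, also fix the carried-over typos: ``enter as mm/dd/yyy`` is one ``y`` short, ``generate a OTP seed`` should be ``an OTP seed``, and ``users email`` should be ``user's email``. The ``Password`` row's example value ``secret`` reads oddly beside ``*A strong password*``; a neutral placeholder would avoid suggesting a weak value.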
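Review bot: the sentence added in the ``@@ -34,3 +43,4 @@`` hunk, ``When users should access resources on this firewall via a group, connect the relevant ones via **Assigned Privileges**.``, leaves ``the relevant ones`` ambiguous (users or privileges?). Suggest ``To grant access through a group, select the required privileges under **Assigned Privileges**; the group's members receive them.``, which matches the ``Effective Privileges`` row in the user table stating that grants are usually handled via a group.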
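Review bot: the Note added in the ``@@ -31,10 +31,16 @@ Authorization`` hunk of ``users.rst`` says the naming scheme matches FreeBSD's ``in terms of length (33 characters) and reserved characters`` but names neither the reserved characters nor whether 33 is the usable length, so a reader cannot act on it. FreeBSD's ``MAXLOGNAME`` of 33 counts the terminating NUL, so verify whether the usable maximum is 32 and state that number, and list the characters the user manager rejects. Minor: ``(bsd)`` should be ``(BSD)``.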
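Review bot: in the ``@@ -63,12 +69,24 @@`` hunk the new ``+ **Compliance**`` row is indented one space relative to ``**Policy**`` and the other rows, so its first cell no longer starts at the column boundary; align it and end the description with a period like the rows above. The row should also say what happens to passwords already stored with Blowfish hashes when the option is enabled (re-hashed at next login or password change, or left as they are), since that decides whether the system is actually compliant after the switch. In the closing Note, ``Our default Blowfish is not part of AES`` is misleading: the point is that Blowfish-based password hashing is not a FIPS-approved algorithm, which has nothing to do with AES membership, and ``Although more secure than SHA-512`` compares a cipher with a hash function and is unqualified. Suggest: ``The default Blowfish-based password hashing is not a FIPS-approved algorithm, so its use may not be permitted in some environments; the SHA-512 scheme selected by the Compliance option uses a FIPS-approved hash function.``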