1.
User Management and Privileges
February 2015 Hangout
Jim Pingle

2.
Project Notes
● pfSense 2.2.1 coming in the near future
– Addresses problems found after 2.2-RELEASE
● pfSense University on-line training
– Several classes complete, good feedback
– Still some openings and more classes being added
● Roadmap for future versions of pfSense:
https://blog.pfsense.org/?p=1588
– 2.3 will move to pkgng, no more PBI, deprecate PPTP, update mechanism
change, build system overhaul, possible bootstrap GUI
– 3.0, removing PHP, moving to Python, REST API, core using Intel DPDK,
encryption enhancements, etc
● New hardware coming soon

3.
New Hardware!
● Intel® C2000 Family
● Mini-ITX (Q1), Nano-ITX or Rack (June)
● SG-2440
● SG-4860
● May/June, 8860 (Bigger) and 2220 (Smaller)
● XYZ0 in model number is:
– X=Cores
– Y=GB of RAM
– Z=# of Network Ports
● All have AES-NI and QuickAssist – Extremely fast VPN handling w/IPsec and AES-GCM
● Some systems are linked on the store already, shipping in April:
– http://store.pfsense.org/SG2440/ ($499)
– http://store.pfsense.org/SG4860/ ($699)

4.
About this Hangout
● Covering User Management and Privileges
● “Why” and “How” to use additional accounts
● GUI and SSH User Security
● GUI and SSH Network Security
● Other Concerns
● Due to time constraints, local users only (No
LDAP) – Future hangout topic

5.
Why utilize multiple users?
● Security
– Keeps the number of people with the root/admin password low
● Default admin account cannot be deleted, but may be disabled
– Easier to lock out someone if they leave or only need temporary access
– User access can be limited to specific pages they need to see
– Users can be denied configuration write privileges
● Accountability
– Configuration history shows users who made changes
– Firewall and NAT rules are tagged with the creator and last person to change
● Non-Administrative Access
– OpenVPN, IPsec, Captive Portal, SCP, etc.

6.
pfSense Privilege System
● Privileges can be set per-user or inherited from a group
● Privileges exist for almost every page
● Special privileges for …
– Special pages such as the Dashboard
– Captive Portal access (optional)
– IPsec XAuth VPN Dial-in access
– L2TP/PPPoE Dial-in Access
– SSH Tunnel only access
– SCP access
– SSH Shell Access
– Help Pages
– Deny Configuration Write
– “WebCfg - System: User Password Manager page” allows user to change password
● Most packages do not hook in or are not compatible with privileges

7.
Working with Privileges
● A few notes before showing how to add users/groups
● Using groups speeds up and simplifies the process
● Save a user or group first, then edit to add individual permissions
● Be wary of the permission order
– If a user does not have Dashboard access, they are redirected to the first
page listed in their privilege list
●
Do not add the “Deny Config Write” privilege to the “All” or
“Admins” group (for obvious reasons)
– Easy to do accidentally with a “select all” on the privilege list!
●
Menus will change to only show pages a user may access

8.
Privilege Gotchas
● Be careful of pages that can execute commands or apply changes
– Denying configuration write access does not prevent these actions which can make
changes!
● Granting someone access to exec.php (Diagnostics > Command) is essentially
the same as giving them full access to every page. Use with caution, they can
make any changes they want!
● Similarly, Backup/Restore access would let someone make any change they like
by uploading a new configuration
– Access to the configuration history isn't quite so bad but they could still roll back changes
● By default, SSH users do not get the menu because they don't have access to
the commands
– Using sudo can help delegate
– Shell users still may have access to files and other parts of the system that are sensitive
even if they cannot run commands as root

9.
Group Management
● Groups are the easiest way to manage privileges
● System > User Manager, Groups tab
●
Click + to create a group, give it a name, click Save
● Click 'e' to edit the group, then + to add privileges
● Users may be assigned here for batch changes, or the
group may be added to a user directly for individual
changes
● Great for single privileges that many, but not all, will
have, such as IPsec Xauth Dialin

10.
User Management
● System > User Manager, Users tab
● Click + to add a new user
● Username, password, confirm password are only
required fields
● Account can be disabled or have a set expiration date
– Account will be disabled on that day (e.g. expire tomorrow
will expire at midnight tonight)
– If expired, remember to fix date before re-enabling the
account
● Group membership can be managed

11.
User Management (cont'd)
● Certificate can be created
– Process is different during account creation: check the box, enter
a name, choose options
– Later when editing account, click + and then a cert can be
created, imported, etc.
● Authorized keys are keys for SSH access, check the box,
paste in a value
● IPsec Pre-Shared Key
– Used for PSK-based mobile IPsec access (not xauth, L2TP/IPsec,
IKEv2, etc)
● Click Save
● Privileges can be added by editing the user again after save

12.
User Management Demo
● Group List / Add/Edit Group / Privileges
● User List / Add/Edit User / Privileges
● User login / logout
– Show “default” landing page behavior (Users: opal, carrie, larry,
pat)
– Show what happens when a user has no GUI permissions (User:
norm)
● Show menu changes
● Deny Config Write demo
● Show system log entries for redirects and other access info

13.
SSH Access
● Enable under System > Advanced, Admin Access tab
● Several levels of access:
– User – System – SSH Tunneling
● Allows user to connect and create SSH forwards, but no shell or
SCP
– User – System – Copy Files
● Allows user to connect with an SCP client such as scp, Filezilla,
WinSCP, etc. to transfer files
– User – System – Shell Account Access
● Access to the shell, tunneling, and SCP

14.
SSH Access (cont'd)
● Passwords are set in GUI only, do not use “passwd” in shell!
● Admin and Root share credentials
● Admin is locked to menu for shell and cannot use SCP, only SSH
● Root user works for SCP or SSH access
● Other users may access the shell or SCP, depending on privileges
● Other users who SCP files need to be aware of file and directory permissions
and on NanoBSD, filesystem read/write status
● Other users do not get the menu at login because they do not have sufficient
privileges to run all commands on the menu
● Users may be granted more privileges in the shell by using sudo
● Just because a user can't run a command doesn't mean they can't
necessarily see sensitive files, remember this is a firewall and not intended
to be a multi-user UNIX shell server, only give SSH access to trusted
administrators!

15.
SSH Authentication
● SSH has several authentication modes, including
– Password – least secure
– Keyboard-Interactive – Still password-based, extensible
– Key-based authentication – Best and most secure, but complicated to setup
● Password-based modes are susceptible to brute force attacks
● Client must create their own public/private key pair using a utility such as
ssh-keygen
● Public key is copied to “authorized keys” list for their account on the server
● Private key should be protected with a passphrase and other security
measures
● SSH agent/forwarding makes this more convenient

16.
Sudo Package
● Rhymes with voodoo!
● Installed from System > Packages, Available Packages tab
● Once installed, appears as System > sudo
● Default permissions grant full sudo access to members of the admins
group, as well as root and admin users
● User/Group column selects who receives the permission
● Run As column selects the user the command will run under, typically
root
● No Password checkbox allows the user to run the specified
command(s) without supplying their password. Convenient, but
potentially dangerous!

17.
Sudo Package (cont'd)
● Command list specifies what commands and parameters may be used
by the user or group
– Special “ALL” keyword means all commands with any parameters
– A command with no parameters set after will allow any parameters:
● /sbin/pfctl
– A command with a specific parameter set limits the user to only that one
parameter:
● /sbin/pfctl -ss
– To restrict a user to run a command without any parameters, use “” after the
command name:
● /sbin/ifconfig “”
– Separate commands in the list using a comma:
● /sbin/ifconfig, /sbin/pfctl, /sbin/ping, /sbin/ping6
● Commands run using sudo are logged to the main system log

18.
SSH Access Demo
● SSH as root/admin
● SCP as root
● Login as unprivileged user
● Use of sudo
● SSH keys
– Disable password auth
– Generate Key
– Add to User
– Login using key
– SSH Agent: eval `ssh-agent`; ssh-add

19.
Remote GUI Access
● Unforgivable: HTTP GUI on WAN
● Worse: GUI port open to the world (any port)
● Good: GUI port open to select hosts
– Can use an alias with dyndns FQDN entries!
● Better: GUI on non-standard port open to select
hosts
● Best: GUI port closed to the world, access by
VPN only

20.
Remote SSH Access
● Worst: SSH port open to the world
– Constant brute force attacks
● Meh: SSH port open to the world on an alternate port
– Security by obscurity, may protect against some casual scans but
not all
● OK: SSH port open to select hosts
● Good: SSH (any port) with key-based authentication
● Better: Key-based authentication, open to only select hosts
● Best: No direct access. Key-based auth + VPN

21.
Security Best Practices
● Only use encrypted protocols (HTTPS, SSH, no HTTP!)
● Reduce or eliminate use of the “admin” account
● Never leave system passwords at their default value
● Give each person their own account, no sharing!
● Encourage use of strong passwords (>8 chars, mix of letters, numbers, symbols, and
case)
● Change passwords frequently (<=90d) and do not repeat
● Set an expiration date and/or disable accounts that only need temporary access
●
Remove accounts promptly when a user leaves the company
● Do not expose GUI or SSH services to the world
● Use key-based authentication for SSH
● Use remote access VPNs for management where possible
● Don't ignore physical security!
– Disabling console access is OK, but not perfect, can be reset/bypassed by someone with
physical access and control of the hardware

22.
External Authentication Servers
● LDAP can be used for GUI access
– Must have local groups defined to match user group in
LDAP
– If LDAP is down, falls back to local auth but is really
slow loading pages
● RADIUS cannot be used for GUI access (yet)
● Both can be used for OpenVPN and IPsec
● Some areas like Captive Portal and L2TP are not
connected to these Authentication Servers

23.
Other Notes
● XMLRPC Sync currently requires use of the admin user and
cannot be changed
– Will be addressed in a future version
● Resetting the LAN IP via the console or SSH will offer to reset the
authentication source back to Local, if remote authentication is
not functional
● Password reset function on the console menu will also re-enable
admin account if used
● Reset a password for other accounts via shell:
– pfSsh.php playback changepassword <username>
– Will also optionally re-enable and remove expiration

24.
Conclusion
● Questions?
● Ideas for hangout topics? Post on forum,
comment on the blog posts, Reddit, etc