SOLVED Disable logged in root user

Status
Not open for further replies.

u6f6o

Explorer
Joined
Jul 27, 2016
Messages
59
Hi,

I hope this is not an obvious question, but I did not find any answer so far. When I use iKVM, I can select from different options and one is 9) Shell.

When I choose this option, I am automatically logged in as root user. Is there any way to disable this behaviour? In general I would like to have the given options present after I entered a valid root password.

Thx in advance,
u6f6o
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
You can't do that, but you can disable the local console wholesale.
 

u6f6o

Explorer
Joined
Jul 27, 2016
Messages
59
Okay, better than nothing. Could you point me to the right document or GUI option?

I understand that some people might consider this paranoid, because if somebody has physical access to my NAS, everything is lost anyways, but I would sleep better with the knowledge that not anybody can log in as root as he/she puts in a monitor and keyboard.
 

MrToddsFriends

Documentation Browser
Joined
Jan 12, 2015
Messages
1,338
Okay, better than nothing. Could you point me to the right document or GUI option?

http://doc.freenas.org/9.10/quick.html

Be aware of the risk that you will lose the chance to (re-)configure the network interface(s) on the console in case of a configuration error, i.e. when you are not able to connect to your NAS via the GUI over the network.
 

u6f6o

Explorer
Joined
Jul 27, 2016
Messages
59
Okay, so in the worst case I'd have to re-install the system, re-import the pools and re-configure everything?
 

MrToddsFriends

Documentation Browser
Joined
Jan 12, 2015
Messages
1,338

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Be aware of the risk that you will lose the chance to (re-)configure the network interface(s) on the console in case of a configuration error, i.e. when you are not able to connect to your NAS via the GUI over the network.
No you won't; you just need to log in as root and then run the console menu manually (I think it's in /etc/netcli, but I don't remember for sure off the top of my head).
 

Sakuru

Guru
Joined
Nov 20, 2015
Messages
527
No you won't; you just need to log in as root and then run the console menu manually (I think it's in /etc/netcli, but I don't remember for sure off the top of my head).
Correct.
 

u6f6o

Explorer
Joined
Jul 27, 2016
Messages
59
Hhmm, this is more of a general discussion probably, but after my first steps with FreeNAS I have the impression that it is a pretty root-centric architecture!? Which is actually quite the contrary of my previous experience with e.g. Linux boxes/servers I worked with (avoid using root unless it's really necessary, create own user/group for every service etc.).

So when I was asked for a root pw during the installation I started my password generator and created a quite strong password. Yesterday I decided to try to log in to the console with iKVM (in order to see if copy paste works there) and suddenly I realised that I can log in without password and reconfigure basically everything.

So call me paranoid, but this topic troubles me quite a bit. I know that the likelihood that somebody plugs in keyboard and monitor and does bad stuff on my NAS is quite small, but how is this handled in offices where you put your FreeNAS boxes etc.?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
In the first place, if an attacker gains physical access to your box, you're pretty much screwed. But to protect against the specific threat you mention, the answer has already been given in this thread--disable the console menu. You can still access the menu (as I mentioned a couple of posts back), but you have to log in as root first.
 

u6f6o

Explorer
Joined
Jul 27, 2016
Messages
59
Yeah, I agree, if physical access is there, you cannot do much anyways. I'll disable the console menu for now and gather more experience with FreeNAS before I push too hard ;-)

Okay, this worked perfectly. Now I have a login shell when I connect via iKVM. Thx for the help!
 