TrueNAS as a VM

Hi All,
New to this forum. Thanks for an excellent product. I set up the latest TrueNAS 13 as a virtual machine. A number of admins can sign into the VMware console and as such, they would all have access to the TrueNAS console. Only two of the eight admins though should be able to access the console. Is there a way to lock the console and have it prompt for a password?
 

jgreco

Is there a way to lock the console and have it prompt for a password?

FreeBSD supports this, yes, but I do not believe that TrueNAS does. If you look at /etc/ttys, you will notice that ttyv0 uses a gettytab entry of "freenas", which launches the console user interface. If you change it from "freenas" back to "Pc", you will get a normal login prompt on the console. If you additionally mark /dev/console as insecure, the FreeBSD init daemon will also ask for a password before letting you into single-user mode.

The problem is that TrueNAS is an appliance, and you are not supposed to be tinkering in /etc/ttys. I am not sure exactly under which conditions this file gets rewritten - it might be at each boot - but I do not feel that you cannot rely on this FreeBSD behaviour.

It might be worthwhile to see what happens if serial console is enabled (which would involve setting up an ESXi pipe from one serial port to another on another VM); this used to disable the VGA interface. I'm not sure what it does today -- I'm sorry -- so it could be a useless rabbit hole.

You are also going to need to worry about Control-Alt-Delete, which can be disabled with the normal FreeBSD boot tweak. There is nothing that can prevent RESET or ACPI power off signals, of course.

Please let me know how your explorations work out, and you are welcome to ask additional questions. I do similar work in a purely FreeBSD environment and it is interesting to me. I just don't have the time right now to go experimenting on your behalf.
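An added example, not part of the thread and not TrueNAS or FreeBSD project code: a small check for the two /etc/ttys settings described in the reply above, useful for seeing whether an edit survived a reboot. The function names and both sample files are constructed for illustration, and the sample lines only assume the usual FreeBSD ttys column layout.

```shell
#!/bin/sh
# Added example: report the console-related settings in an /etc/ttys-format file.

# Print the gettytab entry named by ttyv0's getty command ("freenas", "Pc", ...).
ttyv0_getty_entry() {
    awk '$1 == "ttyv0" && match($0, /"[^"]*"/) {
        n = split(substr($0, RSTART + 1, RLENGTH - 2), part, /[ \t]+/)
        print part[n]; exit
    }' "${1:-/etc/ttys}"
}

# Print "secure" or "insecure" for the console line; no flag counts as insecure.
console_security() {
    awk '$1 == "console" {
        state = "insecure"
        for (i = 2; i <= NF; i++) if ($i == "secure" || $i == "insecure") state = $i
        print state; exit
    }' "${1:-/etc/ttys}"
}

# Return 0 only when ttyv0 gives a login prompt and console is marked insecure.
audit_ttys() {
    entry=$(ttyv0_getty_entry "$1"); cons=$(console_security "$1"); rc=0
    case "$entry" in
        "")      echo "ttyv0: no getty command found"; rc=1 ;;
        freenas) echo "ttyv0: gettytab 'freenas' -> console menu without login"; rc=1 ;;
        *)       echo "ttyv0: gettytab '$entry' -> login prompt" ;;
    esac
    if [ "$cons" = "insecure" ]; then
        echo "console: insecure -> init asks for a password in single-user mode"
    else
        echo "console: ${cons:-missing} -> single-user mode opens without a password"; rc=1
    fi
    return $rc
}

# Constructed sample files, removed again when the script exits.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' '# constructed sample: console menu on ttyv0' \
    'console none                          unknown off secure' \
    'ttyv0   "/usr/libexec/getty freenas"  xterm   on  secure' > "$SAMPLE_DIR/appliance"
printf '%s\n' '# constructed sample: edited as described in the reply' \
    'console none                          unknown off insecure' \
    'ttyv0   "/usr/libexec/getty Pc"       xterm   on  secure' > "$SAMPLE_DIR/edited"

audit_ttys "$SAMPLE_DIR/appliance" || echo "=> console not locked down"
audit_ttys "$SAMPLE_DIR/edited" && echo "=> console locked down"
```

Called with no argument, `audit_ttys` reads /etc/ttys on the host itself.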
 

danb35

Is there a way to lock the console and have it prompt for a password?
Yes, there is.
[Attached screenshot: 1671902445295.png]
 

HoneyBadger

Administrator
Moderator
iXsystems
In addition to the TrueNAS level controls that have been indicated here, you can also enforce these rules at the VMware level to prevent console connections (or other actions such as power commands!) from being sent, by setting more restrictive vCenter permissions based on group/roles there.
 
