TrueNAS Nightly Development Documentation
This content follows experimental nightly development software. Pre-release software is intended for testing purposes only.

Using Administrator Logins

Root account logins are deprecated in TrueNAS Bluefin 22.12.0 or newer for security hardening and to comply with Federal Information Processing Standards (FIPS). All TrueNAS users should create an administrator account with all required permissions and begin using it to access TrueNAS. When the root user password is disabled, only an administrative user account can log in to the TrueNAS web interface.

TrueNAS plans to permanently disable root account access in a future release.

The default TrueNAS administrator account name changes from admin to truenas_admin in TrueNAS 24.10 (Electric Eel) fresh installations. Earlier releases of TrueNAS with the admin account retain this account when upgrading to 24.10 through the UI.

To improve security and minimize username discoverability, create one or more administrator accounts with unique usernames and passwords and disable password access for default administrator accounts (root, admin, or truenas_admin). Configure appropriate administrative privileges for each admin account. Follow the principle of least privilege (PoLP) and assign the lowest permissions required to perform the administrative tasks expected for that user. If a task requires SSH login or sudo command permission, temporarily enable these settings, then disable them when the task is complete. See Security Recommendations and Allowing Sudo Commands for more information.

After adding the admin user account and group privileges, log in to confirm UI access, then disable the root and/or default administrator user password(s). Go to Credentials > Users, click on the user, and select Edit. Click the Disable Password toggle to disable the password, then click Save.

Administrator accounts have roles and privileges that are FIPS compliant and allow more control over access to TrueNAS functions.

TrueNAS has three predefined admin user account levels:

  • Full Admin - Assigned to the local administrator account created by the system when clean installing TrueNAS using an ISO file. Also assigned when manually creating an admin user if logged in as the root user account after upgrading from a pre-22.12.3 release of TrueNAS or migrating from FreeBSD- to Linux-based TrueNAS releases.

  • Sharing Admin - Assigned to users responsible for only managing shares (SMB, NFS, iSCSI). This user can create shares and the datasets for shares, start/restart the share service, and modify the ACL for the share dataset.

  • Readonly Admin - Assigned to users that can monitor the system but not make changes to settings.

For more information on the different administrator scenarios users can encounter, read Logging In for the First Time.

Changing Administrator Account Passwords

Administrator passwords can be changed on the Edit User screen or, if currently logged in as that admin user, by clicking the Settings icon on the top toolbar and clicking Change Password.

Click the Change Password button to display the Change Password dialog, where you can enter a new password for the currently logged-in user.

The truenas_admin user and admin users with full control permissions see the Change Password dialog with the New Password and Confirm Password fields. These users do not need to enter their current password to change the password.

Sharing Admin and Readonly Admin users see the Change Password dialog with the Current Password, New Password, and Confirm Password fields. These users must enter the current password to validate the user account before changing the password.

Click on the visibility_off icon to display entered passwords. To stop displaying the password, click on the visibility icon.

Configuring Administrative Privileges

Create a new administrator account or select an existing account to grant administrative privileges. Note the primary group assigned to that user.

Go to Credentials > Groups and select the row for the primary group of the admin user to expand it. Click Edit.

Alternatively, click Add to create a new group for administrative users, such as Share_Administrators.

Use the Privileges dropdown to assign permissions. Select Local Administrator to allow full administrative access, or select Read-Only Administrator or Sharing Administrator to limit permissions.

If required, set the sudo permissions to assign. For improved security, temporarily enable limited sudo permissions only when required to complete an administrative task and disable sudo after completing the task. See Allowing Sudo Commands for more information.

Click Save.

After creating a new group, click Members to open the Update Members screen and assign one or more administrative user accounts to the group. Click Save.

Log out of the TrueNAS system and then log back in using the new user credentials to verify that the admin credentials work properly with your network configuration.

Allowing Sudo Commands

As a security hardening feature, administrator accounts in Linux-based TrueNAS releases (22.12.0 or newer) cannot execute certain root-level commands in a shell or SSH session by default. If a user attempts to execute one of these commands without root-level access, TrueNAS returns a command not found error.

Administrative users who need to execute root-level commands to complete a task should temporarily enable sudo permissions for that user by going to Credentials and editing the user or group to allow some or all sudo commands. For best security, enable only the required commands to perform the task and require password authentication, unless the task or app prevents it. Disable sudo permissions when the task completes and you no longer need them.

Allowed sudo commands, Allow all sudo commands, Allowed sudo commands with no password, and Allow all sudo commands with no password grant limited root-like permissions using the sudo command. Use Allowed sudo commands or Allowed sudo commands with no password to list specific sudo commands to allow. Enter each command as an absolute path to the ELF (Executable and Linkable Format) executable file, for example, /usr/bin/nano. /usr/bin/ is the default location for commands. Press Enter after each command.

To allow full access to sudo commands, select either Allow all sudo commands or Allow all sudo commands with no password. If you allow sudo commands with password protection, TrueNAS prompts you for a password the first time you enter a sudo command, but not again in the same session. Disable these settings after completing the task to return to a security-hardened system.

Do not allow sudo permissions for read-only administrators.
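
The entry format described above (an absolute path to an ELF executable) can be checked before a command goes into the Allowed sudo commands list. The following is an added example, not TrueNAS code; the function names and the sample files it builds are constructed for illustration.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file

def check_sudo_entry(path):
    """Return a list of problems for one proposed sudo allow-list entry."""
    problems = []
    if not os.path.isabs(path):
        return ["not an absolute path"]
    if os.path.normpath(path) != path:
        problems.append("path is not normalized (contains '.' or '..' components)")
    try:
        st = os.stat(path)  # follows symlinks, as execution would
    except OSError:
        return problems + ["file does not exist"]
    if not stat.S_ISREG(st.st_mode):
        return problems + ["not a regular file"]
    if not st.st_mode & 0o111:
        problems.append("no execute bit set")
    with open(path, "rb") as fh:
        if fh.read(4) != ELF_MAGIC:
            problems.append("not an ELF executable (script or other file type)")
    return problems

def build_samples(directory):
    """Create constructed sample files: a minimal fake ELF and a shell script."""
    elf = os.path.join(directory, "tool")
    script = os.path.join(directory, "wrapper.sh")
    with open(elf, "wb") as fh:
        fh.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9)
    with open(script, "w") as fh:
        fh.write('#!/bin/sh\nexec /usr/bin/nano "$@"\n')
    os.chmod(elf, 0o755)
    os.chmod(script, 0o755)
    return elf, script

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        elf, script = build_samples(tmp)
        for entry in (elf, script, "nano", os.path.join(tmp, "missing")):
            print(entry, "->", check_sudo_entry(entry) or "ok")
```

On a real system, pass the paths you intend to enter, such as /usr/bin/nano, to check_sudo_entry.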

Disabling Root and Admin User Passwords

As a security measure, the root user is no longer the default account and TrueNAS disables the root password when you create the truenas_admin or admin user during installation.

Do not disable the default admin account, root, and any custom admin account passwords at the same time. If all root and administrator account passwords become disabled at the same time and the web interface session times out, a one-time sign-in screen allows access to the system.

Figure 4: Reset Root Password Sign-In Screen

Enter and confirm a password to gain access to the UI. After logging in, immediately go to Credentials > Users to enable the password for an administrator account before the session times out again. TrueNAS does not save the temporary password as a new password or enable the admin or root passwords. It only provides one-time access to the UI.

Disabling a password for UI login also disables it for SSH access.
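
The account recommendations on this page can be expressed as a small audit over an account inventory, including the lockout case where every root and administrator password is disabled at once. This is an added example, not TrueNAS code: the field names, the "ALL" marker, and the sample accounts are hypothetical and constructed here, and do not represent a TrueNAS API schema.

```python
DEFAULT_ADMINS = {"root", "admin", "truenas_admin"}

def user(name, role, pw_disabled, ssh_pw=False, sudo=(), sudo_nopw=()):
    """One row of a constructed account inventory (hypothetical field names)."""
    return {"username": name, "role": role, "password_disabled": pw_disabled,
            "ssh_password": ssh_pw, "sudo": list(sudo), "sudo_nopasswd": list(sudo_nopw)}

# Constructed sample data; "ALL" is this example's marker for "allow all sudo commands".
SAMPLE_USERS = [
    user("root", "full", True),
    user("truenas_admin", "full", False, ssh_pw=True, sudo=["ALL"]),
    user("ops_kim", "full", False, sudo=["/usr/bin/nano"]),
    user("share_lee", "sharing", False),
    user("audit_ro", "readonly", False, sudo_nopw=["/usr/bin/nano"]),
]

def audit(users):
    """Return (username, finding) pairs for settings the page says to avoid."""
    findings = []
    for u in users:
        name, granted = u["username"], u["sudo"] + u["sudo_nopasswd"]
        if name in DEFAULT_ADMINS and not u["password_disabled"]:
            findings.append((name, "default admin account still has password login"))
        if u["ssh_password"]:
            findings.append((name, "SSH password login left enabled"))
        if u["role"] == "readonly" and granted:
            findings.append((name, "read-only administrator has sudo permissions"))
        if "ALL" in granted:
            findings.append((name, "all sudo commands allowed"))
        if u["sudo_nopasswd"]:
            findings.append((name, "sudo allowed without a password"))
    # Lockout case: no root or admin account can log in with a password.
    if all(u["password_disabled"] for u in users):
        findings.append(("*", "all root and admin passwords disabled"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_USERS):
        print(f"{name}: {finding}")
```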

Accessing the System Through an SSH Session

To enable SSH access to the system as an admin user (or root user), you must first configure the SSH service.

  1. Go to System > Services, then click (Edit) for the SSH service.

  2. Enter the groups (truenas_admin, root, etc.) you want to enable for password authentication in the Password Login Groups field.

  3. Enable Allow Password Authentication.

  4. Click Save and restart the SSH service.

Now you must verify the user configuration options to allow SSH access.

If you want to SSH into the system as the root user:

  1. Go to Credentials > Users and click the root user, then click (Edit).

  2. Make sure Disable Password is disabled. If the root user has Disable Password enabled, you cannot use it to gain SSH access to the system.

  3. Click Save.

To allow an admin user to issue commands in an SSH session:

  1. Go to Credentials > Users, click the admin user, then click (Edit).

  2. Select the SSH password login enabled option under Authentication.

  3. Click Save.

  4. Disable this after completing the SSH session to return to a security-hardened system.

Two-Factor Authentication (2FA) and Administrator Account Log In

To use two-factor authentication with an administrator account, configure and enable SSH service to allow SSH access, then configure two-factor authentication. If you have the root user configured with a password and it is enabled, you can SSH into the system as the root user. Disable the root user password and only use a local administrator account for more security.

Administrator Logins and TrueCommand

Administrator logins work with TrueCommand, but you need to set up the TrueNAS connection using an API key.