TrueNAS Nightly Development Documentation
This content follows experimental nightly development software. Pre-release software is intended for testing purposes only.
Using Administrator Logins
Root account logins are deprecated in SCALE Bluefin 22.12.0 or newer for security hardening and to comply with Federal Information Processing Standards (FIPS). All TrueNAS users should create an administrator account with all required permissions and begin using it to access TrueNAS. When the root user password is disabled, only an administrative user account can log in to the TrueNAS web interface.
TrueNAS SCALE plans to permanently disable root account access in a future release.
The default SCALE administrator account name changes from admin to truenas_admin in TrueNAS SCALE 24.10 (Electric Eel) fresh installations. Earlier releases of SCALE with the admin account retain this account when upgrading to 24.10 through the UI.
To improve security and minimize username discoverability, create one or more administrator accounts with unique usernames and passwords and disable password access for default administrator accounts (root, admin, or truenas_admin). Configure appropriate administrative privileges for each admin account. Follow the principle of least privilege (PoLP) and assign the lowest permissions required to perform the administrative tasks expected for that user. See Security Recommendations for more information.
After adding the admin user account and group privileges, log in to confirm UI access, then disable the root and/or default administrator user password(s). Go to Credentials > Users, click on the user, and select Edit. Click the Disable Password toggle to disable the password, then click Save.
Administrator accounts have roles and privileges that allow greater control over access to functions in SCALE and further support FIPS compliance. SCALE includes three predefined admin user account levels:
Full Admin - Assigned to the local administrator account created by the system when clean installing SCALE using an iso file. Also assigned when manually creating an admin user if logged in as the root user account after upgrading from a pre-22.12.3 release of SCALE or migrating from CORE to SCALE.
Sharing Admin - Assigned to users responsible for only managing shares (SMB, NFS, iSCSI). This user can create shares and the datasets for shares, start/restart the share service, and modify the ACL for the share dataset.
Readonly Admin - Assigned to users that can monitor the system but not make changes to settings.
For more information on the different administrator scenarios users can encounter, read Logging Into SCALE the First Time.
Create a new administrator account or select an existing account to grant administrative privileges. Note the primary group assigned to that user.
Go to Credentials > Groups and select the row for the primary group of the admin user to expand it. Click Edit.
Alternatively, click Add to create a new group for administrative users, such as Share_Administrators.
Use the Privileges dropdown to assign permissions: select Local Administrator to allow full administrative access, or select Read-Only Administrator or Sharing Administrator to limit permissions.
When required, select the sudo authorization permissions to allow for the admin group. For improved security, deny sudo permissions unless required for specific, recurring administrative tasks, or allow sudo permissions only when needed to perform a discrete task and then deny them again when finished. Do not allow sudo permissions for read-only administrators.
Click Save.
After creating a new group, click Members to open the Update Members screen and assign one or more administrative user accounts to the group. Click Save.
Log out of the TrueNAS system and then log back in using the new user credentials to verify that the admin credentials work properly with your network configuration.
As a security measure, the root user is no longer the default account and the password is disabled when you create the truenas_admin or admin user during installation.
Do not disable the default admin account, root, and any custom admin account passwords at the same time. If all root and administrator account passwords become disabled at the same time and the web interface session times out, a one-time sign-in screen allows access to the system.
Enter and confirm a password to gain access to the UI. After logging in, immediately go to Credentials > Users to enable the password for an administrator account before the session times out again. This temporary password is not saved as a new password and does not enable the admin or root passwords. It only provides one-time access to the UI.
When disabling a password for UI login, it is also disabled for SSH access.
To enable SSH to access the system as an admin user (or for root):
Configure the SSH service.
a. Go to System > Services, then select Configure for the SSH service.
b. Select Log in as Root with Password to enable the user to sign in as root.
Select Log in as Admin with Password and Allow Password Authentication to enable an admin user to sign in as admin. Select both options.
c. Click Save and restart the SSH service.
Configure or verify the user configuration options to allow SSH access.
If you want to SSH into the system as root, you must enable a password for the root user. If the root password is disabled in the UI, you cannot use it to gain SSH access to the system.
To allow an admin user to issue commands in an SSH session, edit that admin user and select which sudo options are allowed. Select SSH password login enabled to allow authenticating and logging into an SSH session. Disable this after completing the SSH session to return to a security hardened system.
Select Allow all sudo commands with no password. You see a prompt in the SSH session to enter a password the first time you enter a sudo command, but do not see this password prompt again in the same session.
To use two-factor authentication with an administrator account, first configure and enable the SSH service to allow SSH access, then configure two-factor authentication. If you have the root user configured with a password and enable it, you can SSH into the system with the root user. Security best practice is to disable the root user password and only use a local administrator account.
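The recommendations above (disable default account passwords, no sudo for read-only administrators, turn SSH password login back off, never disable every administrator password at once) can be checked as a set. The following is an added example, not TrueNAS code: the record field names and the sample accounts are assumptions constructed for this sketch.

```python
# Added example: audit account records against this page's recommendations.
# Field names are hypothetical for this sketch, not a TrueNAS API schema;
# fill the records in from Credentials > Users and Credentials > Groups.
DEFAULT_ACCOUNTS = {"root", "admin", "truenas_admin"}
READONLY = "Read-Only Administrator"
ADMIN_PRIVILEGES = {"Local Administrator", "Sharing Administrator", READONLY}

DEFAULT_PW = "default account password still enabled"
RO_SUDO = "read-only administrator has sudo permissions"
SSH_PW = "SSH password login left enabled"
LOCKOUT = "every administrator password is disabled (one-time sign-in only)"

def audit_accounts(users):
    """Return sorted (username, finding) tuples for a list of account dicts."""
    findings = []
    for u in users:
        name = u["username"]
        if name in DEFAULT_ACCOUNTS and not u["password_disabled"]:
            findings.append((name, DEFAULT_PW))
        if u["privilege"] == READONLY and u["sudo"]:
            findings.append((name, RO_SUDO))
        if u["ssh_password_login"]:
            findings.append((name, SSH_PW))
    # The page warns against disabling root and all admin passwords together.
    admins = [u for u in users if u["privilege"] in ADMIN_PRIVILEGES]
    if admins and all(u["password_disabled"] for u in admins):
        findings.append(("*", LOCKOUT))
    return sorted(findings)

def _acct(username, privilege, password_disabled, sudo=False, ssh=False):
    return {"username": username, "privilege": privilege,
            "password_disabled": password_disabled, "sudo": sudo,
            "ssh_password_login": ssh}

# Constructed sample accounts, not taken from a real system.
SAMPLE_USERS = [
    _acct("root", "Local Administrator", True),
    _acct("truenas_admin", "Local Administrator", False),
    _acct("storage_ops", "Local Administrator", False, ssh=True),
    _acct("share_mgr", "Sharing Administrator", False),
    _acct("auditor", READONLY, False, sudo=True),
]

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_USERS):
        print(f"{name}: {finding}")
```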
At present, administrator logins work with TrueCommand but you need to set up the TrueNAS connection using an API key.