System/Access/Servers - add compliance option and some cleanups. closes https://github.com/opnsense/docs/issues/514

2026-04-22 23:01:36 -04:00 · 2023-11-08 15:08:24 +01:00 · 2023-11-08 15:08:24 +01:00 · 8a48dce6da
commit 8a48dce6da
parent 467f9585e0
2 changed files with 46 additions and 18 deletions
--- a/source/manual/how-tos/user-local.rst
+++ b/source/manual/how-tos/user-local.rst
@ -5,7 +5,7 @@ Users & Groups
 .. image:: images/usermanager_groups.png
   :width: 100%

-With the local user manager of OPNsense one can add users and groups and define
+With the local user manager in OPNsense one can add users and groups and define
 the privileges for granting access to certain parts of the GUI (Web Configurator).

 Adding Users
@ -13,19 +13,28 @@ Adding Users
 To add a new user go to :menuselection:`System --> Access --> Users` and click on the **+** sign at
 the bottom right corner of the form.

-========================== =========== =========================================================
- **Disabled**               Unchecked   *Can be used to (temporarily) disable an account*
- **Username**               John        *A unique username*
- **Password**               secret      *A strong password*
- **Login shell**            /bin/csh    *The shell to use when logging in via the console.*
- **Full name**              John Doe    *Optional, Full username*
- **Expiration date**                    *Optional, if account should expire enter as mm/dd/yyy*
- **Group Membership**                   *Optional, select one or more groups*
- **Certificate**                        *Optional, check if a user certificate should be created*
- **OTP seed**                           *Optional, enter or generate a OTP seed (base32)*
- **Authorized keys**                    *Optional, paste ssh key for ssh console access*
- **IPsec Pre-Shared Key**               *Optional, IPsec PSK*
-========================== =========== =========================================================
+==================================================================================================
+
+=========================== ============ =========================================================
+**Disabled**                Unchecked    *Can be used to (temporarily) disable an account*
+**Username**                John         *A unique username*
+**Password**                secret       *A strong password*
+**Full name**               John Doe     *Optional, Full username, for reference only*
+**E-Mail**                  a@b.com      *Optional, users email, for reference only*
+**Comment**                              *Optional, comment field, for reference only*
+**Preferred landing page**  ui/page      *Optional, landing page to visit after login*
+**Login shell**             /bin/csh     *The shell to use when logging in via the console.*
+**Expiration date**                      *Optional, if account should expire enter as mm/dd/yyy*
+**Group Membership**                     *Optional, select one or more groups*
+**Effective Privileges**                 *Optional, additional grants for this user,*
+                                         *usually these are being handled via a group*
+**User Certificates**                    *Optional, check if a user certificate should be created*
+**API keys**                             *Optional, when planning to use the API from*
+                                         *another application, create keys for this user*
+**OTP seed**                             *Optional, enter or generate a OTP seed (base32)*
+**Authorized keys**                      *Optional, paste ssh key for ssh console access*
+=========================== ============ =========================================================
+

 Creating Groups
 ---------------
@ -34,3 +43,4 @@ corner of the form.

 Enter a **Group name** and a **Description** and add users to the group.

+When users should access resources on this firewall via a group, connect the relevant ones via **Assigned Privileges**.
--- a/source/manual/users.rst
+++ b/source/manual/users.rst
@ -22,7 +22,7 @@ authentication. These services include:
 Integrated into OPNsense are the **Local User Database** and **Voucher Server**.
 The Voucher Server is intended to be used with the Captive portal.

-External service currently supported are:
+External services currently supported are:

 * LDAP (OpenLDAP, MS Active Directory, Novell eDirectory)
 * Radius
@ -31,10 +31,16 @@ Authorization
 -------------
 Besides authenticating, user authorization to access parts of the configuration
 can also be setup with an external server, but in order to grant the appropriate
-privileges to the users they need to be imported in OPNsense's local user manager.
+privileges to the users they need to exist in OPNsense's local user manager.
 This way one can validate a user against its externally stored password and have
 a fine grained control over the configuration pages that user may access.

+.. Note::
+
+   As local users are local (bsd) system users, their naming scheme matches FreeBSD's in terms of length (33 characters)
+   and reserved characters.
+
+

 Users, Groups & Privileges
 --------------------------
@ -63,12 +69,24 @@ local user accounts by setting password length and complexity constraints.

 An overview of available settings:

-=====================================  ============================================================================================
+=====================================  =============================================================================================================
 **Policy**                            Enable password policy constraints.
 **Duration**                          [Policy] Password duration, optionally define how often the user should change his or her password.
 **Length**                            [Policy] Minimum password length to require.
 **Complexity**                        [Policy] Enforce password complexity checks.
-=====================================  ============================================================================================
+ **Compliance**                        [Policy] Require SHA-512 password hashing instead of Blowfish
+=====================================  =============================================================================================================
+
+
+.. Tip::
+
+   When using One Time Passwords in combination with the local database, the same policy constraints apply as configured in "Local Database".
+
+
+.. Note::
+
+   Our default Blowfish is not part of AES and is not considered compliant with any Federal Information Processing Standards (FIPS).
+   Although more secure than SHA-512, its use may not be permitted in some environments.