https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260123#M5552 <P>Hello, everyone.</P><P>One of our clients has just deployed a cluster in the AWS cloud with R81.20 Take 105, which, as we recall, uses the Key Pair to authenticate via SSH.</P><P>However, since the client belongs to financial institutions and has robust security policies, it is not possible for them to share the Key Pair with multiple users. In this regard, we would like to ask the following:</P><P>Is it possible to create local users with passwords to manage the cluster and allow the admin user to continue authenticating with the Key Pair?</P><P>If this is not possible, have you tried any alternatives to prevent a user from using the same Key Pair to access with any user?</P><P>We look forward to your response.</P><P>Best regards.</P><P>&nbsp;</P> Thu, 16 Oct 2025 21:04:10 GMT Jose_Luis_Hdz 2025-10-16T21:04:10Z https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260123#M5552 <P>Hello, everyone.</P><P>One of our clients has just deployed a cluster in the AWS cloud with R81.20 Take 105, which, as we recall, uses the Key Pair to authenticate via SSH.</P><P>However, since the client belongs to financial institutions and has robust security policies, it is not possible for them to share the Key Pair with multiple users. In this regard, we would like to ask the following:</P><P>Is it possible to create local users with passwords to manage the cluster and allow the admin user to continue authenticating with the Key Pair?</P><P>If this is not possible, have you tried any alternatives to prevent a user from using the same Key Pair to access with any user?</P><P>We look forward to your response.</P><P>Best regards.</P><P>&nbsp;</P> Thu, 16 Oct 2025 21:04:10 GMT https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260123#M5552 Jose_Luis_Hdz 2025-10-16T21:04:10Z https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260205#M5558 <P>PasswordAuthentication is disabled by default for SSH on cloud instances.<BR />This has to be disabled:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk109587" target="_blank">https://support.checkpoint.com/results/sk/sk109587</A>&nbsp;</P> Fri, 17 Oct 2025 20:41:14 GMT https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260205#M5558 PhoneBoy 2025-10-17T20:41:14Z https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260272#M5559 <P>Phoneboy is indeed correct.</P> Sun, 19 Oct 2025 11:50:42 GMT https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260272#M5559 the_rock 2025-10-19T11:50:42Z https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260343#M5560 <P>Hello Phoneboy.</P><P>My question is more about the implications of enabling SSH as an authentication method. That is, would doing this apply to all users in general, including the admin user? Or, alternatively, could the admin user keep the Key Pair as the authentication method and have local users authenticate via password?</P><P>Best regards.</P> Mon, 20 Oct 2025 15:21:45 GMT https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260343#M5560 Jose_Luis_Hdz 2025-10-20T15:21:45Z https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260345#M5561 <P>Traditionally, you just stick a bunch of public keys in the shared user account's ~/.ssh/authorized_keys file. Any key there can authenticate as the user, so each admin has their own unique key.</P> <P>If you do this, I would highly, highly recommend requiring users to put their unique username at the end of the line so as people resign, their key can be removed.</P> Mon, 20 Oct 2025 15:32:44 GMT https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260345#M5561 Bob_Zimmerman 2025-10-20T15:32:44Z https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260516#M5564 <P>You mean Password authentication?<BR />This is a server-wide setting, which means users are ALLOWED to use password-based authentication.<BR />SSH clients will always attempt key-based authentication first, which will be accepted if the key offered by the client matches an entry in ~/.ssh/authorized_keys (under user's home directory).<BR />If the key offered isn't authorized, if PasswordAuthentication is set to yes, then the user will be permitted to enter a password for authentication.</P> <P>Hope that makes it clear.</P> <P>&nbsp;</P> Tue, 21 Oct 2025 20:21:22 GMT https://community.checkpoint.com/t5/Cloud-Firewall/User-authentication-via-SSH-using-passwords-on-Security-Gateways/m-p/260516#M5564 PhoneBoy 2025-10-21T20:21:22Z