topic Re: Allowing SSH username/password authentication to Gateways in AWS / GCP in Firewall and Security Management

Allowing SSH username/password authentication to Gateways in AWS / GCP

johnnyringo — Tue, 04 May 2021 17:09:11 GMT

We have several CheckPoint R80.30 or R80.40 gateways in AWS and GCP, all configured to use TACACS authentication requiring a 2FA token code.

I'm able to login to the GAIA WebUI portal just fine via TACACS, but SSH appears to only accept public keys. /var/log/secure on the gateway shows this:

Connection closed by authenticating user billybob 10.21.56.27 port 50620 [preauth]

To authenticate using username/password to SSH, do I need to muck around with /etc/ssh/sshd_config or is there an easy clish command to do this? I found sk109587 but it's quite old, and only mentions R77.

To state the obvious, our gateways do not have port 22 open to the Internet, so we are not concerned about password cracking or account locking.

Re: Allowing SSH username/password authentication to Gateways in AWS / GCP

PhoneBoy — Thu, 06 May 2021 20:15:22 GMT

The process should still be relevant for R8x.
Specifically, the sshd_config needs to be edited to enable password/root login.

Re: Allowing SSH username/password authentication to Gateways in AWS / GCP

johnnyringo — Wed, 30 Jun 2021 21:33:09 GMT

This does work, although it should be noted that in R80.40 take 83 and above, the template file must be modified and copied over in order to preserve the setting upon reboot:

cp /etc/ssh/templates/sshd_config.templ /etc/ssh/templates/sshd_config.templ_backup sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/templates/sshd_config.templ sed -i 's/PermitRootLogin forced-commands-only/PermitRootLogin yes/' /etc/ssh/templates/sshd_config.templ /usr/bin/sshd_template_xlate < /config/active service sshd restart

I see sk109587 was updated with instructions to update and push the template file, but it's missing the full path on the 4th command.

Re: Allowing SSH username/password authentication to Gateways in AWS / GCP

iesnoz — Sat, 24 Jun 2023 10:13:54 GMT

I have this same problem with version 81.20 HF 10, I copied the steps of johnnyringo to keep changes, and the SSH works initially, but after reboot the problem appears again, changes are not permament, so I have to execute it on every reboot.To be more specific, the /etc/ssh/sshd_config keep changes for first PasswordAuthentication, but not for the last in the file.

In sk109587 version 81.20 is not mentioned, does anybody know if is going to be corrected or the steps are different?

Thanks in advance.

Re: Allowing SSH username/password authentication to Gateways in AWS / GCP

johnnyringo — Sat, 24 Jun 2023 15:06:10 GMT

FYI it did change in R81.10, which is just these 3 lines in expert mode:

sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin forced-commands-only/PermitRootLogin yes/' /etc/ssh/sshd_config
service sshd reload

I'm not sure about R81.20; could be same as R81.10 or could be another change.

Re: Allowing SSH username/password authentication to Gateways in AWS / GCP

iesnoz — Sat, 24 Jun 2023 17:02:03 GMT

Thanks for the reply, I tried these commands but the result is the same. Checking the sshd_config file I see that after reboot one of the PasswordAuthentication lines remains set as yes but the other is set as no:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

Match address 0::0/0,0.0.0.0/0
PasswordAuthentication no
Match all

If I edit the file with vi editor and change to "yes" then I can connect with SSH, but only until restart. "PermitRootLogin" line remains always the same:

UseDNS no
PermitRootLogin yes
ClientAliveInterval 0

Kind regards.

Re: Allowing SSH username/password authentication to Gateways in AWS / GCP

PhoneBoy — Mon, 26 Jun 2023 16:51:57 GMT

You should be editing the template file /etc/ssh/templates/sshd_config.templ rather than sshd_config directly.

Re: Allowing SSH username/password authentication to Gateways in AWS / GCP

iesnoz — Mon, 26 Jun 2023 18:16:09 GMT

Hi PhoneBoy

Thanks for your reply. I checked the template and the commands are in "yes". I rebooted, just in case, and again I have to edit the second "PasswordAuthentication" which stays in no in the sshd_config. I rechecked the template and both values are "yes":

[Expert@MGMT8120:0]# cat /etc/ssh/templates/sshd_config.templ | grep Password
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# PasswordAuthentication yes
# PAM authentication, then enable this but set PasswordAuthentication yes
PasswordAuthentication yes

Kind regards.

Re: Allowing SSH username/password authentication to Gateways in AWS / GCP

PhoneBoy — Mon, 26 Jun 2023 19:11:01 GMT

Huh, looks like https://support.checkpoint.com/results/sk/sk109587 suggests to edit the sshd_config file directly in some versions.
If this isn't working as expected, I recommend a TAC case: https://help.checkpoint.com
If you want to be sure the sshd_config file doesn't get overwritten, make the file immutable (chattr +i).

Re: Allowing SSH username/password authentication to Gateways in AWS / GCP

iesnoz — Tue, 27 Jun 2023 06:20:42 GMT

Thanks for the tip, I used "chattr +i" and after reboot SSH is working.

I will open a case with TAC anyway to check if the sk109587 needs to be updated with version 81.20

Thanks again for your help.