https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194493#M36193 <P><STRONG>Which SSH key is used by embeded GAIA scheduled backup function by default?</STRONG> I asked because all have been added in authorized_keys. Of course I may setup both own backup scripts or ssh connectivity host profile but I'd like to use default GAIA config w/o additional configurarion under shell (only CLI or webUI).</P><P><EM>[Expert@hostname:0]# ls -l /etc/ssh/*.pub</EM><BR /><EM>-rw-r----- 1 admin root 590 Jul 25 04:48 /etc/ssh/ssh_host_dsa_key.pub</EM><BR /><EM>-rw-r--r-- 1 admin root 179 Jul 25 04:58 /etc/ssh/ssh_host_ecdsa_key.pub</EM><BR /><EM>-rw-r--r-- 1 admin root 99 Jul 25 04:58 /etc/ssh/ssh_host_ed25519_key.pub</EM><BR /><EM>-rw-r----- 1 admin root 627 Jul 25 04:48 /etc/ssh/ssh_host_key.pub</EM><BR /><EM>-rw-r----- 1 admin root 382 Jul 25 04:48 /etc/ssh/ssh_host_rsa_key.pub</EM><BR /><EM>[Expert@hostname:0]#</EM></P><P>BTW ssh -i option works only for ed25519, edsa and rsa (<EM>ssh_host_key</EM> and dsa return error of key format). I can connect via RSA key manually:<BR /><EM>Oct 9 07:40:08 hostname sshd[734829]: Accepted key RSA SHA256:xxxxxxxxxx found at /srv/scp//.ssh/authorized_keys:20</EM></P><P>but scheduled backup doesn't work:<BR /><EM>Oct 9 07:32:23 hostname sshd[734635]: Unable to negotiate with hostname port 28758: no matching host key type found. Their offer: ssh-rsa [preauth]</EM><BR /><EM>Oct 9 07:32:34 hostname sshd[734639]: Accepted password for backupconfig from hostname port 28760 ssh2</EM></P><P>It seems scheduled backup uses any other rsa key (probably SHA1).</P> Mon, 09 Oct 2023 06:02:04 GMT Pawel_Przybysze 2023-10-09T06:02:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194394#M36170 <P>Hello Team,</P><P>are you able to add PKI possibility to scheduled (or even on demand) backup for SCP option in the most current version R81.20?</P><P><SPAN class=""><SPAN class=""><SPAN class="">In the past I used a script when Nokia did not yet support SFTP (only FTP), but I would prefer not to use external scripts.</SPAN></SPAN></SPAN></P><P>&nbsp;</P><P>Everyone,<BR />have you got any idea how use scheduled backups with SCP server key instead of password?</P><P>&nbsp;</P><P>Thanks</P><P>Pawel</P> Fri, 06 Oct 2023 12:32:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194394#M36170 Pawel_Przybysze 2023-10-06T12:32:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194431#M36181 <P>Do you have keys installed for the destination server on your admin user?<BR />I believe (but could be wrong) that these will be tried first, if they exist.</P> Fri, 06 Oct 2023 17:53:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194431#M36181 PhoneBoy 2023-10-06T17:53:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194493#M36193 <P><STRONG>Which SSH key is used by embeded GAIA scheduled backup function by default?</STRONG> I asked because all have been added in authorized_keys. Of course I may setup both own backup scripts or ssh connectivity host profile but I'd like to use default GAIA config w/o additional configurarion under shell (only CLI or webUI).</P><P><EM>[Expert@hostname:0]# ls -l /etc/ssh/*.pub</EM><BR /><EM>-rw-r----- 1 admin root 590 Jul 25 04:48 /etc/ssh/ssh_host_dsa_key.pub</EM><BR /><EM>-rw-r--r-- 1 admin root 179 Jul 25 04:58 /etc/ssh/ssh_host_ecdsa_key.pub</EM><BR /><EM>-rw-r--r-- 1 admin root 99 Jul 25 04:58 /etc/ssh/ssh_host_ed25519_key.pub</EM><BR /><EM>-rw-r----- 1 admin root 627 Jul 25 04:48 /etc/ssh/ssh_host_key.pub</EM><BR /><EM>-rw-r----- 1 admin root 382 Jul 25 04:48 /etc/ssh/ssh_host_rsa_key.pub</EM><BR /><EM>[Expert@hostname:0]#</EM></P><P>BTW ssh -i option works only for ed25519, edsa and rsa (<EM>ssh_host_key</EM> and dsa return error of key format). I can connect via RSA key manually:<BR /><EM>Oct 9 07:40:08 hostname sshd[734829]: Accepted key RSA SHA256:xxxxxxxxxx found at /srv/scp//.ssh/authorized_keys:20</EM></P><P>but scheduled backup doesn't work:<BR /><EM>Oct 9 07:32:23 hostname sshd[734635]: Unable to negotiate with hostname port 28758: no matching host key type found. Their offer: ssh-rsa [preauth]</EM><BR /><EM>Oct 9 07:32:34 hostname sshd[734639]: Accepted password for backupconfig from hostname port 28760 ssh2</EM></P><P>It seems scheduled backup uses any other rsa key (probably SHA1).</P> Mon, 09 Oct 2023 06:02:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194493#M36193 Pawel_Przybysze 2023-10-09T06:02:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194569#M36223 <P>You mentioned R81.20, which is not a valid version for Embedded Gaia.<BR />In regular Gaia, I believe the admin user keys are used (but, again, could be wrong).</P> Mon, 09 Oct 2023 19:49:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194569#M36223 PhoneBoy 2023-10-09T19:49:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194678#M36250 <P>Issue has been resolved by re-generate new SSH key on all our Checkpoints for admin user. Unfortunately I don't know localization of default SSH key for admin user.</P><P>I can confirm - scheduled backup to SFTP/SCP uses admin user keys.</P><P>&nbsp;</P> Tue, 10 Oct 2023 14:58:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Adding-PKI-support-for-backuping-in-R81-20/m-p/194678#M36250 Pawel_Przybysze 2023-10-10T14:58:20Z