This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jose_Luis_Hdz
Explorer
‎2025-10-16 02:04 PM
Jump to solution

User authentication via SSH using passwords on Security Gateways in AWS.

Hello, everyone.

One of our clients has just deployed a cluster in the AWS cloud with R81.20 Take 105, which, as we recall, uses the Key Pair to authenticate via SSH.

However, since the client belongs to financial institutions and has robust security policies, it is not possible for them to share the Key Pair with multiple users. In this regard, we would like to ask the following:

Is it possible to create local users with passwords to manage the cluster and allow the admin user to continue authenticating with the Key Pair?

If this is not possible, have you tried any alternatives to prevent a user from using the same Key Pair to access with any user?

We look forward to your response.

Best regards.

 

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-10-17 01:41 PM
Jump to solution

PasswordAuthentication is disabled by default for SSH on cloud instances.
This has to be disabled: https://support.checkpoint.com/results/sk/sk109587 

View solution in original post

(1)
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-10-20 08:32 AM
Jump to solution

Traditionally, you just stick a bunch of public keys in the shared user account's ~/.ssh/authorized_keys file. Any key there can authenticate as the user, so each admin has their own unique key.

If you do this, I would highly, highly recommend requiring users to put their unique username at the end of the line so as people resign, their key can be removed.

View solution in original post

0 Kudos
(1)
5 Replies
PhoneBoy
Admin
Admin
‎2025-10-17 01:41 PM
Jump to solution

PasswordAuthentication is disabled by default for SSH on cloud instances.
This has to be disabled: https://support.checkpoint.com/results/sk/sk109587 

(1)
Jose_Luis_Hdz
Explorer
‎2025-10-20 08:21 AM
In response to PhoneBoy
Jump to solution

Hello Phoneboy.

My question is more about the implications of enabling SSH as an authentication method. That is, would doing this apply to all users in general, including the admin user? Or, alternatively, could the admin user keep the Key Pair as the authentication method and have local users authenticate via password?

Best regards.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-10-21 01:21 PM
In response to Jose_Luis_Hdz
Jump to solution

You mean Password authentication?
This is a server-wide setting, which means users are ALLOWED to use password-based authentication.
SSH clients will always attempt key-based authentication first, which will be accepted if the key offered by the client matches an entry in ~/.ssh/authorized_keys (under user's home directory).
If the key offered isn't authorized, if PasswordAuthentication is set to yes, then the user will be permitted to enter a password for authentication.

Hope that makes it clear.

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-19 04:50 AM
Jump to solution

Phoneboy is indeed correct.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-10-20 08:32 AM
Jump to solution

Traditionally, you just stick a bunch of public keys in the shared user account's ~/.ssh/authorized_keys file. Any key there can authenticate as the user, so each admin has their own unique key.

If you do this, I would highly, highly recommend requiring users to put their unique username at the end of the line so as people resign, their key can be removed.

0 Kudos
(1)

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Trending Discussions
AWS Cluster in-place upgrade
Upcoming Events

    Sort by:
    CheckMates Events