Pawel_Przybysze
Participant

Adding PKI support for backups in R81.20

Hello Team,

Are you able to add a PKI option to scheduled (or even on-demand) backups for the SCP option in the most current version, R81.20?

In the past I used a script when Nokia did not yet support SFTP (only FTP), but I would prefer not to use external scripts.

Everyone,
have you got any idea how to use scheduled backups with an SCP server key instead of a password?


Thanks

Pawel

0 Kudos
1 Solution

Accepted Solutions
Pawel_Przybysze
Participant

The issue has been resolved by regenerating a new SSH key for the admin user on all our Checkpoints. Unfortunately, I don't know the location of the default SSH key for the admin user.

I can confirm - scheduled backup to SFTP/SCP uses admin user keys.

0 Kudos
4 Replies
PhoneBoy
Admin
Admin

Do you have keys installed for the destination server on your admin user?
I believe (but could be wrong) that these will be tried first, if they exist.

0 Kudos
Pawel_Przybysze
Participant

Which SSH key is used by the embedded GAIA scheduled backup function by default? I ask because all of them have been added to authorized_keys. Of course I could set up either my own backup scripts or an SSH connectivity host profile, but I'd like to use the default GAIA config w/o additional configuration under the shell (only CLI or WebUI).

[Expert@hostname:0]# ls -l /etc/ssh/*.pub
-rw-r----- 1 admin root 590 Jul 25 04:48 /etc/ssh/ssh_host_dsa_key.pub
-rw-r--r-- 1 admin root 179 Jul 25 04:58 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r--r-- 1 admin root 99 Jul 25 04:58 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r----- 1 admin root 627 Jul 25 04:48 /etc/ssh/ssh_host_key.pub
-rw-r----- 1 admin root 382 Jul 25 04:48 /etc/ssh/ssh_host_rsa_key.pub
[Expert@hostname:0]#

BTW, the ssh -i option works only for ed25519, ecdsa and rsa (ssh_host_key and dsa return a key format error). I can connect via the RSA key manually:
Oct 9 07:40:08 hostname sshd[734829]: Accepted key RSA SHA256:xxxxxxxxxx found at /srv/scp//.ssh/authorized_keys:20

but scheduled backup doesn't work:
Oct 9 07:32:23 hostname sshd[734635]: Unable to negotiate with hostname port 28758: no matching host key type found. Their offer: ssh-rsa [preauth]
Oct 9 07:32:34 hostname sshd[734639]: Accepted password for backupconfig from hostname port 28760 ssh2

It seems the scheduled backup uses some other RSA key (probably SHA1).

0 Kudos
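A check for the backup server side, as an added example that is not part of the original thread: it scans sshd log lines like the ones quoted in the post above and reports when an account that should use a key logged in with a password, plus any algorithm negotiation failures. The sample log, the address 192.0.2.10, the placeholder fingerprint and the function name `audit` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the sshd lines quoted in the thread
# (host name, source address, PIDs and fingerprint are placeholders).
SAMPLE_LOG = """\
Oct 9 07:32:23 scpsrv sshd[734635]: Unable to negotiate with 192.0.2.10 port 28758: no matching host key type found. Their offer: ssh-rsa [preauth]
Oct 9 07:32:34 scpsrv sshd[734639]: Accepted password for backupconfig from 192.0.2.10 port 28760 ssh2
Oct 9 07:40:08 scpsrv sshd[734829]: Accepted publickey for backupconfig from 192.0.2.10 port 28790 ssh2: RSA SHA256:PLACEHOLDER
"""

ACCEPT = re.compile(
    r"sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\S+) port \d+")
NEGOTIATE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (\S+) port \d+: "
    r"no matching (.+?) found\. Their offer: (\S+)")


def audit(log_text, key_only_users):
    """Return (findings, methods_per_user) for a block of sshd log text.

    findings lists password logins by accounts expected to use keys and
    every failed algorithm negotiation, in log order.
    """
    findings = []
    methods = defaultdict(set)
    for line in log_text.splitlines():
        m = ACCEPT.search(line)
        if m:
            method, user, src = m.groups()
            methods[user].add(method)
            if method == "password" and user in key_only_users:
                findings.append(("password-fallback", user, src))
            continue
        m = NEGOTIATE.search(line)
        if m:
            src, what, offer = m.groups()
            findings.append(("negotiation-failed", f"{what}: {offer}", src))
    return findings, {u: sorted(v) for u, v in methods.items()}


if __name__ == "__main__":
    found, per_user = audit(SAMPLE_LOG, {"backupconfig"})
    for kind, detail, src in found:
        print(f"{kind:20} {detail:30} from {src}")
    print(per_user)
```

Once the scheduled backup authenticates with the admin user's key, the `password-fallback` finding for the backup account should disappear from new log entries.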
PhoneBoy
Admin
Admin

You mentioned R81.20, which is not a valid version for Embedded Gaia.
In regular Gaia, I believe the admin user keys are used (but, again, could be wrong).

0 Kudos
