johnnyringo
Advisor

Allowing SSH username/password authentication to Gateways in AWS / GCP

We have several CheckPoint R80.30 or R80.40 gateways in AWS and GCP, all configured to use TACACS authentication requiring a 2FA token code.  

I'm able to login to the GAIA WebUI portal just fine via TACACS, but SSH appears to only accept public keys.  /var/log/secure on the gateway shows this:

Connection closed by authenticating user billybob 10.21.56.27 port 50620 [preauth]

To authenticate using username/password to SSH, do I need to muck around with /etc/ssh/sshd_config or is there an easy clish command to do this?  I found sk109587 but it's quite old, and only mentions R77.

To state the obvious, our gateways do not have port 22 open to the Internet, so we are not concerned about password cracking or account locking.  

9 Replies
PhoneBoy
Admin

The process should still be relevant for R8x.
Specifically, the sshd_config needs to be edited to enable password/root login.

johnnyringo
Advisor

This does work, although it should be noted that in R80.40 take 83 and above, the template file must be modified and copied over in order to preserve the setting upon reboot:

cp /etc/ssh/templates/sshd_config.templ /etc/ssh/templates/sshd_config.templ_backup
sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/templates/sshd_config.templ
sed -i 's/PermitRootLogin forced-commands-only/PermitRootLogin yes/' /etc/ssh/templates/sshd_config.templ
/usr/bin/sshd_template_xlate < /config/active
service sshd restart

I see sk109587 was updated with instructions to update and push the template file, but it's missing the full path on the 4th command.

0 Kudos
iesnoz
Participant

Hi

I have this same problem with version 81.20 HF 10. I copied the steps of johnnyringo to keep changes, and the SSH works initially, but after reboot the problem appears again; changes are not permanent, so I have to execute it on every reboot. To be more specific, the /etc/ssh/sshd_config keeps changes for the first PasswordAuthentication, but not for the last one in the file.
In sk109587 version 81.20 is not mentioned; does anybody know if it is going to be corrected or if the steps are different?

Thanks in advance.

0 Kudos
johnnyringo
Advisor

FYI it did change in R81.10, which is just these 3 lines in expert mode:

sed -i 's/PasswordAuthentication no/PasswordAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/PermitRootLogin forced-commands-only/PermitRootLogin yes/' /etc/ssh/sshd_config
service sshd reload

I'm not sure about R81.20; could be same as R81.10 or could be another change.

0 Kudos
iesnoz
Participant

Hi

Thanks for the reply, I tried these commands but the result is the same. Checking the sshd_config file I see that after reboot one of the PasswordAuthentication lines remains set as yes but the other is set as no:

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

Match address 0::0/0,0.0.0.0/0
PasswordAuthentication no
Match all

If I edit the file with vi editor and change to "yes" then I can connect with SSH, but only until restart. "PermitRootLogin" line remains always the same:

UseDNS no
PermitRootLogin yes
ClientAliveInterval 0

Kind regards.

0 Kudos
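The excerpt above explains the symptom: sshd uses the first value of a keyword in the global section, but a keyword set inside a Match block that applies to the connection overrides the global value, and "Match address 0::0/0,0.0.0.0/0" applies to every connection. So the "PasswordAuthentication no" under the Match block is the one sshd actually enforces, whatever the first line says. The script below is an added example (not from this thread or from Check Point) that reads an sshd_config-style file on stdin and reports the value sshd would apply for a keyword; it assumes every Match block applies, which holds for the two blocks shown in the thread, and the sample config it ships with is constructed from the posted excerpt.

```shell
#!/bin/sh
# Added example, not Check Point's code. Reports the effective value of an
# sshd_config keyword according to the sshd_config(5) rules:
#   - in the global section the first occurrence of a keyword wins;
#   - a keyword set in an applicable Match block overrides the global value;
#   - among several applicable Match blocks, the first one setting it wins.
# Assumption: every Match block applies to the connection (true for
# "Match all" and "Match address 0::0/0,0.0.0.0/0" as seen in the thread).

effective_value() {
    # $1 = keyword (case-insensitive); config text is read from stdin
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments/blank lines
        tolower($1) == "match" { in_match = 1; next }   # everything after is Match scope
        tolower($1) != key { next }
        in_match == 0 && global == ""  { global = $2 }  # first global value wins
        in_match == 1 && matched == "" { matched = $2 } # first Match value wins
        END { print (matched != "" ? matched : global) }
    '
}

sample_config() {
    # Constructed sample modelled on the sshd_config excerpt posted above.
    cat <<'EOF'
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
UseDNS no
PermitRootLogin yes
ClientAliveInterval 0

Match address 0::0/0,0.0.0.0/0
PasswordAuthentication no
Match all
EOF
}

# The global "yes" is shadowed by the Match block: sshd applies "no".
sample_config | effective_value PasswordAuthentication   # prints "no"
sample_config | effective_value PermitRootLogin          # prints "yes"
```

To check the live daemon rather than the file, OpenSSH's own extended test mode prints the effective configuration for a given connection, e.g. `sshd -T -C addr=10.21.56.27,user=billybob | grep -i passwordauthentication` in expert mode (the address and user here are the ones from the log line at the top of the thread). That is the quickest way to confirm whether a template change actually survived a reboot before reaching for chattr +i.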
PhoneBoy
Admin

You should be editing the template file  /etc/ssh/templates/sshd_config.templ rather than sshd_config directly.

0 Kudos
iesnoz
Participant

Hi PhoneBoy

Thanks for your reply. I checked the template and the commands are set to "yes". I rebooted, just in case, and again I have to edit the second "PasswordAuthentication", which stays at "no" in the sshd_config. I rechecked the template and both values are "yes":

[Expert@MGMT8120:0]# cat /etc/ssh/templates/sshd_config.templ | grep Password
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# PasswordAuthentication yes
# PAM authentication, then enable this but set PasswordAuthentication yes
PasswordAuthentication yes

Kind regards.

0 Kudos
PhoneBoy
Admin

Huh, looks like https://support.checkpoint.com/results/sk/sk109587 suggests to edit the sshd_config file directly in some versions.
If this isn't working as expected, I recommend a TAC case: https://help.checkpoint.com
If you want to be sure the sshd_config file doesn't get overwritten, make the file immutable (chattr +i).

0 Kudos
iesnoz
Participant

Thanks for the tip, I used "chattr +i" and after reboot SSH is working.

I will open a case with TAC anyway to check if sk109587 needs to be updated for version 81.20.

Thanks again for your help.

0 Kudos