This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bill_Ng
Collaborator
‎2018-07-12 06:13 AM

SSH authentication using RSA for uid=0

All,

I'm trying to write a bash script to run from my management station to connect to the gateways via ssh. I would like to utilize the login without password prompting. I followed sk95890 - How to configure SSH authentication on Gaia OS using RSA key files , but the problem is that the user cannot type in any GAIA commands. I then tried changing the uid of the user to uid=0, but that broke the authentication piece of it and I have to type in passwords. Anyone know of a way this can be accomplished with uid=0 account?

I apologize in advance if this is a double post from the day before.

Thanks in advance,

Bill

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2018-07-13 03:11 AM

Generally when you call ssh from a script, it's done in non-interactive mode, meaning you cannot interactively enter commands.

Can you share with us the relevant script fragment?

0 Kudos
Bill_Ng
Collaborator
‎2018-07-13 07:42 AM
In response to PhoneBoy

Hi Dameon,

I'm trying to use 'ssh -i /home/user1/.ssh/id_rsa 10.10.10.10 fw ver'.  user1 was created within the GAIA portal with uid=0.  The problem is that I can't get user1 to use the id_rsa file correctly to authenticate to the gateway.  It still prompts me for a password.  I noticed that when I created the rsa key it actually put it in /home/admin/.ssh.  If I changed the uid to 103 or something else I can use the id_rsa fine, but I can't fun the GAIA commands like 'fw ver, cphaprob stat' and others.

Hope that makes sense.  Let me know if you need more info.

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-13 08:39 AM
In response to Bill_Ng

What error do you get with that SSH command?

I suspect the issue is that the environment variables aren't getting set correctly for this other user.

0 Kudos
Bill_Ng
Collaborator
‎2018-07-13 09:48 AM
In response to PhoneBoy

I'm not getting an error per se. It's still prompting me for password to sign when I run that command from my management station to the gateway.

0 Kudos
Bill_Ng
Collaborator
‎2018-07-13 11:07 AM
In response to Bill_Ng

More info.

I was able to get the default 'admin' to authenticate to the gateway with rsa key.  The shell for 'admin' is /etc/cli.sh.  I want to keep the admin in clish.  So I created an admin-like user from the portal named 'user1' and changed the shell for that account to /bin/bash.  I followed all the same steps I did with the default 'admin' account.  I noticed when 'ssh-keygen' for the user1 account it by default wants to write it to /home/admin/.ssh not /home/user1/.ssh.  I did change the location to /home/user1/.ssh/ and named the file user1_rsa.  It created user1_rsa and user1_rsa.pub. and at the end of the file it puts in admin@managementservername and not user1@managementservername.  

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2018-07-13 12:34 PM

just put content of rsa key from /home/admin/.ssh into ".ssh/authorized_keys" under user where you are running script and execute ssh like this:

ssh my_test_user@ip_address

On remote host you need to have created user "my_test_user", create hidden folder .ssh under /home/my_test_user/,  create file "authorized_keys" in that folder and put rsa key already generated.

Kind regards,
Jozko Mrkvicka
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-07-13 01:56 PM

Then the other question is why would you want to run a SSH session from management to the GW? Why not use cprid to execute a script on the GW?

Regards, Maarten
JozkoMrkvicka
Authority
Authority
‎2018-07-14 11:47 AM
In response to Maarten_Sjouw

yep, the best option.

more info (including script) here.

Kind regards,
Jozko Mrkvicka
0 Kudos
Bill_Ng
Collaborator
‎2018-07-16 09:28 AM
In response to JozkoMrkvicka

Hi Jozko,

Thanks.  That did the trick for SSH.  It works now with the other ID.

Hi Maarten/Jozko,

I never knew of or have used 'cprid_util'.  In looking at link it looks like it will do the trick as well if not better using SIC.  I'll start playing around with cprid_util as well.  I was a little leary in trying to make ssh work.

Thank you both so much for pointing me in the right direction.

Bill

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events