Hi,
is it possible to activate the bashUser via script on an Embedded Gaia device?
I want to execute the following command in expert mode "bashUser on" via a bat-script from a Windows client.
I tried it with the tool "plink". With this tool, I'm able to login and execute several commands in the clish. But I have to be in expert mode to execute the "bashUser on" command.
But I have problems after using "expert" to provide the expert-password via the script.
On a normal Gaia appliance I can use the following (but on Embedded Gaia there is no set command for the shell):
C:\ScriptingTest\plink.exe -ssh admin@192.168.0.1 -pw vpn123 set user admin shell /bin/bash
Any idea how I can solve this?
Best regards,
Johannes
I fear that a script on a Win PC will not do - e.g. SSH will execute the given command in the default shell only, but you can see how this works from a CP SMS here: Reset Expert Password on an 1100
To activate bashUser, this would be:
$CPDIR/bin/cprid_util -server <IP of SMB> -verbose rexec -rcmd /bin/bash -c "bashUser on"
Hi Günther,
thanks for your answer.
I tried it today with the cprid_util command you provided, also slightly different variations. But sadly none of them worked.
I got a "Current user cannot be determined" when using the command above.
I was only able to use cprid_util for clish commands like "show clock" for example when using:
$CPDIR/bin/cprid_util -server <IP of SMB> -verbose rexec -rcmd /bin/clish -c "show clock"
The appliances are managed via SmartProvisioning, I think that will not cause any problems here, since clish commands will work. But every time I tried it with /bin/bash I got an error.
Best regards,
Johannes
Very strange - I tested it again now, and on the first time, it worked, but any other try would give Current user cannot be determined.
Very interesting - it works without issues on a locally managed 730, but only worked once on the 1200R.
No, it does not - I did some tests together with our Linux Guru and found that the error only shows on centrally managed SMBs, but the command is not executed in both cases!
Reason:
- This command is only working when SIC has been established --> so locally managed SMBs are not supported.
- Embedded GAiA seems to be different, so it also does not work as it is on SMBs with existing SIC, but at least gives an error message...
My colleague found the correct syntax needed to achieve this on centrally managed SMBs:
$CPDIR/bin/cprid_util -server <IP of SMB> -verbose rexec -rcmd /bin/bash -c "LOGNAME=admin bashUser on"
user: admin
Bash login enabled.
Scp access enabled.
Note:
Your default shell will now be bash,
and when you login you will enter expert mode.
We recommend that you use clish as your default shell,
and move to expert mode only when necessary.
You can move from bash to clish using the "clish" command.
To restore your default shell to clish run "bashUser off"
Seems that the environment variable LOGNAME is not set in Embedded GAiA...
Thank you very much for your troubleshooting and testing. I really appreciate this.
I will try this command in the next days.
Good luck! Please mark it as the correct answer if it also works for you.
The command also worked on my side. Thanks again Günther. This will help me a lot
I tested it with my SMB appliances and it seems to work, so marking as correct
As a follow-up you can find here the relevant SKs:
and the original cprid_util SK:
sk101047 How to manage Security Gateway using the "cprid_util" tool
I also did some testing and have found that the LOGNAME seems only to be needed by bashUser - other commands will work the same without it:
# $CPDIR/bin/cprid_util -server 172.x.x.x -verbose rexec -rcmd /bin/bash -c "free"
total used free shared buffers
Mem: 983408 831912 151496 0 25120
Swap: 0 0 0
Total: 983408 831912 151496
# $CPDIR/bin/cprid_util -server 172.x.x.x -verbose rexec -rcmd /bin/bash -c "fw ver -k"
This is Check Point's 1200R Appliance R77.20.75 - Build 286
kernel: R77.20.75 - Build 256
# $CPDIR/bin/cprid_util -server 172.28.8.177 -verbose rexec -rcmd /bin/clish -c "show diag"
Current system info
-----------------------------------
Image name: R77_990172286_20_75
Image version: 286
Bootloader version: 990170212
HW MAC Address: 00:1C:7F:
LAN MAC Address: 00:1C:7F:
DMZ MAC Address: 00:1C:7F:
Unit version: 1
Unit model: L61i
Marketing capabilities: 0
Marketing name: <Undefined>
ODM Hardware Revision: <Undefined>
Management opaque: Kb2XMJTTeWk=:xaYS3i++sLw=:zRlzLIL82ek=
Hardware capabilities: 1 - SD card
RTC status: OK
eMMC Initial bad blocks: 0
eMMC Current bad blocks: 0
eMMC Spare blocks: 118
HW monitor file system not found
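Added example, not part of the thread or of Check Point's tooling: a wrapper for the management server that applies the LOGNAME workaround to several gateways and counts anything other than the "Bash login enabled." confirmation as a failure, since the thread reports that a locally managed SMB prints no error although nothing is executed. `GW_USER`, `CPRID_UTIL` and the function names are assumptions; `cprid_util` is called only with the options quoted above.

```shell
#!/bin/bash
# Added example, not from the thread. Run in expert mode on the management
# server, where $CPDIR is set. GW_USER and CPRID_UTIL are assumed names.
GW_USER="${GW_USER:-admin}"
CPRID_UTIL="${CPRID_UTIL:-$CPDIR/bin/cprid_util}"

# Run one command in /bin/bash on a gateway, with the options used in the thread.
smb_rexec() {
    "$CPRID_UTIL" -server "$1" -verbose rexec -rcmd /bin/bash -c "$2"
}

# Map bashUser output to a state, using the messages quoted in the thread.
classify_bashuser() {
    case "$1" in
        *"Bash login enabled."*)               echo enabled ;;
        *"Current user cannot be determined"*) echo no-user ;;
        *)                                     echo unconfirmed ;;
    esac
}

# Enable bash login on one gateway. Succeeds only on explicit confirmation:
# the thread notes that a locally managed SMB prints no error although the
# command is not executed, so empty output must count as failure.
enable_bashuser() {
    eb_out="$(smb_rexec "$1" "LOGNAME=$GW_USER bashUser on" 2>&1)"
    eb_state="$(classify_bashuser "$eb_out")"
    echo "$1 $eb_state"
    [ "$eb_state" = enabled ]
}

# Restore clish as the default shell (assumes "bashUser off" needs LOGNAME too).
disable_bashuser() {
    smb_rexec "$1" "LOGNAME=$GW_USER bashUser off"
}

# Enable on every gateway given; return the number that did not confirm.
enable_all() {
    ea_failed=0
    for ea_gw in "$@"; do
        enable_bashuser "$ea_gw" || ea_failed=$((ea_failed + 1))
    done
    return "$ea_failed"
}
```

Because the gateway's own notice recommends clish as the default shell, call `disable_bashuser <IP of SMB>` once bash or SCP access is no longer needed.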