This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Danny
Champion
Champion
‎2017-08-30 11:51 PM

HowTo - Creating an scpuser account on Gaia Clish

While reviewing Check Point installations I often encounter setups where the shell of the admin user account was changed to /bin/bash in order to allow copying documents via scp to and from Check Point Gaia systems.

This is because the scponly shell isn't known.

Follow these steps to create an scpuser for copying documents securely without compromising your admin account.

[ R77.30 ]

add user scpuser uid 2600 homedir /home/scpuser
set user scpuser shell /usr/bin/scponly
set user scpuser password
save config‍‍‍‍‍‍‍‍

[ R80.x ]

add user scpuser uid 2600 homedir /home/scpuser
set user scpuser realname Scpuser
add rba role scpRole domain-type System readwrite-features expert
add rba user scpuser roles scpRole
set user scpuser gid 100 shell /usr/bin/scponly
set user scpuser password
save config‍‍‍‍‍‍‍‍‍‍‍‍‍‍
7 Replies
PhoneBoy
Admin
Admin
‎2017-09-01 12:42 PM

Good tip, but I'm going to move it to the https://community.checkpoint.com/community/infinity-general/appliances-and-gaia?sr=search&searchId=1...‌ forum Smiley Happy

0 Kudos
Astardzhiev
Contributor
‎2017-09-04 06:51 AM

Indeed it is very good tip, however you have to tweak little bit group permissions I believe... The reason is that if you create a capture with tcpdump (with admin user) and then try to download it via scp (using scpuser) you will not be allowed. I have faced something similar recently.

Quinn_Yost
Contributor
‎2017-09-05 06:57 AM
In response to Astardzhiev

I've adopted an old-school approach to the inability to read/write.  When creating the home directory for the scp user, I make sure to `chmod g+s` that directory.   This causes all subsequent files created there to be created with the group assigned to the directory rather than the group of the creating user.  Then when a tcpdump or similar is created, I specify the scp user's home directory as the path for the file.

Similarly, I only scp to the scp user's home directory and then move files around with the expert user.

Markusevc
Employee
Employee
‎2017-10-14 01:07 PM

Enabling SFTP

This alternative example describes how to enable SFTP access on a Security Gateway using the default “admin” account. Note: a Security Policy must already contain a rule that allows connections via SSH.


1. Connect via command line using the default “admin" account
2. Navigate to expert mode
3. Backup the current /etc/ssh/sshd_config file

cp /etc/ssh/sshd_config /etc/ssh/sshd_config_original

4. Edit the current /etc/ssh/sshd_config file:

vi /etc/ssh/sshd_config


5. Below the sftp line

#Subsystem sftp /usr/libexec/openssh/sftp-server

Add:

Subsystem sftp internal-sftp


6. Save the changes and exit from vi editor.

7. Restart the SSHD daemon

/sbin/service sshd restart


8. Now you can connect with the gateway with an SFTP client using TCP port 22.

Security Solutions Expert for Global Strategic Partners GSI/MSP/Telco & Consultancy Firms
G_W_Albrecht
Legend
Legend
‎2019-09-16 05:15 AM
In response to Markusevc

This is a real relevation for Mac OS users - now we can connect using Cyberduck instead of WinSCP !

Is this sftp server also available on Embedded GAiA units ?

CCSE CCTE SMB Specialist
0 Kudos
Alex_Lam1
Contributor
‎2019-05-13 06:14 AM

Thanks Danny.

That helps.

Wow R80.xx really changes a few stuffs 🙂 

 

0 Kudos
Denis_Spirin
Explorer
‎2019-09-16 01:54 AM

But what to do with permissions? Do you allow scpuser read access to /var/log? Do you create a specific folder, that belongs to scpuser? Manually setting permissions might be cumbersome.
0 Kudos