SSH (Linux) Server Access

You can access a remote application over SSH through a supported client.

Supported Clients

Operating System: Windows

Recommended Clients:

  • Win CMD

  • MobaXterm

  • PuTTY

  • SecureCRT

Operating System: macOS

Recommended Clients:

  • Mac basic Terminal

  • iTerm2

  • SecureCRT

Note - If you use any other client, the connection is terminated if it is idle for 5 minutes or you might experience connection issues.

Connection Modes

You can connect to the application over SSH with one of these modes:

  • One-time password (OTP)

  • SSH private key authentication

One-Time Password

For one-time access to an application, you can use the One-Time Password (OTP) to connect to the resource either through a terminal (for example, a CMD window) or a client (for example, PuTTY).

  1. In the Harmony Connect User App Portal, click the SSH application you want to connect to.

    The Connect to <application name> window appears (for example, Connect to AdminConsole).

  2. Do one of these:

    • To connect to the application through a terminal:

      1. Open the terminal window.

      2. Enter the Command from the Connect to AdminConsole window and run the command.

      3. At the Temporary access token prompt, enter the Password for the terminal from the Connect to AdminConsole window.

        The system connects to the application over SSH successfully.

      4. Proceed with authentication to the SSH application's host.

    • To connect to the resource through a client:

      1. Open the client (for example, PuTTY) and connect to the Host specified in the Connect to AdminConsole window.

      2. At the login as prompt in the client window, enter the Username from the Connect to AdminConsole window.

        The pre-authentication banner message from the server appears.

      3. At the Temporary access token prompt, enter the Password for the client from the Connect to AdminConsole window.

        The system connects to the application over SSH successfully.

      4. Proceed with authentication to the SSH application's host.

Note - The one-time password is for one time connection only and it expires after five minutes.

SSH Private Key Authentication

You can use a personal private key to connect to your servers without visiting the Harmony Connect portal for each connection.

  • Key Download

    1. Download your Check Point key from the user settings. Select the format (.PPK or .PEM) based on your operating system.

    2. If you use macOS or Linux, locate the key path and run this command to restrict the key permissions so that only your user can read the key:

    chmod 400 KEY

    Run this command to add the key to your SSH agent:

    ssh-add KEY

    Note - The key expires after 90 days, and you must then download a new key.

  • Connect With the Key

    To connect to the server using the private key through your terminal or client:

    • To connect to the server through your terminal, in Connect to AdminConsole, enter your private key and click copy.

    • To connect to server through your client, in Connect to AdminConsole, enter your Username, Host and Private key.

    For easier access, Check Point suggests you add this shell function to your .bashrc file:

    zerotrustaccess() { ssh -i KEY HOST -l "$USER#@$1::$2"; }

    • zerotrustaccess is the command you can use to access any server. You can change this to your convenience.

    • KEY is the full path of the key downloaded from the portal.

    • HOST is the SSH host provided in the window, when you click each server in the portal.

      After you replace the above items and reload your shell, run one of these commands to connect to any server:

      zerotrustaccess SERVER-NAME

      zerotrustaccess SERVER-ADDR


      Note -

    • If the SERVER-ADDR exists in multiple data centers, you must enter the site name:

      zerotrustaccess SERVER-ADDR::SITE-NAME

    • If your Harmony Connect Application-Level Access user can log in as more than one Linux user, you must specify the device user name in SERVER-ADDR:

      zerotrustaccess USERNAME@SERVER-ADDR
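The following is an added example, not Check Point's own code: a pre-flight wrapper around the zerotrustaccess() function above. It checks the local-side failure modes listed in the SSH Server Errors section (key missing, key permissions too open) before calling ssh, and builds the login name in the page's documented $USER#@SERVER::SITE form. ZTA_KEY, ZTA_HOST, ZTA_USER and all zta_* helper names are assumptions; KEY and HOST remain the placeholders you replace with your downloaded key path and the portal's SSH host.

```shell
# Added example wrapper around the page's zerotrustaccess() function.
# ZTA_KEY / ZTA_HOST default to the page's KEY / HOST placeholders (assumed names).
ZTA_KEY="${ZTA_KEY:-$HOME/.ssh/KEY}"
ZTA_HOST="${ZTA_HOST:-HOST}"

# Print the octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
zta_key_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Check that the private key exists and is readable only by its owner, which is
# the "Permissions 0644 for 'KEY' are too open" case from the error table.
# Returns 0 when usable, 1 when the file is missing, 2 when permissions are too open.
zta_check_key() {
    key="$1"
    [ -f "$key" ] || { echo "key not found: $key" >&2; return 1; }
    mode=$(zta_key_mode "$key")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "key permissions $mode are too open; run: chmod 400 $key" >&2; return 2 ;;
    esac
}

# Build the login name the page documents: $USER#@SERVER::SITE.
# SITE may be empty; the trailing "::" then stays, exactly as in the page's function.
# Usage: zta_login_name SERVER [SITE]
zta_login_name() {
    printf '%s#@%s::%s' "${ZTA_USER:-$USER}" "$1" "${2:-}"
}

# Same ssh invocation as the page's function, run only after the key checks pass.
zerotrustaccess() {
    zta_check_key "$ZTA_KEY" || return $?
    ssh -i "$ZTA_KEY" "$ZTA_HOST" -l "$(zta_login_name "$1" "${2:-}")"
}
```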

SSH Server Errors

Scenarios for SSH access failure:

Type: Connectivity

Error message: Timeout - Confirm that server address is configured correctly

Scenario: This error appears if:
  • Server address is incorrect.
  • Server is not accessible from the selected Connector.
  • Site is down.

Type: Connectivity

Error message: Connection refused - Confirm that server SSH service is up

Scenario: Server is accessible, but the SSH service is down.

Type: Connectivity

Error message: Bad configurations - Confirm that server account is configured correctly

Scenario: Server is accessible and the SSH service is up, but the configured account is incorrect (account name / password / key).

Type: Accessibility

Error message: Forbidden - You must log in to your Harmony Connect Application-Level account before connecting to the server

Scenario: For security reasons, users must have an active session with Harmony Connect Application-Level to connect to a server. This error appears if you do not have an active session. Go to your Harmony Connect Application-Level account at https://REGION.connect.checkpoint.com/ACCOUNT and log in.

Type: Accessibility

Error message: Unauthorized access - Ask your system administrator for access permissions to this server

Scenario: You do not have access permissions to connect to this resource.

Type: Permissions and secrets

Error message: Error - Unable to connect to server

Scenario: This error appears if:
  • Server name / address provided does not exist in the system.
  • Provided key does not exist in the provided path.
  • Provided key is expired or corrupted.

Type: Permissions and secrets

Error message: Invalid credentials - Confirm that your OTP is correct

Scenario: OTP provided is incorrect or expired.

Type: Permissions and secrets

Error message: (Bash Error) Permissions 0644 for 'KEY' are too open

Scenario: Key permissions are not set. Locate the key path and run the command: chmod 400 KEY-PATH