Configuring SSH Authentication with RSA Key Files

Prerequisites

  1. Console access / LOM Card access to the Gaia server.

  2. Administrator access to the Gaia server, or an equivalent user with the required permission.

Procedure

Notes:

  • For the initial setup, it is necessary to do each step only one time.

  • To configure more SSH users, it is necessary to do only steps 1 through 7.

  1. Create a pair of SSH keys.

    You can use these tools:

    • On a Windows OS computer - the PuTTYgen tool.

    • On the Gaia server (or on a Linux OS computer) - the "ssh-keygen" command.

      Important:

      • To use the "ssh-keygen" command on the Gaia server:

        1. Connect to the command line and log in to the Expert mode.

        2. Save the pair of the key files in some directory.

      • Save the private SSH key file on your SSH client computer.

      • You configure the public SSH key on the Gaia server later.

  2. Configure a new user on the Gaia server for the SSH connection and assign the administrator role.

    You can create and configure a new user in Gaia Portal or in Gaia Clish / Gaia gClish.

    • In Gaia Portal:

      Note - On Scalable Platforms (Maestro and Chassis), you must connect to the Gaia Portal of the applicable Security Group.

      Create a new user with these settings:

      • Default shell: /bin/bash

      • Assigned Role: adminRole (you can create another more limited role)

      In our example, the username is: filecopy


    • In Gaia Clish / Gaia gClish:

      Note - On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

      1. Create a new user.

        See Managing User Accounts in Gaia Clish.

        Example:

        MyGW> add user filecopy uid 103 homedir /home/filecopy
        WARNING Must set password and a role before user can login.
        - Use 'set user USER password' to set password.
        - Use 'add rba user USER roles ROLE' to set a role.
        MyGW>
        MyGW> set user filecopy password
        New password:
        Verify new password:
             
        MyGW>
      2. Assign the administrator role to the new user.

        See Configuring Roles in Gaia Clish.

        Note - You can create another more limited role.

        Example:

        MyGW> add rba user filecopy roles adminRole

      3. Configure the default shell /bin/bash for the new user.

        See Configuring Roles in Gaia Clish.

        Example:

        MyGW> set user filecopy shell /bin/bash

      4. Save the configuration:

        MyGW> save config

  3. Connect with an SSH client to the Gaia server.

  4. Log in with the new user.

    In our example, the username is: filecopy

    The default shell for this user is the Expert mode.

  5. Configure the required directory ".ssh" in the home directory:

    1. Create the directory ".ssh":

    2. Assign the required permissions to the new directory ".ssh":

  6. Configure the required file "authorized_keys":

    1. Create the required file "authorized_keys":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        touch ~/.ssh/authorized_keys

      • On a Scalable Platform Security Group:

        g_all touch ~/.ssh/authorized_keys

    2. Assign the required permissions to the new file "authorized_keys":

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        chmod -v u=rw,g=,o= ~/.ssh/authorized_keys

      • On a Scalable Platform Security Group:

        g_all chmod -v u=rw,g=,o= ~/.ssh/authorized_keys

    3. Edit the "authorized_keys" file:

      vi ~/.ssh/authorized_keys

    4. Paste the SSH key you created earlier into this file.

      • Always copy the public key exactly as generated, without extra spaces or line breaks.

      • For RSA, the string must start with: ssh-rsa

    5. Save the changes in the file and exit the editor.

    6. On a Scalable Platform Security Group, copy the modified file to all Security Group Members:

      asg_cp2blades ~/.ssh/authorized_keys

  7. Make the required changes in the SSH configuration template for the Gaia Operating System:

    1. Back up the sshd_config.templ file:

      • On a Security Gateway / Cluster Member / Management Server / Log Server:

        cp -v /etc/ssh/templates/sshd_config.templ{,_BKP}

      • On a Scalable Platform Security Group:

        g_all cp -v /etc/ssh/templates/sshd_config.templ{,_BKP}

    2. Edit the sshd_config.templ file:

      vi /etc/ssh/templates/sshd_config.templ

    3. At the bottom of the file, change the line:

      from

      PasswordAuthentication yes

      to:

      PasswordAuthentication no

    4. Save the changes in the file and exit the editor.

    5. On a Scalable Platform Security Group, copy the modified file to all Security Group Members:

      asg_cp2blades /etc/ssh/templates/sshd_config.templ

  8. Import the changes from the SSH configuration template into the running Gaia configuration:

    • On a Security Gateway / Cluster Member / Management Server / Log Server:

      /usr/bin/sshd_template_xlate < /config/active

    • On a Scalable Platform Security Group:

      g_all /usr/bin/sshd_template_xlate < /config/active

  9. Restart the SSHD process:

    • On a Security Gateway / Cluster Member / Management Server / Log Server:

      service sshd restart

    • On a Scalable Platform Security Group:

      g_all service sshd restart

  10. Close the current SSH connection for the new user.

  11. Connect with an SSH client to the Gaia server.

  12. Log in with the new user with the private SSH key.

    In our example, the username is: filecopy

    Example:

    login as: filecopy
    This system is for authorized use only.
    Authenticating with public key "rsa-key-20230207"
    Last login: Sun Jul  2 15:08:58 2023 from 172.20.213.71
    [Expert@MyGW:0]#
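The following shell script is an added example and not Check Point's own code or commands. It rehearses steps 5 through 7 of the procedure above inside a scratch directory created with mktemp, so it runs anywhere without touching a live Gaia server, and it adds the checks a practitioner wants before restarting sshd: the pasted key must be a single line that begins with ssh-rsa and carries no stray whitespace or carriage returns (the usual failure when the key comes from a Windows editor or from PuTTYgen's own key-file format), and the template must no longer allow password authentication. The permission string for the ~/.ssh directory (u=rwx,g=,o=) is an assumption chosen to match the style the procedure uses for authorized_keys; the function and variable names are mine, and the public key body is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not Check Point's code). Rehearses steps 5-7 of the
# procedure against a scratch directory instead of a live Gaia server.
# Assumed real targets: ~/.ssh and /etc/ssh/templates/sshd_config.templ.
set -eu

# Step 5: ~/.ssh with owner-only access (sshd ignores keys in a directory
# others can read). The u=rwx,g=,o= string is an assumption matching the
# file-permission style the procedure uses in step 6.
setup_ssh_dir() {
    home_dir="$1"
    mkdir -p "$home_dir/.ssh"
    chmod u=rwx,g=,o= "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod u=rw,g=,o= "$home_dir/.ssh/authorized_keys"
}

# Step 6.4: append a public key only if it is one line, starts with
# "ssh-rsa" and has no CR characters or surrounding whitespace.
# Returns 1 (and appends nothing) when the key fails that check.
install_pubkey() {
    home_dir="$1"
    key="$(printf '%s' "$2" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
    if [ "$(printf '%s\n' "$key" | grep -c '')" -ne 1 ]; then
        echo "rejected: key must be a single line (no line breaks)" >&2
        return 1
    fi
    if ! printf '%s\n' "$key" | grep -Eq '^ssh-rsa [A-Za-z0-9+/]+=*( [^[:space:]]+)?$'; then
        echo "rejected: key must start with 'ssh-rsa' followed by base64" >&2
        return 1
    fi
    printf '%s\n' "$key" >> "$home_dir/.ssh/authorized_keys"
}

# Step 7: back up the template (same _BKP suffix as the procedure), then
# rewrite "PasswordAuthentication yes" as "PasswordAuthentication no".
# Every other line is left untouched.
disable_password_auth() {
    templ="$1"
    cp "$templ" "${templ}_BKP"
    sed 's/^[[:space:]]*PasswordAuthentication[[:space:]]\{1,\}yes[[:space:]]*$/PasswordAuthentication no/' \
        "$templ" > "$templ.tmp"
    mv "$templ.tmp" "$templ"
}

# Verification helpers: exit status 0 when the expected state holds.
ssh_dir_is_private() {
    find "$1/.ssh" -maxdepth 0 -perm 0700 | grep -q . &&
    find "$1/.ssh/authorized_keys" -maxdepth 0 -perm 0600 | grep -q .
}
password_auth_disabled() {
    grep -Eq '^PasswordAuthentication[[:space:]]+no$' "$1" &&
    ! grep -Eq '^PasswordAuthentication[[:space:]]+yes' "$1"
}

# Constructed sample data: scratch home, placeholder key, minimal template.
WORK="$(mktemp -d)"
FAKE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedPlaceholderKeyBody0123456789== filecopy@client'
TEMPL="$WORK/sshd_config.templ"
printf 'Port 22\nPubkeyAuthentication yes\nPasswordAuthentication yes\n' > "$TEMPL"

setup_ssh_dir "$WORK"
install_pubkey "$WORK" "$FAKE_KEY"
disable_password_auth "$TEMPL"
```

On a real system the paths are the ones the procedure names, and on a Scalable Platform Security Group each command runs under g_all with the edited files pushed by asg_cp2blades, exactly as the steps show. One practical caveat the procedure's prerequisites hint at: once PasswordAuthentication is set to no and sshd is restarted, a rejected key means no remote login at all, so keep an existing session open until the key-based login in step 12 has succeeded, and fall back to console or LOM access if it does not.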