Configuring the Gaia OS for SCP Connection

Important:

On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must connect to the Gaia Portal Web interface for the Check Point Gaia operating system. of the applicable Security Group.
On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must run the applicable commands in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. gClish of the applicable Security Group.
After you add, configure, or delete features, run the "save config" command to save the settings permanently.. Scalable Platforms save the changes automatically.

Background

To connect with an SCP client (for example, WinSCP) to the Gaia operating system, the default shell of the user that connects must be set to /bin/bash.

Important - On a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., the Access Control policy must allow the SCP connection. Limit the source only to known hosts on your internal networks.

There are two configuration options:

Configure a dedicated user for SCP connections that has permissions only to its home directory (recommended).
Temporarily change the default shell of an administrator user.

Permanent Configuration (recommended)

Procedure in Gaia Portal for permanent configuration of an SCP user

Connect to Gaia Portal.

Add the applicable limited Gaia OS role:

In the left tree, click User Management > Roles.
On the top toolbar, click Add.
In the Role Name field, enter the desired name for this role.

For example: SCPonlyRole

In the search field above the features, enter:

expert mode

To the left of the feature Expert Mode, click in the R/W column and click Read / Write.
At the bottom, click OK.

Add the applicable limited Gaia OS user:
1. In the left tree, click User Management > Users.
2. On the top toolbar, click Add.
3. In the Login field, configure the desired username.
4. In the Password field, configure the desired password.
5. In the Real Name field, configure the desired name.
6. In the Confirm Password field, enter the same password.
7. In the Shell field, select /usr/bin/scponly.
8. In the UID field, enter the an integer between 103 and 65533.
9. In the Access Mechanisms section, clear all checkboxes.
10. In the Available Roles section, click the limited role you created earlier (in our example: SCPonlyRole) and click Add.
11. At the bottom, click OK.

Procedure in Gaia Clish for permanent configuration of an SCP user

Connect to the command line on Gaia OS.
Log in.

If your default shell is the Expert mode, go to Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).:

clish

Add the applicable limited Gaia OS role:

In our example, the role name is "SCPonlyRole".

add rba role SCPonlyRole domain-type System readwrite-features expert

Add the applicable limited Gaia OS user:

Add the username with the required UID and the home directory:

add user SCPonly uid 103 homedir /home/SCPonly

Notes:

In our example, the username is "SCPonly".
The user UID must be an integer between 103 and 65533.

Optional: Configure a desired real name for this user:

set user SCPonly realname "SCP-only user"

Assign the limited Gaia OS role you created earlier:

add rba user SCPonly roles SCPonlyRole

Assign the limited SCP-only shell and the Group ID:

set user SCPonly gid 100 shell /usr/bin/scponly

Configure the password for this limited user:

set user SCPonly password

When prompted, enter the password and confirm it.

Save the changes in the Gaia OS database:

save config

Temporary Configuration

Procedure in Gaia Portal for temporary configuration of an SCP user

Connect to Gaia Portal.
In the left tree, click User Management > Users.
Select your user and click Edit.
In the Shell field, select /bin/bash.
At the bottom, click OK.
Connect with an SCP client to this Gaia server and transfer the required files.
Connect to Gaia Portal.
In the left tree, click User Management > Users.
Select your user and click Edit.
In the Shell field, select /bin/cli.sh.
At the bottom, click OK.

Procedure in Gaia Clish for temporary configuration of an SCP user

Connect to the command line on Gaia OS.
Log in.

If your default shell is the Expert mode, go to Gaia Clish:

clish

Change the default shell to /bin/bash (Expert mode):

set user <username> shell /bin/bash

Example for the username 'admin':

set user admin shell /bin/bash

Connect with an SCP client to this Gaia server and transfer the required files.

Change the default shell to /bin/cli.sh (Gaia Clish):

set user <username> shell /bin/cli.sh

Example for the username 'admin':

set user admin shell /bin/cli.sh

Save the changes in the Gaia OS database to be sure:

save config