Configuring SSH Authentication with RSA Key Files
Prerequisites
-
Console access / LOM access to the Gaia
Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. server -
Administrator access to the Gaia server, or an equivalent user with the required permission
-
The Gaia server must run version R80.40 with Take 83, or a higher version.
|
|
Notes:
|
Procedure
-
Create a pair of SSH keys.
You can use these tools:
-
On a Windows OS computer - the PuTTYgen tool.
-
On the Gaia server (or on a OS computer) - the "
ssh-keygen" command.
Important:
-
To use the "
ssh-keygen" command on the Gaia server:-
Connect to the command line and log in to the Expert mode.
-
Save the pair of key files in some directory.
-
-
Save the private SSH key file on your SSH client computer.
-
You configure the public SSH key on the Gaia server later.
-
-
-
Configure a new user on the Gaia server for the SSH connection and assign the administrator role.
You can create and configure a new user in Gaia Portal
Web interface for the Check Point Gaia operating system. or Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell)..-
In Gaia Portal:
Create a new user with these settings:
-
Default shell:
/bin/bash -
Assigned Role:
adminRole(you can create another more limited role)In our example, the username is:
filecopySee:
In Gaia Clish:
-
Create a new user.
See Managing User Accounts in Gaia Clish.
Example:
MyGW> add user filecopy uid 103 homedir /home/filecopy WARNING Must set password and a role before user can login. - Use 'set user USER password' to set password. - Use 'add rba user USER roles ROLE' to set a role. MyGW> set user filecopy password New password: Verify new password: MyGW> -
Assign the administrator role to the new user.
See Configuring Roles in Gaia Clish.
Note - You can create another more limited role.
Example:
MyGW> add rba user filecopy roles adminRole -
Configure the default shell /bin/bash for the new user.
See Configuring Roles in Gaia Clish.
Example:
MyGW> set user filecopy shell /bin/bash -
Save the configuration:
MyGW> save config
-
-
-
Connect with an SSH client to the Gaia server.
-
Log in with the new user.
In our example, the username is:
filecopy. -
Make sure you are in the home directory:
cd ~ ; pwd -
Configure the required directory "
.ssh":-
Create the directory "
.ssh":mkdir -v .ssh -
Assign the required permissions to the new directory "
.ssh":chmod -v u=rwx,g=,o= ~/.ssh
-
-
Configure the required file "
authorized_keys":-
Create the required file "
authorized_keys":touch ~/.ssh/authorized_keys -
Assign the required permissions to the new file "
authorized_keys":chmod -v u=rw,g=,o= ~/.ssh/authorized_keys -
Edit the "
authorized_keys" file:vi ~/.ssh/authorized_keys -
Paste the SSH key you created earlier into this file.
-
Save the changes in the file and exit the editor.
-
-
Make the required changes in the SSH configuration template for the GaiaOperating System:
-
Back up the
sshd_config.templfile:cp -v /etc/ssh/templates/sshd_config.templ{,_BKP}d -
Edit the
sshd_config.templfile:vi /etc/ssh/templates/sshd_config.templ -
At the bottom of the file, change the line:
from
PasswordAuthentication yesto:
PasswordAuthentication no -
Save the changes in the file and exit the editor.
-
-
Import the changes from the SSH configuration template into the running Gaia configuration:
/usr/bin/sshd_template_xlate < /config/active -
Restart the SSHD process:
service sshd restart -
Close the current SSH connection for the new user.
-
Connect with an SSH client to the Gaia server.
-
Log in with the new user with the private SSH key.
In our example, the username is:
filecopyExample:
login as: filecopy This system is for authorized use only. Authenticating with public key "rsa-key-20230207" Last login: Sun Jul 2 15:08:58 2023 from 172.20.213.71 [Expert@MyGW:0]#