Configuring the Gaia OS for SCP Connection

Important:

  • On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must connect to the Gaia Portal of the applicable Security Group.

  • On Scalable Platforms (ElasticXL, Maestro, and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.

  • After you add, configure, or delete features, run the "save config" command to save the settings permanently. Scalable Platforms save the changes automatically.

Background

To connect with an SCP client (for example, WinSCP) to the Gaia operating system, the default shell of the user that connects must be set to /bin/bash.

Important - On a Security Gateway / Cluster, the Access Control policy must allow the SCP connection. Limit the source only to known hosts on your internal networks.

There are two configuration options:

  • Configure a dedicated user for SCP connections that has permissions only to its home directory (recommended).

  • Temporarily change the default shell of an administrator user.

Permanent Configuration (recommended)

  1. Connect to Gaia Portal.

  2. Add the applicable limited Gaia OS role:

    1. In the left tree, click User Management > Roles.

    2. On the top toolbar, click Add.

    3. In the Role Name field, enter the desired name for this role.

      For example: SCPonlyRole

    4. In the search field above the features, enter:

      expert mode

    5. To the left of the feature Expert Mode, click in the R/W column and click Read / Write.

    6. At the bottom, click OK.

  3. Add the applicable limited Gaia OS user:

    1. In the left tree, click User Management > Users.

    2. On the top toolbar, click Add.

    3. In the Login field, configure the desired username.

    4. In the Password field, configure the desired password.

    5. In the Real Name field, configure the desired name.

    6. In the Confirm Password field, enter the same password.

    7. In the Shell field, select /usr/bin/scponly.

    8. In the UID field, enter the an integer between 103 and 65533.

    9. In the Access Mechanisms section, clear all checkboxes.

    10. In the Available Roles section, click the limited role you created earlier (in our example: SCPonlyRole) and click Add.

    11. At the bottom, click OK.

  1. Connect to the command line on Gaia OS.

  2. Log in.

  3. If your default shell is the Expert mode, go to Gaia Clish:

    clish

  4. Add the applicable limited Gaia OS role:

    In our example, the role name is "SCPonlyRole".

    add rba role SCPonlyRole domain-type System readwrite-features expert

  5. Add the applicable limited Gaia OS user:

    1. Add the username with the required UID and the home directory:

      add user SCPonly uid 103 homedir /home/SCPonly

      Notes:

      • In our example, the username is "SCPonly".

      • The user UID must be an integer between 103 and 65533.

    2. Optional: Configure a desired real name for this user:

      set user SCPonly realname "SCP-only user"

    3. Assign the limited Gaia OS role you created earlier:

      add rba user SCPonly roles SCPonlyRole

    4. Assign the limited SCP-only shell and the Group ID:

      set user SCPonly gid 100 shell /usr/bin/scponly

    5. Configure the password for this limited user:

      set user SCPonly password

      When prompted, enter the password and confirm it.

    6. Save the changes in the Gaia OS database:

      save config

Temporary Configuration

  1. Connect to Gaia Portal.

  2. In the left tree, click User Management > Users.

  3. Select your user and click Edit.

  4. In the Shell field, select /bin/bash.

  5. At the bottom, click OK.

  6. Connect with an SCP client to this Gaia server and transfer the required files.

  7. Connect to Gaia Portal.

  8. In the left tree, click User Management > Users.

  9. Select your user and click Edit.

  10. In the Shell field, select /bin/cli.sh.

  11. At the bottom, click OK.

  1. Connect to the command line on Gaia OS.

  2. Log in.

  3. If your default shell is the Expert mode, go to Gaia Clish:

    clish

  4. Change the default shell to /bin/bash (Expert mode):

    set user <username> shell /bin/bash

    Example for the username 'admin':

    set user admin shell /bin/bash

  5. Connect with an SCP client to this Gaia server and transfer the required files.

  6. Change the default shell to /bin/cli.sh (Gaia Clish):

    set user <username> shell /bin/cli.sh

    Example for the username 'admin':

    set user admin shell /bin/cli.sh

  7. Save the changes in the Gaia OS database to be sure:

    save config