SSH Authentication

Starting from R81.10.00, you can use RSA key-based authentication instead of password-based authentication when you log in with SSH.

Warning - This configuration does not survive a firmware upgrade.

Procedure:

  1. On a Linux OS, create the RSA key and export its public key in the OpenSSH format.

    • On a Linux OS, you can use openssl or any other tool.

    • On Check Point Gaia OS (not Gaia Embedded, the Check Point Gaia-based operating system on Quantum Spark Appliances), use this command:

      ssh-keygen -t rsa -b 4096

      Example from a Gaia OS server:

      Note - In this example, the /home/admin/MyKey file is the RSA Private Key, and the /home/admin/MyKey.pub file is the RSA Public Key.

      [Expert@HostName:0]# ssh-keygen -t rsa -b 4096
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/MyKey
      Enter passphrase (empty for no passphrase): ****
      Enter same passphrase again: ****
      Your identification has been saved in /home/admin/MyKey.
      Your public key has been saved in /home/admin/MyKey.pub.
      The key fingerprint is:
      XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX admin@HostName
      [Expert@HostName:0]#


  2. Transfer the file with the public key in the OpenSSH format (in the above example - /home/admin/MyKey.pub) to the Quantum Spark Appliance, to the /storage/ partition.

  3. Connect to the command line on the Quantum Spark Appliance.

  4. Log in to the Expert mode.

  5. Create the required directory:

    mkdir /storage/.ssh

  6. Configure the required permissions on this directory:

    chmod 700 /storage/.ssh

  7. Move the file with the public key to the new directory and change the file's name to "authorized_keys":

    mv /storage/MyKey.pub /storage/.ssh/authorized_keys

  8. Configure the required permissions on the file with the public key:

    chmod 600 /storage/.ssh/authorized_keys

  9. Edit the /pfrm2.0/etc/sshd_config file:

    1. Edit the file:

      vi /pfrm2.0/etc/sshd_config

    2. Search for the line that starts with:

      AuthorizedKeysFile

      After a firmware installation / upgrade, the default line is:

      AuthorizedKeysFile       none

    3. In this line, change the value from "none" to the absolute path of the "authorized_keys" file with the public key:

      AuthorizedKeysFile       /storage/.ssh/authorized_keys

    4. Save the changes in the file and exit the Vi editor.

  10. Reboot the Quantum Spark Appliance.
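
Because this configuration does not survive a firmware upgrade, it is worth re-checking the result of steps 5 to 9 after every upgrade and reboot. The shell function below is an added example, not part of the original Check Point procedure: it audits the directory and file permissions, the content of "authorized_keys" and the AuthorizedKeysFile line. The function names are hypothetical, and it assumes that a POSIX shell with ls, cut, grep and awk is available in Expert mode.

```shell
#!/bin/sh
# Added example (not Check Point code): audit the key-based SSH setup from steps 5-9.
# Defaults are the paths used on this page; both can be overridden for offline testing.

# mode_of PATH -> prints the 10-character permission string, e.g. drwx------
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# check_ssh_key_setup [SSH_DIR] [SSHD_CONFIG]
# Prints one line per problem and returns the number of problems found.
check_ssh_key_setup() {
    ssh_dir=${1:-/storage/.ssh}
    sshd_config=${2:-/pfrm2.0/etc/sshd_config}
    keys="$ssh_dir/authorized_keys"
    problems=0

    if [ "$(mode_of "$ssh_dir")" != "drwx------" ]; then
        echo "FAIL: $ssh_dir missing or not mode 700"; problems=$((problems + 1))
    fi
    if [ "$(mode_of "$keys")" != "-rw-------" ]; then
        echo "FAIL: $keys missing or not mode 600"; problems=$((problems + 1))
    fi
    # A private key copied by mistake must never sit on the appliance.
    if grep -q "PRIVATE KEY" "$keys" 2>/dev/null; then
        echo "FAIL: $keys contains a private key"; problems=$((problems + 1))
    fi
    # Assumption: the file is a bare .pub file as in step 7, so every non-empty,
    # non-comment line starts with "ssh-rsa" (no per-key options prefix).
    if grep -v -e '^[[:space:]]*$' -e '^#' "$keys" 2>/dev/null |
        grep -qv '^ssh-rsa [A-Za-z0-9+/=]\{1,\}'; then
        echo "FAIL: $keys has a line that is not an ssh-rsa public key"; problems=$((problems + 1))
    fi
    # sshd uses the first value it reads for a keyword; after a firmware
    # installation or upgrade this line is back to "none".
    configured=$(awk 'tolower($1) == "authorizedkeysfile" { print $2; exit }' "$sshd_config" 2>/dev/null)
    if [ "$configured" != "$keys" ]; then
        echo "FAIL: AuthorizedKeysFile is '${configured:-unset}', expected $keys"; problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: key-based SSH login is configured"
    return "$problems"
}
```

Source the file and run check_ssh_key_setup with no arguments to check the paths from this page; a non-zero return value is the number of failed checks.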