SSH Authentication
Starting from R81.10.00, you can use RSA key authorization instead of password-based authentication when you log in with SSH.
Warning - This configuration does not survive a firmware upgrade.
Procedure:
- On a Linux OS, create the RSA key and export its public key in the OpenSSH format.
  - On a Linux OS, you can use openssl or any other tool.
  - On Check Point Gaia OS (not ) use this command:
ssh-keygen -t rsa -b 4096
Example from a Gaia OS server:
Note - In this example, the /home/admin/MyKey file is the RSA Private Key, and the /home/admin/MyKey.pub file is the RSA Public Key.
[Expert@HostName:0]# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/MyKey
Enter passphrase (empty for no passphrase): ****
Enter same passphrase again: ****
Your identification has been saved in /home/admin/MyKey.
Your public key has been saved in /home/admin/MyKey.pub.
The key fingerprint is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX admin@HostName
[Expert@HostName:0]#
Notes:
  - When prompted, enter a path and a file name in which to save the RSA private key.
  - When prompted, enter a passphrase - this becomes the user's password.
  - You can append several public keys to the authorized_keys file. These keys are valid for all administrators configured on the appliance.
- Transfer the file with the public key in the OpenSSH format (in the above example - /home/admin/MyKey.pub) to the Quantum Spark Appliance, to the /storage/ partition.
- Connect to the command line on the Quantum Spark Appliance.
- Log in to the Expert mode.
- Create the required directory:
mkdir /storage/.ssh
- Configure the required permissions on this directory:
chmod 700 /storage/.ssh
- Move the file with the public key to the new directory and change the file's name to "authorized_keys":
mv /storage/MyKey.pub /storage/.ssh/authorized_keys
- Configure the required permissions on the file with the public key:
chmod 600 /storage/.ssh/authorized_keys
- Edit the file /pfrm2.0/etc/sshd_config:
  - Open the file in the editor:
vi /pfrm2.0/etc/sshd_config
  - Search for the line that starts with:
AuthorizedKeysFile
After a firmware installation / upgrade, the default line is:
AuthorizedKeysFile none
  - In this line, change the value from "none" to the absolute path of the "authorized_keys" file with the public key:
AuthorizedKeysFile /storage/.ssh/authorized_keys
  - Save the changes and exit the Vi editor.
- Reboot the Quantum Spark Appliance.
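The appliance-side steps above (directory, permissions, key file, sshd_config edit) collected into one rehearsable shell function, plus a pre-reboot check. This is an added example, not Check Point's own tooling; the function names are hypothetical, it assumes the page's paths, takes an optional root prefix so the steps can be dry-run in a scratch directory, and appends the key rather than moving it so keys already installed for other administrators are kept.

```shell
#!/bin/sh
# Added example, not Check Point tooling. ROOT is an optional prefix for the
# appliance paths (/storage, /pfrm2.0) so the steps can be rehearsed in a
# scratch directory; on the appliance itself call it with no arguments.
install_spark_authorized_keys() {
    root="${1:-}"
    pubkey="${2:-$root/storage/MyKey.pub}"   # public key transferred to /storage/
    sshd_config="$root/pfrm2.0/etc/sshd_config"
    keydir="$root/storage/.ssh"
    keyfile="$keydir/authorized_keys"

    # Only accept an OpenSSH-format RSA public key line (the page covers RSA keys).
    grep -Eq '^ssh-rsa [A-Za-z0-9+/]+=*( |$)' "$pubkey" || return 1

    # Directory 700 and file 600, as the procedure requires.
    mkdir -p "$keydir" && chmod 700 "$keydir" || return 1
    # Append instead of mv so keys already installed for other admins survive.
    cat "$pubkey" >> "$keyfile" && chmod 600 "$keyfile" || return 1

    # Replace "AuthorizedKeysFile none" (the post-upgrade default) with the
    # absolute path; add the directive if the config has none at all.
    if grep -q '^AuthorizedKeysFile[[:space:]]' "$sshd_config"; then
        sed 's#^AuthorizedKeysFile[[:space:]].*#AuthorizedKeysFile /storage/.ssh/authorized_keys#' \
            "$sshd_config" > "$sshd_config.tmp" && mv "$sshd_config.tmp" "$sshd_config" || return 1
    else
        echo 'AuthorizedKeysFile /storage/.ssh/authorized_keys' >> "$sshd_config" || return 1
    fi
}

# Pre-reboot check: a wrong mode or path means key login silently falls
# back to the password prompt, so verify all three conditions first.
verify_spark_authorized_keys() {
    root="${1:-}"
    keydir="$root/storage/.ssh"
    [ -n "$(find "$keydir" -maxdepth 0 -type d -perm 700 2>/dev/null)" ] || return 1
    [ -n "$(find "$keydir/authorized_keys" -maxdepth 0 -type f -perm 600 2>/dev/null)" ] || return 1
    grep -Eq '^AuthorizedKeysFile[[:space:]]+/storage/\.ssh/authorized_keys[[:space:]]*$' \
        "$root/pfrm2.0/etc/sshd_config"
}
```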