SSH Authentication

Starting from R81.10.00, you can use RSA key authorization instead of password-based authentication when you log in with SSH.

Warning - This configuration does not survive a firmware upgrade.

Procedure:

1. On a Linux OS, create the RSA key and export its public key in the openSSH format.

   • On a Linux OS, you can use openssl or any other tool.

   • On Check Point Gaia OS (not Gaia Embedded Check Point Gaia-based Operating System on Quantum Spark Appliances.) use this command:

     ssh-keygen -t rsa -b 4096

     Example from a Gaia OS server:

     Note - In this example, the /home/admin/MyKey file is the RSA Private Key, and the /home/admin/MyKey.pub file is the RSA Public Key.

     [Expert@HostName:0]# ssh-keygen -t rsa -b 4096

     Generating public/private rsa key pair.

     Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/MyKey

     Enter passphrase (empty for no passphrase): ****

     Enter same passphrase again: ****

     Your identification has been saved in /home/admin/MyKey.

     Your public key has been saved in /home/admin/MyKey.pub.

     The key fingerprint is:

     XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX admin@HostName

     [Expert@HostName:0]#

     Notes: See https://linux.die.net/man/1/ssh-keygen See https://www.ssh.com/academy/ssh/keygen When prompted, enter a path and a file name, in which to save the RSA private key When prompted, enter a passphrase - this becomes the user's password You can append several keys in this file. These keys are valid for all administrators configured on the appliance.

2. Transfer the file with the public key in the OpenSSH format (in the above example - /home/admin/MyKey.pub) to the Quantum Spark Appliance, to the /storage/ partition.

3. Connect to the command line on the Quantum Spark Appliance.

4. Log in to the Expert mode.

5. Create the required directory:

   mkdir /storage/.ssh

6. Configure the required permissions on this directory:

   chmod 700 /storage/.ssh

7. Move the file with the public key to the new directory and change the file's name to "authorized_keys":

   mv /storage/MyKey.pub /storage/.ssh/authorized_keys

8. Configure the required permissions on the file with the public key:

   chmod 600 /storage/.ssh/authorized_keys

9. Edit file /pfrm2.0/etc/sshd_config:

   1. Edit the file:

      vi /pfrm2.0/etc/sshd_config

   2. Search for the line that starts with:

      AuthorizedKeysFile

      After a firmware installation / upgrade, the default line is:

      AuthorizedKeysFile       none

   3. In this line, change the value from "none" to the absolute path of the "authorized_keys" file with the public key:

      AuthorizedKeysFile       /storage/.ssh/authorized_keys

   4. Save changes in the file and exit Vi editor.

10. Reboot the Quantum Spark Appliance.