SSH Authentication

Starting from R81.10.00, you can use RSA public key authentication instead of password-based authentication when you log in over SSH.

Warning - This configuration does not survive a firmware upgrade.

Procedure:

  1. Create the RSA key and export its public key in the OpenSSH format.

    • On the Check Point Gaia OS (not Gaia Embedded OS), use this command in the Expert mode:

      1. Run the command:

        ssh-keygen -t rsa -b 4096

      2. In this prompt, enter the required path and the file name for the RSA Private Key:

        Enter file in which to save the key (/home/admin/.ssh/id_rsa):

        Note - You can append several public keys to the "authorized_keys" file that you create on the appliance later in this procedure (see step 9).

        These keys are valid for all administrators configured on the Quantum Spark appliance.

      3. In this prompt, just press the Enter key:

        Enter passphrase (empty for no passphrase):

      4. In this prompt, just press the Enter key:

        Enter same passphrase again:

      Example from a Gaia OS server:

      Note - In this example, the "/home/admin/MyKey" file is the RSA Private Key, and the "/home/admin/MyKey.pub" file is the RSA Public Key.

      [Expert@HostName:0]# ssh-keygen -t rsa -b 4096
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/admin/.ssh/id_rsa): /home/admin/MyKey
      Enter passphrase (empty for no passphrase): Press the Enter Key
      Enter same passphrase again: Press the Enter Key
      Your identification has been saved in /home/admin/MyKey.
      Your public key has been saved in /home/admin/MyKey.pub.
      The key fingerprint is:
      SHA256:iru...   ...   ...   ...   ...   ...bKrY admin@HostName
      The key's randomart image is:
      +---[RSA 4096]----+
      |B=*. ..          |
      |.B =o...         |
      |  *o=.  .        |
      |   O.. .         |
      |..* = . S        |
      |...@ = *         |
      | E= O * .        |
      |   = * .         |
      |  ..B..          |
      +----[SHA256]-----+
      [Expert@HostName:0]#
    • On a Linux OS, you can use the "openssl" command or any other applicable tool.

      Do not configure a passphrase.

      openssl genrsa -out /var/log/MyKey.private 4096

      ssh-keygen -y -f /var/log/MyKey.private > /var/log/MyKey.public

      Note - The "openssl rsa -pubout" command writes the public key in PEM format, which the SSH server does not read from the "authorized_keys" file. The "ssh-keygen -y" command writes the same public key in the OpenSSH format required in step 1.

    • On a Windows OS, you can use the "PuTTYgen" tool.

      Do not configure a passphrase.

      In the PuTTY built-in help, refer to the chapter "Using public keys for SSH authentication".

  2. Transfer the file with the public key from the Linux-based server to your computer:

    Example         RSA Private Key           RSA Public Key
    For Gaia OS     /home/admin/MyKey         /home/admin/MyKey.pub
    For Linux OS    /var/log/MyKey.private    /var/log/MyKey.public

  3. Connect to the command line on the Quantum Spark Appliance.

  4. Log in.

  5. If the default shell is Gaia Clish, then go to the Expert mode:

    expert

  6. Create the required directory:

    mkdir -v /storage/.ssh

  7. Configure the required permissions on this directory:

    chmod 700 /storage/.ssh

  8. Transfer the file with the public key (in the above example for Gaia OS, "MyKey.pub") from your computer to this directory on the Quantum Spark Appliance:

    /storage/.ssh

  9. Rename the file with the public key to "authorized_keys":

    mv -v /storage/.ssh/MyKey.pub /storage/.ssh/authorized_keys

  10. Configure the required permissions on the file with the public key:

    chmod 600 /storage/.ssh/authorized_keys

  11. Edit the "/pfrm2.0/etc/sshd_config" file:

    1. Back up the current file:

      cp -v /pfrm2.0/etc/sshd_config{,_BKP}

    2. Edit the current file:

      vi /pfrm2.0/etc/sshd_config

    3. Change this line:

      AuthorizedKeysFile       none

      to this line:

      AuthorizedKeysFile       /storage/.ssh/authorized_keys

    4. Save the changes in the file and exit the editor.

  12. Reboot the Quantum Spark Appliance.

  13. In your SSH client, configure the SSH session to use the RSA Private Key file.

    Refer to the documentation for the SSH client.

    Note - For PuTTY, it is necessary to convert the RSA Private Key file from the OpenSSH format to the PPK format:

    1. Start the PuTTYgen tool.

    2. From the top, click the Conversions menu.

    3. Click Import key.

    4. Select the RSA Private Key file and click Open.

    5. In the bottom right corner, click Save private key.

      Do not configure a passphrase.

  14. Connect with the SSH client (that uses the RSA Private Key file) to the Quantum Spark Appliance.

    When prompted, enter the applicable username.

    There should not be a prompt for the password.