Hello cisco4ng,
I never thought it was possible to log in to a splat machine without
requiring a password. I already added your procedure to my archive and for
sure it will be of help at some point, but right now what we are trying to
achieve is to run a script on the splat machine that will start a connection
to a layer 3 switch to make some changes in the static routes when needed.
So as you see, here the splat box is the client.
We analyzed the possibility of using ssh, but the switch OS does not allow
adding a key as you explain in your procedure, so the only other way to go
is adding a Telnet client daemon on splat, for which someone told me there
is an rpm on the SPLAT installation disc.
We haven't tried it yet, but I'm hoping it will do the trick.
Thanks for your reply.
Regards
On 7/13/07, cisco4ng <[EMAIL PROTECTED]> wrote:
Here is the complete instruction:
>1) on the linux machine, run "ssh-keygen -t rsa"
>2) on the secureplatform, in expert mode:
> a) cd /root/.ssh
> b) ssh-keygen -t rsa
> c) touch authorized_keys
> d) chmod 700 authorized_keys
>3) copy the id_rsa.pub from the linux machine to the SPLAT machine.
> (I had to do this via scp with password FROM the SPLAT box back
> to the linux machine).
>4) on the splat box, "cat id_rsa.pub >> authorized_keys"
>5) modify the sshd_config file on the SPLAT box as follows:
> DenyUsers shutdown halt nobody ntp pcap rpm
> AllowGroups admin root
>6) on the splat box, "service sshd restart"
>7) from the linux machine, I can do this:
> [EMAIL PROTECTED] .ssh]# ssh -l root 192.168.1.2
> Last login: Mon Feb 21 09:27:25 2005 from 192.168.1.100
> [EMAIL PROTECTED]
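The authorized_keys and sshd_config steps of the procedure above, as an added example that is not part of the thread or of cisco4ng's posting: a small script that performs the key install so it can be re-run safely (the plain `cat >> authorized_keys` in step 4 adds a duplicate line every time it is repeated) and checks that the two sshd_config restrictions from step 5 are present. The function names, the scratch directory and the public key in the demo are all constructed for illustration; the real targets on a SPLAT box are /root/.ssh and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: re-runnable version of
# the authorized_keys steps from the procedure, plus a check of the
# sshd_config restrictions. Paths are parameters so the functions can be
# exercised against a scratch directory instead of the real /root/.ssh.
set -u

# install_pubkey <client-pubkey-file> <.ssh-dir>
# Appends the client's public key only if that key is not already present,
# then sets the permissions sshd's StrictModes expects: 700 on .ssh and
# 600 on authorized_keys (the 700 in the thread also works; the execute bit
# simply means nothing on a file).
install_pubkey() {
    pub=$1
    sshdir=$2
    auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth"
    # first non-empty line of the .pub file: key type and key material only,
    # so a changed comment field does not cause a second copy to be added
    keymat=$(awk 'NF { print $1, $2; exit }' "$pub")
    if ! awk '{ print $1, $2 }' "$auth" | grep -qxF "$keymat"; then
        # awk's print always terminates the line, so a .pub file that lacks
        # its final newline cannot fuse with the next key appended later
        awk 'NF { print; exit }' "$pub" >> "$auth"
    fi
    chmod 600 "$auth"
}

# count_keys <.ssh-dir>  ->  number of non-empty lines in authorized_keys
count_keys() {
    grep -c . "$1/authorized_keys"
}

# mode_of <path>  ->  symbolic mode as ls prints it, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# check_sshd_config <sshd_config>
# Returns 0 when the file carries the AllowGroups and DenyUsers lines from
# the procedure and does not set PermitRootLogin to "no", which would turn
# the root key login away before the key is even looked at.
check_sshd_config() {
    cfg=$1
    grep -Eq '^[[:space:]]*AllowGroups[[:space:]]' "$cfg" \
        || { echo "check: no AllowGroups line in $cfg" >&2; return 1; }
    grep -Eq '^[[:space:]]*DenyUsers[[:space:]]' "$cfg" \
        || { echo "check: no DenyUsers line in $cfg" >&2; return 1; }
    if grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$cfg"; then
        echo "check: PermitRootLogin no blocks the root key login" >&2
        return 1
    fi
    return 0
}

# Demo against a scratch directory with a constructed (not real) public key.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkeymaterial client@linux\n' \
        > "$tmp/id_rsa.pub"
    install_pubkey "$tmp/id_rsa.pub" "$tmp/dot_ssh"
    install_pubkey "$tmp/id_rsa.pub" "$tmp/dot_ssh"   # second run adds nothing
    echo "keys in authorized_keys: $(count_keys "$tmp/dot_ssh")"
    echo "authorized_keys mode:    $(mode_of "$tmp/dot_ssh/authorized_keys")"
    printf 'DenyUsers shutdown halt nobody ntp pcap rpm\nAllowGroups admin root\n' \
        > "$tmp/sshd_config"
    check_sshd_config "$tmp/sshd_config" && echo "sshd_config: ok"
    rm -rf "$tmp"
}

demo
```

Two things worth knowing when applying the sshd_config part on a real box: OpenSSH evaluates DenyUsers, AllowUsers, DenyGroups and AllowGroups in that order, so the DenyUsers line is redundant once AllowGroups lists only admin and root, but harmless; and once the key login works, setting PermitRootLogin to without-password (older OpenSSH keyword; prohibit-password in current releases) keeps root reachable by key while refusing password logins for it.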
cisco4ng <[EMAIL PROTECTED]> wrote: I've done this before with
SecurePlatform NG Feature Pack 3 about 3 years ago.
1) on the linux client machine, generate a private/public key with
"ssh-keygen -t rsa"
2) in the /home/sergio/.ssh directory, copy the id_rsa.pub over to the
splat
box /root/.ssh/authorized_keys file (you may have to create this file).
Name it like xxx
3) assign permission "chmod 700" to the authorized_keys file.
4) cat xxx >> authorized_keys
5) you have to do something to the /etc/passwd file,
6) now from the linux client, do this: "ssh -v -l root
SmartCenter_IP_address"
now you can log into the smartcenter without a password. For extra
protection, you can use a "passphrase" during the "ssh-keygen -t rsa" key
creation phase.
Hope that helps.
Sergio Alvarez wrote:
Thanks for your replies Francisco and David,
First of all, I'm very well aware of the fact that SPLAT is not Red Hat, I
just mentioned it because I know it is based on it and there are certain
things you can do on it as you would on RH.
I'm also very aware that SPLAT is a hardened OS and is not intended for
anything else but running Check Point software, but I'm sure you guys know
that sometimes you just need to bend things a bit when working with limited
resources and are required to achieve miracles on a network.
This SPLAT machine is NOT a firewall, it's just running a SmartCenter and it
is located on a very protected area of this network. As I mentioned before,
several options were analyzed prior to deciding to go with the solution
we are trying to implement, and be sure we really know what we are doing.
Actually I did not give out all the details of the deployment, so with all
due respect, I don't think you are in a position to judge if I'm going in
the right direction or not.
Regarding the info you provided about the paths where I could find the
CPprofile and about the fact that with the admin user you are just getting a
cpshell and not bash: that will be of big help, I had not thought about that
and maybe what we need is to make a change in the /etc/passwd file to allow
admin to go straight to bash without having to use the expert command.
Once again, I really appreciate the time you took to reply to my posting.
Regards
On 7/12/07, David DeSimone wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sergio Alvarez wrote:
> >
> > OK, so nobody answered anything about my previous posting (below),
> > but I found the SPLAT installation disc contains an RPM for Telnet, so
> > we are going to try with that.
>
> I think nobody answered you because we may feel that you are proceeding
> in the wrong direction. The solution you describe is probably going to
> be fragile, and not really work as effectively as you think it will.
>
> > This guy, obviously more Linux knowledgeable than me, says he tried
> > adding the extra paths he needs using $path:, and usually on any other
> > Red Hat, he adds that in .profile or /etc/profile so the changes are
> > not lost, but he did that in SPLAT and did not work, so we need to
> > know how to go about that.
>
> SPLAT is not "just a red hat box with checkpoint on it." It is a
> hardened OS platform. That means many features you find on a generic
> Linux server will be missing, and that is BY DESIGN. Missing components
> and services cannot be exploited. If you add them, you are reducing the
> security of your box. This box is just a firewall, and you would do
> better to treat it as just that.
>
> Your customer installed SPLAT for a reason. If he wanted a regular Red
> Hat box running Checkpoint, then he should have installed that. I guess
> he would have been happier that way.
>
> One of the problems you are likely running into is that the admin
> account has a shell of /bin/cpshell, which cannot just run standard
> commands. If you want to proceed with this, you might need to create
> another account, or use the root account, which has a shell of
> /bin/bash.
>
> The bash shell should obey your expectations about reading .profile or
> /etc/profile in order to set paths correctly.
>
> The "expert" shell that you get is a subshell, and so it does not read
> the .profile or /etc/profile, but that will not necessarily be the case
> for a script that you launch via cron, or some other mechanism.
>
> - --
> David DeSimone == Network Admin == [EMAIL PROTECTED]
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous. -- Robert Benchley
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFGlrACFSrKRjX5eCoRAiBLAJ0eiMpjWlGyakMHtVuvKKvxeOT39ACfQ4md
> uj5aDH8GBH2GOBjSotQ7oxE=
> =DPD+
> -----END PGP SIGNATURE-----
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
>
--
Sergio Alvarez
(506)8301342
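David's point that the expert subshell and a cron job do not see the same environment, as an added example that is not part of the thread or of anyone's posting: a wrapper for a job launched by cron on the SPLAT box that builds its own PATH instead of assuming /etc/profile or ~/.profile was read, resolves the tools it needs the way the shell would, and refuses to start if any are missing. The function names, the wrapper name cronwrap.sh and the Check Point environment file path /etc/profile.d/CP.sh are assumptions for illustration; take the real CPprofile location from your own box.

```shell
#!/bin/sh
# Added example, not from the thread. A wrapper for a job that cron (or any
# other non-interactive launcher) starts on the SPLAT box. It builds the
# environment itself instead of assuming /etc/profile or ~/.profile was read.
# The Check Point environment file path is an ASSUMPTION for illustration.
# Usage: cronwrap.sh <command> [args...]
set -u

CP_ENV_FILE=${CP_ENV_FILE:-/etc/profile.d/CP.sh}   # assumed path, override via env

# prepend_paths <PATH> <dir>...  ->  prints a PATH with the directories in
# front, in the given order, skipping ones that do not exist or are already
# present, so re-running the wrapper never grows PATH.
prepend_paths() {
    base=$1
    shift
    extra=
    for d in "$@"; do
        [ -d "$d" ] || continue
        case ":$extra:$base:" in
            *":$d:"*) continue ;;
        esac
        extra="$extra$d:"
    done
    printf '%s\n' "$extra$base"
}

# find_tool <PATH> <name>  ->  prints the first executable called <name>
# along <PATH>, the way the shell resolves a command; returns 1 if none.
find_tool() {
    tool=$2
    oldifs=$IFS
    IFS=:
    set -- $1
    IFS=$oldifs
    for dir in "$@"; do
        if [ -f "$dir/$tool" ] && [ -x "$dir/$tool" ]; then
            printf '%s\n' "$dir/$tool"
            return 0
        fi
    done
    return 1
}

# require_tools <PATH> <name>...  ->  returns 1 and names the missing tools
# on stderr, so the job stops before it touches the switch rather than
# failing half-way through a route change.
require_tools() {
    path=$1
    shift
    missing=0
    for t in "$@"; do
        find_tool "$path" "$t" >/dev/null || { echo "missing: $t" >&2; missing=1; }
    done
    return $missing
}

# run_with_env <command> [args...]  runs the job in a subshell with the
# rebuilt PATH and, if the file exists, the Check Point variables sourced.
run_with_env() (
    PATH=$(prepend_paths "${PATH:-/usr/bin:/bin}" /usr/local/bin /sbin /usr/sbin)
    export PATH
    if [ -r "$CP_ENV_FILE" ]; then
        . "$CP_ENV_FILE"
    fi
    require_tools "$PATH" sh awk || exit 1
    exec "$@"
)

# Demo: the job only sees the PATH this wrapper built, not the caller's.
run_with_env sh -c 'echo "job PATH: $PATH"'
```

A crontab line for the scenario in the thread would then read something like `*/5 * * * * /root/bin/cronwrap.sh /root/bin/switch-routes.sh` (both names assumed), with the switch session itself living in the second script; the wrapper only guarantees that the session script finds its tools regardless of which shell, profile or account launched it.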
--
Sergio Alvarez
(506)8301342