Hi Sergio,
The answer is much easier than you think. You don't need to go to Redhat Linux unless you need Expect or TCL to automate scripting into routers and switches. If that is true, the other David is correct, go with RedHat Linux. But for your immediate question:
You CAN have a telnet client on the SPLAT NGx SmartCenter. Simply do this:
1) go to checkpoint.com and download this free utility: SecurePlatformAddOn_R55.gz. Believe it or not, it actually works with NGx as well.
2) put this file in /var/tmp of the SPLAT SmartCenter box.
3) in expert mode, run: patch add /var/tmp/SecurePlatformAddOn_R55.gz
Now from the SPLAT box, you CAN telnet anywhere you like. Check it out:
[EMAIL PROTECTED] patch add SecurePlatformAddOn_R55.gz
Cannot find patch file SecurePlatformAddOn_R55.gz.
[EMAIL PROTECTED] patch add /var/tmp/SecurePlatformAddOn_R55.gz
Calculating the MD5 checksum of the package.
The MD5 checksum is: f2c1925d0a0dbb9229796505aeccc006
Is that right (Y/N)? Y
Extracting /var/tmp/SecurePlatformAddOn_R55.gz package ..
Starting the installation...
Extracting files ..
Extracting files completed successfully.
The addon packages are installed on your system. This process may take
several minutes ..
Addon was installed successfully.
Patch installed successfully.
[EMAIL PROTECTED] which telnet
/usr/bin/telnet
[EMAIL PROTECTED]
[EMAIL PROTECTED] telnet 192.168.15.10
Trying 192.168.15.10...
Connected to 192.168.15.10.
Escape character is '^]'.
Red Hat Enterprise Linux ES release 3 (Taroon)
Kernel 2.4.21-4.ELsmp on an i686
login:
Sergio Alvarez <[EMAIL PROTECTED]> wrote:
Hello cisco4ng,
I never thought it was possible to log in to a splat machine without requiring a password. I already added your procedure to my archive and for sure it will be of help at some point, but right now what we are trying to achieve is to run a script on the splat machine that will start a connection to a layer 3 switch to make some changes in the static routes when needed. So as you see, here the splat box is the client.
We analyzed the possibility of using ssh, but the switch OS does not allow adding a key as you explain in your procedure, so the only other way to go is adding a Telnet client daemon on splat, for which someone told me there is an rpm on the SPLAT installation disc.
We haven't tried it yet, but I'm hoping it will do the trick.
Thanks for your reply.
Regards
On 7/13/07, cisco4ng wrote:
>
> Here is the complete instruction:
>
> >1) on the linux machine, run "ssh-keygen -t rsa"
> >2) on the secureplatform, in expert mode:
> > a) cd /root/.ssh
> > b) ssh-keygen -t rsa
> > c) touch authorized_keys
> > d) chmod 700 authorized_keys
> >3) copy the id_rsa.pub from the linux machine to the SPLAT machine.
> > (I had to do this via scp with password FROM the SPLAT box back
> > to the linux machine).
> >4) on the splat box, "cat id_rsa.pub >> authorized_keys"
> >5) modify the sshd_config file on the SPLAT box as follows:
> > DenyUsers shutdown halt nobody ntp pcap rpm
> > AllowGroups admin root
> >6) on the splat box, "service sshd restart"
> >7) from the linux machine, I can do this:
> > [EMAIL PROTECTED] .ssh]# ssh -l root 192.168.1.2
> > Last login: Mon Feb 21 09:27:25 2005 from 192.168.1.100
> > [EMAIL PROTECTED]
>
>
> cisco4ng wrote: I've done this before with SecurePlatform NG Feature Pack 3 about 3 years ago.
>
> 1) on the linux client machine, generate a private/public key with "ssh-keygen -t rsa"
> 2) in the /home/sergio/.ssh directory, copy the id_rsa.pub over to the splat box /root/.ssh/authorized_keys file (you may have to create this file). Name it like xxx
> 3) assign permission "chmod 700" to the authorized_keys file.
> 4) cat xxx >> authorized_keys
> 5) you have to do something to the /etc/passwd file,
> 6) now from the linux client, do this: "ssh -v -l root SmartCenter_IP_address"
>
> now you can log into the smartcenter without password. For extra protection, you can use a "passphrase" during the "ssh-keygen -t rsa" key creation phase.
>
> Hope that helps.
>
> Sergio Alvarez wrote:
> Thanks for your replies Francisco and David,
>
> First of all, I'm very well aware of the fact that SPLAT is not Red Hat, I just mentioned it because I know it is based on it and there are certain things you can do on it as you would on RH.
> I'm also very aware that SPLAT is a hardened OS and is not intended for anything else but running Check Point software, but I'm sure you guys know that sometimes you just need to bend things a bit when working with limited resources and are required to achieve miracles on a network.
>
> This SPLAT machine is NOT a firewall, it's just running a SmartCenter and it is located in a very protected area of this network. As I mentioned before, several options have been analyzed prior to deciding to go with the solution we are trying to implement and being sure we really know what we are doing.
> Actually I did not give out all the details of the deployment, so with all due respect, I don't think you are in a position to judge if I'm going in the right direction or not.
>
> Regarding the info you provided about the paths where I could find the CPprofile and about the fact that with the admin user you are just getting a cpshell and not bash: that will be of big help. I had not thought about that, and maybe what we need is to make a change in the /etc/passwd file to allow admin to go straight to bash without having to use the expert command.
>
> Once again, I really appreciate the time you took to reply to my posting.
>
> Regards
>
>
> On 7/12/07, David DeSimone wrote:
> >
> > Sergio Alvarez wrote:
> > >
> > > OK, so nobody answered anything about my previous posting (below), but I found the SPLAT installation disc contains an RPM for Telnet, so we are going to try with that.
> >
> > I think nobody answered you because we may feel that you are proceeding in the wrong direction. The solution you describe is probably going to be fragile, and not really work as effectively as you think it will.
> >
> > > This guy, obviously more Linux knowledgeable than me, says he tried adding the extra paths he needs using $path:, and usually on any other Red Hat he adds that in .profile or /etc/profile so the changes are not lost, but he did that in SPLAT and it did not work, so we need to know how to go about that.
> >
> > SPLAT is not "just a red hat box with checkpoint on it." It is a hardened OS platform. That means many features you find on a generic Linux server will be missing, and that is BY DESIGN. Missing components and services cannot be exploited. If you add them, you are reducing the security of your box. This box is just a firewall, and you would do better to treat it as just that.
> >
> > Your customer installed SPLAT for a reason. If he wanted a regular Red Hat box running Checkpoint, then he should have installed that. I guess he would have been happier that way.
> >
> > One of the problems you are likely running into is that the admin account has a shell of /bin/cpshell, which cannot just run standard commands. If you want to proceed with this, you might need to create another account, or use the root account, which has a shell of /bin/bash.
> >
> > The bash shell should obey your expectations about reading .profile or /etc/profile in order to set paths correctly.
> >
> > The "expert" shell that you get is a subshell, and so it does not read the .profile or /etc/profile, but that will not necessarily be the case for a script that you launch via cron, or some other mechanism.
> >
> > - --
> > David DeSimone == Network Admin == [EMAIL PROTECTED]
> > "It took me fifteen years to discover that I had no
> > talent for writing, but I couldn't give it up because
> > by that time I was too famous. -- Robert Benchley
> >
> > =================================================
> > To set vacation, Out-Of-Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your
> > subscription options, email
> > [EMAIL PROTECTED]
> > =================================================
> >
>
>
>
> --
> Sergio Alvarez
> (506)8301342
--
Sergio Alvarez
(506)8301342
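As an added example (not code from this thread or from Check Point), the POSIX sh script below installs an automation key on the target's root account the way cisco4ng's quoted ssh-keygen procedure does, but with the modes sshd's StrictModes accepts and with authorized_keys options that pin the key to one client address and one command, so a copied key cannot open an interactive shell. The client address, command path and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Check Point: install an
# automation key on the target's root account as cisco4ng's procedure does,
# but with the modes sshd's StrictModes accepts (700 on .ssh, 600 on the
# file) and with authorized_keys options that pin the key to one client
# address and one command, so a copied key cannot open an interactive shell.
# Assumptions: POSIX sh, OpenSSH-style authorized_keys; the address, command
# path and key material below are constructed placeholders.

# build_restricted_entry SRC_ADDR COMMAND PUBKEY_LINE
#   from=     accept this key only from the named client address
#   command=  run only this command, whatever the client asked for
#   no-*      no terminal, port, agent or X11 forwarding for this key
build_restricted_entry() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "$1" "$2" "$3"
}

# install_key KEYDIR ENTRY: create KEYDIR/authorized_keys with safe modes and
# append ENTRY once (a second run must not duplicate the line).
install_key() {
    keydir=$1; entry=$2
    mkdir -p "$keydir" && chmod 700 "$keydir"
    touch "$keydir/authorized_keys" && chmod 600 "$keydir/authorized_keys"
    grep -qxF -e "$entry" "$keydir/authorized_keys" ||
        printf '%s\n' "$entry" >> "$keydir/authorized_keys"
}

# check_modes KEYDIR: print "ok" when the directory is 700 and the file is
# 600 (or the thread's 700, which sshd also accepts), else "bad".
check_modes() {
    d=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    f=$(stat -c %a "$1/authorized_keys" 2>/dev/null || stat -f %Lp "$1/authorized_keys")
    if [ "$d" = 700 ] && { [ "$f" = 600 ] || [ "$f" = 700 ]; }; then echo ok; else echo bad; fi
}

# Demo on a throwaway directory; the key is a constructed placeholder.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder automation@linux-client'
DEMO_DIR=$(mktemp -d)/.ssh
ENTRY=$(build_restricted_entry 192.168.1.100 /usr/local/bin/update-routes.sh "$SAMPLE_KEY")
install_key "$DEMO_DIR" "$ENTRY"
install_key "$DEMO_DIR" "$ENTRY"
echo "$ENTRY"
check_modes "$DEMO_DIR"
```

With this entry in place, the forced command runs regardless of what the client asks for, and sshd rejects the key from any other source address; the script the thread describes would be the value of command=.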