It's not the password file that needs alteration.

You need to create (or edit) a file called /etc/scpusers and add in a list
of the user names that are permitted to connect using SCP.  Be careful about
allowing the admin/root user to connect, since either of these users could
subsequently system config files.  You should construct your scripts and
directory structure to create the backup and move it using non-privileged
user accounts.

You should also make sure that all SSH/SCP users authenticate using public
keys rather than passwords. You'll have to edit /etc/ssh/sshd_config to
remove the password login mode from the acceptable authentication methods.


Steve
http://www.appliedsecurity.co.uk



On 24/7/08 09:49, "pkc_mls" <[EMAIL PROTECTED]> wrote:

> Sergio Alvarez wrote:
>> Hello,
>> 
>> Quite some time ago I learned of an unofficially supported change that could
>> be done in the /etc/passwd file in SPLAT that would allow me to access that
>> machine via SCP, which I would sometimes do on a SmartCenter well protected
>> on an internal network, to make easier taking out backups from that machine.
>> 
>> A customer of mine was taking backups from his cluster firewall modules and
>> sending them via SCP to his SmartCenter from which he would later get all
>> backups together to another machine on the network. But recently my customer
>> decided to get a new machine to migrate his SmartCenter and we had to move
>> to SPLAT 2.6 due to hardware support, since then he has not been able to
>> access that SmartCenter using SCP from the firewall modules.
>> 
>> I did some tests on my own with a SPLAT 2.6 virtual machine and Win SCP is
>> not working either even after modifying the passwd file which leads me to
>> think the R&D guys made a change on version 2.6 to limit the use of SCP.
>> 
>>   
> you should compare the sshd_config files from 2.4 and 2.6, and also
> check in the logs if you have any message
> that indicates that scp fails.
>> Has anybody else seen this issue? I would just like to confirm if I'm right
>> or not.
>> 
>> Regards
> 
> 
> Scanned by Check Point Total Security Gateway.
> 
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================
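
An added example, not part of the original thread or of Check Point's tooling: a shell audit of the two files the reply names, flagging privileged names in /etc/scpusers and an sshd_config that still accepts passwords. It assumes /etc/scpusers holds one user name per line, reads only the global section of sshd_config (whitespace-separated keywords, stopping at the first Match block), and uses the standard OpenSSH keywords PasswordAuthentication and PubkeyAuthentication; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit SCP access settings on a SPLAT-style host.
# Assumption: /etc/scpusers lists one user name per line.

# Print the value of an sshd_config keyword from the global section.
# Keywords are case-insensitive and the first occurrence wins.
# Prints nothing when the keyword is not set.
sshd_value() {  # $1 = config file, $2 = keyword
    awk -v k="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }          # global section only
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# Report findings on stdout; the return status is the number of findings.
audit_scp_access() {  # $1 = scpusers file, $2 = sshd_config file
    findings=0
    # Privileged accounts that should not be permitted to use SCP.
    for u in root admin; do
        if grep -Eq "^[[:space:]]*$u[[:space:]]*\$" "$1" 2>/dev/null; then
            echo "WARN: privileged user '$u' listed in $1"
            findings=$((findings + 1))
        fi
    done
    # OpenSSH treats an unset PasswordAuthentication as "yes".
    pw=$(sshd_value "$2" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "WARN: PasswordAuthentication is '${pw:-unset (default yes)}' in $2"
        findings=$((findings + 1))
    fi
    # Public keys must stay enabled once passwords are turned off.
    pk=$(sshd_value "$2" PubkeyAuthentication)
    if [ "${pk:-yes}" = "no" ]; then
        echo "WARN: PubkeyAuthentication is disabled in $2"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Usage on the host itself:
#   audit_scp_access /etc/scpusers /etc/ssh/sshd_config
```
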


