There are 2 things to keep in mind here:

1. You MUST edit the /etc/scpusers file to add the users that are allowed access. This has been in place since NG AI R55. It won't work without this change.

2. You do NOT need to change the shell to bash in the /etc/passwd file UNLESS you are using a Windows-based scp client such as WinSCP. A normal scp from another Linux or Unix server will work fine without any changes to the passwd file so long as the username is included in the aforementioned /etc/scpusers file.

If you DO want to use a Windows-based scp client, then yes, you have to change the passwd file to use bash instead. This is not a recommended solution though. Rather use another Linux machine to go and get your backups via scp, or better yet, schedule the backups to be "pushed" to a remote server via scp from the SecurePlatform server itself.

Once again, it's never a good idea to allow root access via ssh or scp, but as cisco4ng has explained, it's an easy configuration change if you really need it. If you write your scripts correctly, you shouldn't really need root access to the server. You should be able to get the files you need simply by placing the correct permissions on the files and placing them in the correct directories on the SecurePlatform server.

Cheers
Matt

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Alvarez
Sent: 24 July 2008 02:01 PM
To: [email protected]
Subject: Re: [FW-1] SCP service on SPLAT

Hello guys, thanks a lot to all for your answers. I have been able to access a SPLAT machine via SCP just by modifying "passwd" file for years now, but I will for sure try the rest of the procedure explained by cisco4ng. Thanks again.

On Thu, Jul 24, 2008 at 4:51 AM, cisco4ng <[EMAIL PROTECTED]> wrote:

> do this:
>
> 1- modify the /etc/passwd and change "cpshell" to "bash",
> 2- create a file /etc/scpusers and add "admin" and "root" in there in
> separate lines,
> 3- modify the /etc/ssh/sshd_config and replace the following lines:
> DenyUsers root shutdown halt nobody ntp pcap rpm
> AllowGroups root
> with:
> DenyUsers shutdown halt nobody ntp pcap rpm
> AllowGroups root admin
> 4- restart sshd with "service sshd restart",
>
> Now you can use scp with "admin" and "root" account
>
> Easy right?
>
> --- On Thu, 7/24/08, pkc_mls <[EMAIL PROTECTED]> wrote:
>
> From: pkc_mls <[EMAIL PROTECTED]>
> Subject: Re: [FW-1] SCP service on SPLAT
> To: [email protected]
> Date: Thursday, July 24, 2008, 5:16 AM
>
> Stephen JT Bourike wrote:
> > It's not the password file that needs alteration.
> >
> you indeed need to modify the passwd file, as by default the
> /etc/cpshell that is used to connect
> doesn't allow you to use scp.
>
> but you also have to configure the ssh daemon to accept scp for your
> user(s).
>
> Scanned by Check Point Total Security Gateway.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to [EMAIL PROTECTED]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [EMAIL PROTECTED]
> =================================================

--
Sergio Alvarez
(506)8301342
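
Added example, not part of the original thread: a read-only audit that reports the three settings the messages above change (root in /etc/scpusers, accounts switched to bash, root dropped from DenyUsers). It runs against a constructed file tree; the `backup` account, the uid values and the function names are assumptions.

```shell
#!/bin/sh
# Audit SecurePlatform-style scp settings under a root directory ("/" on a live box).
# Prints one finding per line; prints nothing when no finding applies.
audit_scp_access() {
    root=$1
    # /etc/scpusers holds one permitted scp user per line.
    if [ ! -f "$root/etc/scpusers" ]; then
        echo "scpusers: file missing"
    elif grep -qx 'root' "$root/etc/scpusers"; then
        echo "scpusers: root is listed"
    fi
    # Field 7 of /etc/passwd is the login shell; report accounts moved to bash.
    awk -F: '$7 ~ /\/bash$/ { print "passwd: " $1 " uses " $7 }' "$root/etc/passwd"
    # The original DenyUsers line names root; report a line that no longer does.
    awk '$1 == "DenyUsers" { found = 1; ok = 0
             for (i = 2; i <= NF; i++) if ($i == "root") ok = 1
             if (!ok) print "sshd_config: root is not in DenyUsers" }
         END { if (!found) print "sshd_config: no DenyUsers line" }' \
        "$root/etc/ssh/sshd_config"
}

# Constructed sample: the state left by the four steps quoted in the thread.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/ssh"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'admin:x:500:500::/home/admin:/bin/bash' \
                  'backup:x:501:501::/home/backup:/etc/cpshell' > "$dir/etc/passwd"
    printf '%s\n' admin root > "$dir/etc/scpusers"
    printf '%s\n' 'DenyUsers shutdown halt nobody ntp pcap rpm' \
                  'AllowGroups root admin' > "$dir/etc/ssh/sshd_config"
    echo "$dir"
}

sample=$(make_sample)
audit_scp_access "$sample"
rm -rf "$sample"
```

On a real system, call `audit_scp_access /` after any change to these files and compare the output with what was intended.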
