SFTP to SPLAT Server

[tty35]

For the love of GOD, can someone please list out the steps for what needs to be done in order to enable SFTP to a SPLAT MGMT server? I don't know why this is such an "hidden" setup... it seems Checkpoint's SK is even confused.

Thanks for the help!

[kva.kva]

Which SK do you mean?

[tty35]

I can't even find the SK now on Checkpoint's KB site, but I did find it listed on another site:

Check SecureKnowledge!

Solution ID: sk26258
In HFA 04 the SSH package was hardened to prevent users with regular
permissions from copying files to SecurePlatform from the outside

Procedure:
In expert mode on SecurePlatform:

1) create /etc/scpusers file

"[EMAIL PROTECTED] touch /etc/scpusers"

2) Open "scpusers" with a text editor such as vi.

"[EMAIL PROTECTED] vi /etc/scpusers"

3) Add authorized users, list 1 per line.

NOTE:
Only users listed in this file will be allowed to use scp.

4) Restart ssh with 'service sshd restart' on command line


I've done this before without any luck. I've also been to training where the instructor said to just add a new user, change the users shell to BASH in \etc\passwd and also chaneg the Users DIR. I've done this and still no luck. I 've also been told that you DO NOT need to create a scpusers file and add users to it.

[kva.kva]

Your instructor is right. You need only to change shell in /etc/passwd file from /bin/cpshell to /bin/bash. I usually use this method. Also access to SCP is controlled by file /etc/scpusers. You can find this in SecurePlatform UserGuide. So you can use two methods to allow scp.
Now about your problem. What client do you use? Do you see anything about your ssh connection in Tracker? Can you see packets on server from client by tcpdump (for example)?

[tty35]

Ahhh...maybe I'm on to something here. I took a look at the SPLAT User Guide and I didn't find any reference to "etc/scpusers" in it. Now I'm running R55, so I took a look at the R60 SPLAT User Guide and it DOES have reference to "etc/scpusers", so does this apply to R55? And if not, do you know a work around in R55?

I did look in Tracker and the SSH traffic is logged and is passing. I haven't checked a TCPDUMP yet.

Thanks for your help!

[kva.kva]

I found SK26258 about scpusers, it applies to R55 HFA-04 or newer. I didn't use this feature on R55, so i'm not sure at 100%.
But changing shell to /bin/bash is working at R55, i used it.
What do you see in /var/log/secure on SPLAT?

[kva.kva]

And don't confuse - SFTP isn't equal SCP (I read header of your post :) ).

[tty35]

Good to know... i thought they were the same for some reason.

[tty35]

regarding /var/log/secure, it shows:

"User test3 not allowed because non of the user's groups are listed in AllowGroups"

then below that is:

"Failed password for illegal user test3 from 192.168.1.2 port 2762 ssh2"

This is using WinSCP3 as a client and it set to use SCP.

[kva.kva]

Try to find AllowGroups in /etc/ssh/ssd_config. What does it have?

[kva.kva]

On my server I have "AllowGroups root". So I think, group root should includes your user login test3. Or you can edit string to "AllowGroups root, test3".

[chillyjim]

Quote:

Originally Posted by kva.kva

And don't confuse - SFTP isn't equal SCP (I read header of your post :) ).

Check Point does not, for reasons unknown, support SFTP. Much to my dismay, VanDyke, who's ssh tools I've been using for years, doesn't support SCP :(

[tty35]

I ended up using OpenSSH and SCP'ing the file from the Mgmt Server to the SSH box. Thanks for your help.

[rjdriscoll]

Changing our shell from cpshell to bash allowed us to SCP files off of SPLAT in R61, but not in R55. For R55 we use /etc/scpusers.

[BruceR]

I use OpenSSH for Windows on my PC http://sshwindows.sourceforge.net/

C:\temp>scp filename user@hostname:/~
user@hostname's password:
filename 100% 3402 3.3KB/s 00:00

I also mourn the lack of compatible protocols between SPLAT and VanDyke.

This is on R55 and user is in /etc/scpusers. That's all I changed.

hth
Bruce

[colliardr]

I was trying to use SFTP but finally it is not needed... let me explain :

In fact Checkpoint doesn't support sftp in SPLAT.
To see by yourself have a look at /etc/ssh/sshd_config... at the end of the file sftp-subsystem is commented out, telling path of executable is /usr/libexec/openssh/sftp-server and there (in the given path) is NO such file... (so uncommenting it won't help).

BUT scp (securecopy) is supported, see SK26258.

And SK (secureknowledge) is telling that since NGX HFA04 SCP access through /etc/scpusers authorization will be mandatory :

Symptoms

* Error: "Lost connection" using scp with SecurePlatform, user is prompted for password. After entering password, connection drops with "lost connection" error message.
* Error occurred after applying HFA-04 or newer to SecurePlatform.

Cause
In HFA 04 the SSH package was hardened to prevent users with regular permissions from copying files to SecurePlatform from the outside
Solution
The Secure Copy Protocol, scp is an SSH protocol extension allowing for secure, encrypted connections to copy and or ftp files to or from a system that allows remote connections.


So after having added user "admin" in file /etc/scpusers, you will be able to SCP'ing to the SPLAT box with a gui client WinSCP like my old favorite Norton Commander which is supporting SCP connection (though sftp is default method, don't forget to change it on session options).

Another (cool) way to do it is through Cygwin linux on windows framework (see www.cygwin.com) also for free.

WinSCP homepage (free and opensource) :
http://winscp.net/eng/download.php

[wicked]

Here are some simple instructions for anyone to follow:

[munrog]

Wicked,

Your instructions are correct, however there are "more correct" ways of implementing this ie without the reboot.

1) Login with the admin account
2) Enter Expert mode
3) Type

adduser username -g root

4) Enter the password when prompted
5) Type

chsh -s /bin/bash username

Note that if you want tcsh replace "/bin/bash" with "/bin/tcsh" or if you wish to return the user back to using the Check Point shell "/bin/cpshell"

6) Type vi /etc/scpusers
7) Add the username on one line within this file
8) Type

service sshd restart

[jmhill1976]

Quote:

Originally Posted by BruceR

I use OpenSSH for Windows on my PC sshwindows.sf.net: OpenSSH for Windows

C:\temp>scp filename user@hostname:/~
user@hostname's password:
filename 100% 3402 3.3KB/s 00:00

I also mourn the lack of compatible protocols between SPLAT and VanDyke.

This is on R55 and user is in /etc/scpusers. That's all I changed.

hth
Bruce

Good stuff. I burned a couple of hours yesterday afternoon attempting to SCP some debug files over from my new UTM-1, using "vcp.exe" - VanDyke's SCP executable for Windows.

After reading this post I installed OpenSSH, edited the scpusers file, and was rolling in no time.

[rtfmoz]

Well,

Actually you can get sftp working but that involves getting a RHEL3 sftp-server binary and copy it into the correct location on your splat system. Then uncomment the sftp-subsystem option in sshd_config. It works and I use it but of course this means Checkpoint have every right to say they wont support your platform because you modified it. I figure the access control is managed by SSH so I don't see the problem but then I am no expert in this area. Like the original poster, I use Vandyke products and sftp is very useful.

Regards

rtfmoz