| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| I'm trying to connect to a SecurePlatform R60 smartcenter with winSCP3, to get log files easily, but the SCP client finishes with error: Error skipping startup message. Your shell is probably incompatible with the application (BASH is recommended). The session log shows this message: stty: standard input: Invalid argument Anyway, I can transfer files to the Secureplatform SCP server from another Secureplatform, using command "scp file1 admin@smartcenter:" The file /etc/scpusers is already created with the admin user. Thanks. |
| |||
| Not 100% sure, but it may be a problem with the restricted shell that is usually given to the admin user on SecurePlatform. In that shell you only get basic Check Point commands, and although I have no idea what the software you are using actually does, I would guess it needs access to an unrestricted shell. It might work if you create a new user whose default shell is bash and not cpshell (which I think by default is given to the admin user before entering expert mode). Hope this helps! |
| |||
| Can you provide some insight on HOW you gave the user BASH instead of CPShell? I am finding SPLAT to be ridiculously cumbersome. I'd rather put VPN-1 on a nice hardened Debian platform, personally. |
| |||
| Once you have created the user, edit /etc/passwd and change "cpshell" to "bash" at the end of the user line. It should look like this: user1:x:0:0::/home/user1:/bin/bash Then edit /etc/group and add the user to the appropriate groups, separated by commas: root:x:0:root,user1 Don't forget to create /etc/scpusers with the user name, if you want SCP access. |
| |||
| Thanks for the quick reply. Let me apologize...I didn't provide nearly enough information. My problem has been *using* that damned CPShell. Any user I add automatically gets that shell. I am not certain what CLI text editor to use for changing conf files. "vi" isn't available, that I can tell. I feel like I'm working on a broken *NIX platform with both hands tied behind my back and a blindfold over my eyes. What editor is available in CPShell? Pico? Emacs? Or is it something proprietary? |
| |||
| It sounds to me like you are never making it into "Expert" mode in SPLAT. When you log into the cpshell, it is really scaled down to just check point commands and a few troubleshooting tools like ping and traceroute. To get to the file structure and the other features of the Red Hat Linux kernel it runs on, type "expert" (without the quotes, of course). This will make you put in the expert password (or make you create one if you've never logged into expert mode) and will give you access to all the normal Linux commands you are used to. Let me know if this helps. |
| |||
| cosufw1 and czech12, thank you both very much. That last bit was it, I didn't realize I wasn't GETTING to expert mode for the regular system shell I needed. Your help is greatly appreciated. I'm still having MAJOR issues (major in my book...perhaps not major in the grand scheme of things) and am still pretty unhappy with SPLAT as an OS, but it certainly does seem to be secure. To the point of making it unusable in a test environment, where frequent changes may need to be made. But oh well, Check Point has made *their* money...guess I'll slough along. Thanks again. |
| |||
| What I normally do is SSH to the SPLAT box, get into Expert mode, then FTP from the SPLAT box to an ftp server. If you do not require the traffic to be encrypted, it is an easy way to get files on and off the SPLAT box... __________________ ==================== Aaron Vivo CCSE Plus, CCMSE, NSA ==================== |
| |||
| I have tried that and get the following error: "Passive mode address scan failure. Shouldn't happen!" I am sure I'm missing something, but I don't know what it is. Thanks. Also: I have performed all the steps listed above and when using WinSCP, the Splat box won't take my password. Last edited by kapeman : 2006-08-09 at 06:21. |
| |||
| I am a CheckPoint newbie. Could you please guide me through the step-by-step procedure to create an SCP user? Thanks. |
| |||
| expert <cr>
password: <expert password><cr>
cat > /etc/scpusers <cr>
<username><cr> [for each user]
<Ctrl-D>
That's all. |
| |||
| You can create a new user with the web UI, then go to SSH and use this command so that you do not have to edit anything:
chsh -s /bin/bash username > user connects directly to bash (expert mode)
chsh -s /bin/cpshell username > user connects and uses cpshell
__________________ Mike |
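A read-only check of the setup the posts above describe (a bash login shell in /etc/passwd plus an entry in /etc/scpusers), added here as an example and not part of any poster's message. The function name `check_scp_users`, the sample accounts and the temporary file copies are constructed for illustration; the UID 0 flag is an extra check for accounts created like the `user1` line quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: read-only audit of the SCP setup described in this thread.
# Paths are parameters so it can run on copies; the thread's files are
# /etc/passwd and /etc/scpusers.
check_scp_users() {
    passwd_file=$1
    scpusers_file=$2
    while IFS= read -r user || [ -n "$user" ]; do
        if [ -z "$user" ]; then continue; fi          # skip blank lines
        # Fields 3 and 7 of a passwd entry are the UID and the login shell.
        entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $7; exit }' "$passwd_file")
        if [ -z "$entry" ]; then
            echo "$user: MISSING from passwd"
            continue
        fi
        uid=${entry%%:*}
        shell=${entry#*:}
        case $shell in
            */bash) status="OK shell=$shell" ;;
            *)      status="WARN shell=$shell (not bash)" ;;
        esac
        # Any account with UID 0 other than root is root-equivalent.
        if [ "$uid" = "0" ] && [ "$user" != "root" ]; then
            status="$status; UID 0 (root-equivalent)"
        fi
        echo "$user: $status"
    done < "$scpusers_file"
}

# Constructed sample data, not taken from a real system.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/cpshell
user1:x:0:0::/home/user1:/bin/bash
scpxfer:x:501:501::/home/scpxfer:/bin/bash
EOF
    printf 'admin\nuser1\nscpxfer\nghost\n' > "$tmp/scpusers"
    check_scp_users "$tmp/passwd" "$tmp/scpusers"
    rm -rf "$tmp"
}

demo
```

On a real system, run it from expert mode as `check_scp_users /etc/passwd /etc/scpusers`; it only reads both files.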