configure ssh login without password



archie100
2013-02-18, 22:05
Hi guys,
I am running R71.20 on my Checkpoint Smart Center and Gateways.

My goal is to login from Smart Center to gateways via SSH without entering password.

I have read SK30366 and performed the steps provided in it.
Now I am able to login using the command below:

ssh -l admin -i $HOME/.ssh/id_dsa <server IP>

However, my goal is to login using the following command:

ssh <ip address>

=================


Can you please advise what I need to do to make it possible?
Cheers, Aun

northlandboy
2013-02-18, 22:54
ssh should try and use your username, and your own private key (in ~/.ssh/id_dsa). But if you always want to use a different username, or a different key location, then the best thing to do is to create ~/.ssh/config. In there, you can override defaults, on a per-host or all-hosts basis.

You might have something in it like this:
Host <firewall_hostname>
User admin
IdentityFile /home/admin/.ssh/id_dsa


Take a look at man ssh_config for more options.
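As an added illustration (my example, not code from this thread), the script below mimics how the ssh client evaluates a config file: ~/.ssh/config is read automatically, blocks are processed top to bottom, a Host block applies when one of its patterns matches the name typed on the command line, and the first value obtained for each option wins. The sample config, host names and paths are constructed; on a real system `ssh -G <host>` prints the values ssh itself resolved, and the script runs that check when ssh is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: a small resolver that mimics how the
# ssh client reads ~/.ssh/config. ssh reads the file automatically (no flag needed),
# walks it top to bottom, applies a Host block when one of its patterns matches
# the name typed on the command line, and keeps the FIRST value obtained for each
# option. So host-specific blocks go first and the catch-all "Host *" goes last.
# Only exact names and * / ? wildcards are handled here (no "!" negation, no Match).
# On a real system, "ssh -G <host>" prints the values ssh itself resolved.
set -eu

# write_sample_config <file>: constructed sample; host names and paths are made up.
write_sample_config() {
  cat > "$1" <<'EOF'
# lab firewall: log in as admin with the DSA key
Host londonfw01
    User admin
    IdentityFile ~/.ssh/id_dsa

# whole gateway subnet: unattended jobs must fail, not sit at a password prompt
Host 10.100.2.*
    User admin
    BatchMode yes

# everything else
Host *
    User root
    IdentityFile ~/.ssh/id_rsa
EOF
}

# resolve_option <config> <hostname> <keyword>: print the value ssh would use.
resolve_option() {
  awk -v want="$2" -v key="$3" '
    # turn an ssh_config pattern into an anchored regular expression
    function glob_match(pat, s) {
      gsub(/[.]/, "\\.", pat); gsub(/\*/, ".*", pat); gsub(/\?/, ".", pat)
      return s ~ ("^" pat "$")
    }
    BEGIN { active = 1 }                      # options before any Host apply to all
    /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
    tolower($1) == "host" {
      active = 0
      for (i = 2; i <= NF; i++) if (glob_match($i, want)) active = 1
      next
    }
    active && !done && tolower($1) == tolower(key) { print $2; done = 1 }
  ' "$1"
}

# Demo: resolve a few names against the sample, then cross-check with ssh -G if present.
CFG=$(mktemp)
write_sample_config "$CFG"
for h in londonfw01 10.100.2.252 otherhost; do
  printf '%-14s User=%s IdentityFile=%s BatchMode=%s\n' "$h" \
    "$(resolve_option "$CFG" "$h" User)" \
    "$(resolve_option "$CFG" "$h" IdentityFile)" \
    "$(resolve_option "$CFG" "$h" BatchMode)"
done
if command -v ssh >/dev/null 2>&1; then
  ssh -G -F "$CFG" londonfw01 2>/dev/null | grep -Ei '^(user|identityfile|batchmode) ' || true
fi
rm -f "$CFG"
```

The thing to notice is the ordering: if `Host *` came first, every later block's `User` line would be ignored, which is the most common reason a per-host entry "does nothing".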

archie100
2013-02-18, 23:29
Thanks, I created the file "config" in the .ssh folder, do I need to call it somewhere? How does SSH know to read this file?

Secondly, I am working in my lab environment, I have a similar working scenario in production and I have looked at the .ssh folder, and there is no other config file in the .ssh folder except for public and private keys.

Also, my user id is admin, and I have logged in as admin on Smart Center.
when I try to ssh to gateway using command "ssh x.x.x.x" I get the following prompt:

[Expert@TestSmart]ssh x.x.x.x
[Expert@TestSmart]root@x.x.x.x's password:

It seems like I am trying to login as user "admin" but Smart Center is looking for user "root"'s password? I think this is a problem...not sure why it's happening...

northlandboy
2013-02-18, 23:49
> Thanks, I created the file "config" in the .ssh folder, do I need to call it somewhere? How does SSH know to read this file?
>
> Secondly, I am working in my lab environment, I have a similar working scenario in production and I have looked at the .ssh folder, and there is no other config file in the .ssh folder except for public and private keys.
>
> Also, my user id is admin, and I have logged in as admin on Smart Center.
> when I try to ssh to gateway using command "ssh x.x.x.x" I get the following prompt:
>
> [Expert@TestSmart]ssh x.x.x.x
> [Expert@TestSmart]root@x.x.x.x's password:
>
> It seems like I am trying to login as user "admin" but Smart Center is looking for user "root"'s password? I think this is a problem...not sure why it's happening...

Read the manpage for ssh_config. It explains how SSH looks at config files.

It gets a bit messed up by Check Point's use of the "admin" account. The problem is that the UID on that account is 0. In Unix terms, 0 is the root account. You may find that you need to put the config file into root's ~/.ssh/ folder.

cciesec2006
2013-02-19, 07:11
> Read the manpage for ssh_config. It explains how SSH looks at config files.
>
> It gets a bit messed up by Check Point's use of the "admin" account. The problem is that the UID on that account is 0. In Unix terms, 0 is the root account. You may find that you need to put the config file into root's ~/.ssh/ folder.

Northlandboy,
Have you ever managed to get it to work? If so, please share what you find here instead of "try this and try that" :cool:

here is what you need to do:

1- on the server:
a) ssh-keygen -t rsa -b 2048
b) transfer the id_rsa.pub from the smartcenter to gateway /tmp directory

2- on the gateway:
a) edit the /etc/ssh/sshd_config as follows:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
DenyUsers shutdown halt nobody ntp pcap rpm
AllowGroups root admin

b) restart ssh with "service sshd restart"

c) in the /root/.ssh directory, do this: cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys

d) chmod 700 /root/.ssh/authorized_keys

now you can log into the gateway directly from the smartcenter using this command: ssh root@ip_gateway, without using a password.


Easy right?

alienbaby
2013-02-19, 14:25
I have a script that will take care of this for you.

It also edits scpusers, and installs a banner.

I'll make it more supportable and post it soon..

alienbaby
2013-02-19, 15:50
The following script can be used on a Management server to install its SSH identity onto remote SecurePlatform gateways/hosts.

Assumes the remote gateway is SecurePlatform and the username is 'admin'.
The script takes advantage of the UID zero problem in SecurePlatform but does not require it.
The script does not assume it is being executed on a SecurePlatform management server. Note the AUTHSTRING variable pulls in whatever ssh would choose as its default identity. Hence you don't have to use the -i option every time you execute ssh or scp.
The script also has the added functionality of installing a banner, which everyone should have configured for legal reasons.

Usage is ./scriptname <hostname | IP_address>

Example:

./configssh londonfw01
./configssh 10.100.2.252


Let me know if it works or doesn't work for you. It's always nice to know one way or the other.

As always.. No warranty is given or implied. Use at your own risk.




#!/bin/bash

# This program is distributed in the
# hope that it will be useful, but WITHOUT ANY WARRANTY; without
# even the implied warranty of MERCHANTABILITY or FITNESS FOR
# A PARTICULAR PURPOSE.

# Be sure you have provided a banner; if you haven't, this step will be skipped.
BANNERFILE="/etc/banner"

# Validate that a hostname argument was provided
if [ -z "$1" ]; then
    echo "Usage:"
    echo
    echo "$0 <hostname>"
    echo
    echo "Install default SSH identity into a remote SecurePlatform gateway's authorized_keys, enable the banner and add the admin user to /etc/scpusers."
    echo "Assumes remote system is CheckPoint SecurePlatform."
    echo
    exit 1
fi

# Check for identities. With no -f, ssh-keygen -y asks for the key file; the empty
# line accepts its default path, so AUTHSTRING holds the public key of the identity
# ssh itself would offer.
AUTHSTRING=$(echo "" | ssh-keygen -y 2> /dev/null)
return_val=$?

if [ "$return_val" -eq 0 ]; then
    echo "++ Found identity."
else
    echo -e "FATAL: No recognized identities found; id_dsa.pub or id_rsa.pub required.\n\nRunning the following command should resolve the issue:\n ssh-keygen -b 2048 -t rsa -N \"\"\n\n "
    exit 1
fi

# Upload the found identity's public key to the remote authorized_keys file
echo "++ Beginning process to install identity into remote authorized_keys"
echo
echo "++ Please accept the fingerprint and enter the password for admin."
echo
echo
printf '%s\n' "${AUTHSTRING}" | ssh admin@"${1}" "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys" || exit 1

# add admin to scpusers
echo "++ Putting admin into /etc/scpusers"
ssh -q admin@"$1" "echo admin > /etc/scpusers"

# upload a banner; skip if one does not exist on the current system
if [ -e "$BANNERFILE" ]; then
    echo "++ Uploading Banner file"
    scp -q "${BANNERFILE}" admin@"${1}":/etc/banner

    # Change the banner statement in the default sshd_config
    echo "++ Modifying /etc/ssh/sshd_config to enable Banner feature"
    ssh -q admin@"$1" "sed -i.orig 's/#Banner \/some\/path/Banner \/etc\/banner/' /etc/ssh/sshd_config"
fi

# restart sshd so the banner setting takes effect
ssh -q admin@"$1" /etc/init.d/sshd restart

echo
echo "Test by sshing into the remote gateway: ssh admin@${1}"
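Both cciesec2006's manual recipe and the script above push the public key with `cat >> authorized_keys`, so every re-run duplicates the entry, and neither checks that the key line is well-formed or that the file modes sshd needs are in place (with the default `StrictModes yes`, a group- or world-writable home, ~/.ssh or authorized_keys makes sshd ignore the file, and all the client sees is a password prompt). The script below is an added example of mine, not either poster's code: it installs a key idempotently and audits the modes. It is meant to run on the gateway itself (for instance through the same `ssh admin@<gateway> ...` channel the thread uses); the file name install_key.sh and the key lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not cciesec2006's or alienbaby's code: idempotent authorized_keys
# install plus a StrictModes-style permission audit. Constructed sample keys only.
set -eu

# Key types sshd accepts, followed by a base64 blob and an optional comment.
KEY_RE='^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'

# install_pubkey <home_dir> <pubkey_line>: prints "added" or "present".
# Returns 2 without touching anything if the line is not a public key.
install_pubkey() {
  home=$1; line=$2; akf=$home/.ssh/authorized_keys
  printf '%s\n' "$line" | grep -Eq "$KEY_RE" || {
    echo "rejected: not a public key line" >&2; return 2; }
  (umask 077; mkdir -p "$home/.ssh"; touch "$akf")
  # compare on type + blob only: the trailing comment may legitimately differ
  id=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
  if awk -v want="$id" '($1 " " $2) == want { found = 1 } END { exit !found }' "$akf"; then
    echo present
  else
    printf '%s\n' "$line" >> "$akf"
    echo added
  fi
  chmod 700 "$home/.ssh"; chmod 600 "$akf"
}

# mode_bad <path>: true if group or other has the write bit (what StrictModes rejects)
mode_bad() { [ "$(ls -ld "$1" | cut -c6,9)" != "--" ]; }

# audit_ssh_dir <home_dir>: report anything that would make sshd skip authorized_keys.
audit_ssh_dir() {
  home=$1; rc=0
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$p" ]; then echo "missing: $p"; rc=1
    elif mode_bad "$p"; then echo "group/other writable: $p"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "ok: $home"
  return "$rc"
}

# With two arguments it installs for real: sh install_key.sh <home_dir> "<pubkey line>"
# With none it runs a demo in a scratch directory using a constructed key.
if [ $# -ge 2 ]; then
  install_pubkey "$1" "$2"; audit_ssh_dir "$1"
else
  H=$(mktemp -d)
  K='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedblob0000000000000000000000 admin@smartcenter'
  install_pubkey "$H" "$K"        # added
  install_pubkey "$H" "$K"        # present
  audit_ssh_dir "$H"              # ok
  chmod 660 "$H/.ssh/authorized_keys"
  audit_ssh_dir "$H" || echo "sshd would ignore this file until the mode is fixed"
  rm -rf "$H"
fi
```

The permission audit is the part worth keeping around: when key login "stops working" after someone edits files on the gateway, a writable ~/.ssh or authorized_keys is the usual cause, and sshd reports it only in its own log, never to the client.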

archie100
2013-02-20, 00:14
Thanks Guys, for all your assistance.
I fixed it and it's all good now!
This forum rocks!
Cheers, Archie :)

northlandboy
2013-02-20, 05:33
> Northlandboy,
> Have you ever managed to get it to work?

Yes, I have done this sort of thing, many times. I don't do it on a daily basis now though, so I don't recall the exact magic spell. What I do remember is the concepts, and I know which documentation I need to look at, so I can always figure it out again in future.

archie100
2013-02-22, 02:10
Hi guys, it's all working sweet, but I have one more query.

I can now login to my gw from expert mode, even without a user ID.
I can simply type ssh x.x.x.x and it works!

Does this also allow me to scp to gateways without using the password?

Is there any change I need to make to automate it?

I have a tripwire script that runs on Smart Center and scps an encrypted file to the gateways, so I need it to be able to do so without using a password.

cheers :)

northlandboy
2013-02-22, 14:24
> Hi guys, it's all working sweet, but I have one more query.
>
> I can now login to my gw from expert mode, even without a user ID.
> I can simply type ssh x.x.x.x and it works!
>
> Does this also allow me to scp to gateways without using the password?
>
> Is there any change I need to make to automate it?
>
> I have a tripwire script that runs on Smart Center and scps an encrypted file to the gateways, so I need it to be able to do so without using a password.
>
> cheers :)

Have you configured /etc/scpusers ? See alienbaby's post above.

You should then be able to test out using SCP.