CPUG: The Check Point User Group


Thread: Login attempt for nonexistent user

  1. #1

    Login attempt for nonexistent user

    I have many cases where I can't log in to an existing account ('newadmin' below) on an 1100, and at the same time /var/log/messages shows the message 'authpriv.warn dropbear[640]: [SSH] Login attempt for nonexistent user'.

    Code:
    [irek@nms01m bin]$ ssh admin@10.199.246.1
    Warning: Permanently added '10.199.246.1' (RSA) to the list of known hosts.
    admin@10.199.246.1's password: 
    1100> show software-version 
    This is Check Point's 1100 Appliance R77.20.00 - Build 289
    1100> show administrators
    username   permission   
    ...    
    admin      read-write   
    newadmin     read-write   
    1100> set administrator username newadmin  password
    Enter password: 
    Enter password (again): 
    1100> exit
    Connection to 10.199.246.1 closed.
    [irek@nms01m bin]$ ssh newadmin@1.1.1.1
    Warning: Permanently added '1.1.1.1' (RSA) to the list of known hosts.
    newadmin@1.1.1.1's password: 
    Permission denied, please try again.
    newadmin@1.1.1.1's password: 
    Permission denied, please try again.
    newadmin@1.1.1.1's password: 
    Permission denied (publickey,password).

  2. #2

    Re: Login attempt for nonexistent user

    Did it add the user to /etc/passwd? Pretty sure that is what would cause it to throw that error.

    BTW this kind of thing is better done with RADIUS. You can have the firewall send some RADIUS attribute and then have the RADIUS server thumbs up or down the login. This also means you have central user auth where you can turn up 2-factor auth as well, and you don't have to mess with creating admins all over the place.

    I'd still ditch clish as the default shell. It's such a pain to automate stuff going through clish.

  3. #3

    Re: Login attempt for nonexistent user

    Correct, nothing in /etc/passwd. I was going to add the user and make it use bash as the default lol

  4. #4

    Re: Login attempt for nonexistent user

    FW> set administrator username newadmin password
    Enter password:
    Enter password (again):
    FW> exit
    [Expert@FW]# cat /etc/passwd
    ### Never edit this file manually. In order to login as expert and allow scp access, run "bashUser on" ###
    root:!:0:0:root:/:/bin/false
    nobody:x:99:99:nobody:/nonexistent:/bin/false
    ntp:x:38:38::/nonexistent:/bin/false
    rpm:x:37:37::/nonexistent:/bin/false
    pcap:x:77:77::/nonexistent:/bin/false
    admin:x:0:0:Linux User,,,:/:/bin/bash
    newadmin:x:0:0:Linux User,,,:/:/bin/clish
    [Expert@FWCKP750]# fw ver
    This is Check Point's 750 Appliance R77.20.31 - Build 952
    [Expert@FWCKP750]#

    Worked for me. Upgrade the image?

  5. #5

    Re: Login attempt for nonexistent user

    Yeah, looks like too many of these where clish doesn't create the bash user are R77.20.00 - Build 289... I found 3 more. It doesn't happen on R75.x nor on R77.20 except build 289 ;(
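The check from post #4 as a script, added here as an example that is not from the thread: it lists clish administrators that have no /etc/passwd entry and counts the dropbear warning quoted in the first post. The administrator list, passwd contents and log lines are constructed samples modelled on the thread's output.

```shell
#!/bin/sh
# Added example (not from the thread). Cross-checks the clish administrator
# list against /etc/passwd and counts dropbear "nonexistent user" warnings.

# Constructed sample of "show administrators" output.
ADMINS_OUTPUT='username   permission
...
admin      read-write
newadmin   read-write'

# Constructed sample of /etc/passwd; newadmin is missing, as on the affected build.
PASSWD_CONTENT='root:!:0:0:root:/:/bin/false
nobody:x:99:99:nobody:/nonexistent:/bin/false
admin:x:0:0:Linux User,,,:/:/bin/bash'

# Constructed sample of /var/log/messages lines (timestamps/hosts are made up).
LOG_SAMPLE='Jan  1 10:00:01 FW authpriv.warn dropbear[640]: [SSH] Login attempt for nonexistent user
Jan  1 10:00:05 FW authpriv.warn dropbear[640]: [SSH] Login attempt for nonexistent user
Jan  1 10:01:00 FW authpriv.info dropbear[655]: [SSH] Password auth succeeded for admin'

# missing_admins ADMINS PASSWD
# Prints every administrator name (first column, header and "..." skipped)
# that has no matching user field in the passwd content. Username is
# compared as a literal string, so no regex escaping is needed.
missing_admins() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $1 }' | while read -r u; do
    if ! printf '%s\n' "$2" | awk -F: -v u="$u" '$1 == u { f = 1 } END { exit f ? 0 : 1 }'; then
      printf '%s\n' "$u"
    fi
  done
}

# count_nonexistent_login_attempts LOG
# Returns how many dropbear "nonexistent user" warnings the log extract holds.
count_nonexistent_login_attempts() {
  printf '%s\n' "$1" | grep -c 'dropbear\[[0-9]*\]: \[SSH\] Login attempt for nonexistent user' || true
}

# On a live appliance (expert mode) the same checks would read the real files:
#   missing_admins "$(clish -c 'show administrators')" "$(cat /etc/passwd)"
#   count_nonexistent_login_attempts "$(cat /var/log/messages)"
missing_admins "$ADMINS_OUTPUT" "$PASSWD_CONTENT"
count_nonexistent_login_attempts "$LOG_SAMPLE"
```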
