CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: unable to use clish

  1. #1
    Join Date
    2014-11-23
    Posts
    32
    Rep Power
    0

    unable to use clish

    I have a management server running R80.10. When I try to invoke clish I get the message "CLINFR0479 you can't start an interactive session from another interactive session". The default shell for the admin account is /etc/cli.sh, however when I log on I get a bash shell.

    I have tried creating another user account with the web GUI with a default shell of /etc/cli.sh and I have ticked the box "clish access". However I am still getting the same CLINFR0479 error message. If I do echo $SHELL I can see it's /bin/bash.

    Wondered if anyone has had similar issues? I've looked on the Checkpoint website but I can't find anything for this error in version R80.10.

  2. #2
    Join Date
    2014-09-02
    Posts
    339
    Rep Power
    10

    Re: unable to use clish

    I remember there being something about clish lock files in /tmp. Are there files in there? Try deleting them (or temporarily moving them elsewhere).

    -E

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,615
    Rep Power
    8

    Re: unable to use clish

    Quote Originally Posted by PeterSmith78:
    I have a management server running R80.10. When I try to invoke clish I get the message "CLINFR0479 you can't start an interactive session from another interactive session". The default shell for the admin account is /etc/cli.sh, however when I log on I get a bash shell.

    I have tried creating another user account with the web GUI with a default shell of /etc/cli.sh and I have ticked the box "clish access". However I am still getting the same CLINFR0479 error message. If I do echo $SHELL I can see it's /bin/bash

    Wondered if anyone has had similar issues? I've looked on the Checkpoint website but I can't find anything for this error in version R80.10
    What does
    md5sum /etc/cli.sh /bin/bash
    Return?

    What does
    egrep admin /etc/passwd
    Return?


    Hmm maybe
    egrep admin /etc/config/active
    As well

  4. #4
    Join Date
    2014-11-23
    Posts
    32
    Rep Power
    0

    Re: unable to use clish

    Many thanks for the replies. The output of the commands is shown below (the last command, "egrep admin /etc/config/active", does not produce any output).

    [Expert@FWMANAGE01:0]# md5sum /etc/cli.sh
    b9ee9652eafefbe055aeb953a77df62b /etc/cli.sh
    [Expert@FWMANAGE01:0]#
    [Expert@FWMANAGE01:0]# egrep admin /etc/passwd
    admin:x:0:0::/home/admin:/etc/cli.sh
    [Expert@FWMANAGE01:0]#
    [Expert@FWMANAGE01:0]# egrep /etc/config/active

    [Expert@FWMANAGE01:0]#

  5. #5
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,136
    Rep Power
    11

    Re: unable to use clish

    What is the prompt you get when you log on via ssh?
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  6. #6
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,615
    Rep Power
    8

    Re: unable to use clish

    Quote Originally Posted by PeterSmith78:
    Many thanks for the replies. The output of the commands is shown below (the last command, "egrep admin /etc/config/active", does not produce any output).

    [Expert@FWMANAGE01:0]# md5sum /etc/cli.sh
    b9ee9652eafefbe055aeb953a77df62b /etc/cli.sh
    [Expert@FWMANAGE01:0]#
    [Expert@FWMANAGE01:0]# egrep admin /etc/passwd
    admin:x:0:0::/home/admin:/etc/cli.sh
    [Expert@FWMANAGE01:0]#
    [Expert@FWMANAGE01:0]# egrep /etc/config/active

    [Expert@FWMANAGE01:0]#
    Are you using TACACS or RADIUS for logins? BTW you left off the md5sum of /bin/bash.

  7. #7
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,615
    Rep Power
    8

    Re: unable to use clish

    BTW I think the locks Eric was talking about are in sk108058.

    rm -i /tmp/clish.*

  8. #8
    Join Date
    2014-11-23
    Posts
    32
    Rep Power
    0

    Re: unable to use clish

    Thanks for replies:

    - The MD5 of /bin/bash is as follows:
    [Expert@FWMANAGE01:0]# md5sum /bin/bash
    4d51f636f07ff89cd5a556a821d2fd1e /bin/bash

    - I am using a TACACS server for administrator accounts for users who connect via Smart Console. Will this affect the admin account? (I set up the admin account password locally on the management server when prompted. I thought that this was simply a local account on the server itself. There is no other user called "admin")

    - What login do I get when I connect via SSH? I get the following:
    login as: admin
    This system is for authorized use only.
    admin@xxxxxxx's password:
    Last login: Sun Apr 8 09:42:44 2018 from xxxx.xxxx.net
    FWMANAGE01> expert
    Enter expert password:

    Warning! All configurations should be done through clish
    You are in expert mode now.

    [Expert@FWMANAGE01:0]#
    [Expert@FWMANAGE01:0]# echo $SHELL
    /bin/bash


    - Should I try the command rm -i /tmp/clish.* ? It seems odd because if I look in the /tmp area I can't see any files with that name:
    [Expert@FWMANAGE01:0]# cd /tmp
    [Expert@FWMANAGE01:0]# ls | grep cli
    cliapi.sock
    clishd.sock
    clisrvr.sock
    gui_clients_commands_file
    gui_clients_output_file
    iclid
    [Expert@FWMANAGE01:0]#



    Thanks

  9. #9
    Join Date
    2008-07-31
    Location
    Netherlands, Europe
    Posts
    1,136
    Rep Power
    11

    Re: unable to use clish

    Quote Originally Posted by PeterSmith78:
    - What login do I get when I connect via SSH? I get the following:
    login as: admin
    This system is for authorized use only.
    admin@xxxxxxx's password:
    Last login: Sun Apr 8 09:42:44 2018 from xxxx.xxxx.net
    FWMANAGE01> expert
    Enter expert password:

    Warning! All configurations should be done through clish
    You are in expert mode now.

    [Expert@FWMANAGE01:0]#
    So, you log in into clish, you instantly go into expert mode and then try to get back to clish mode. Then it all works as designed.
    When you start in CLISH, the FWMANAGE01> prompt shows you are in CLISH mode. When you then move to expert mode (/bin/bash), you get the FWMANAGE01# prompt. Now, when you want to go to clish again, just exit expert mode by pressing <Ctrl>-D.

    Typing clish in expert mode to go back will give you the exact error you showed in your first post: "CLINFR0479 you can't start an interactive session from another interactive session".
    Last edited by msjouw; 2018-04-08 at 16:49.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  10. #10
    Join Date
    2014-11-23
    Posts
    32
    Rep Power
    0

    Re: unable to use clish

    Thanks for your reply. Yes, you are quite right! (I was expecting a clish prompt.)

  11. #11
    Join Date
    2014-09-02
    Posts
    339
    Rep Power
    10

    Re: unable to use clish

    So, you were trying to go from clish >to> bash >to> clish? Definite no-go.

    However, if your default shell is bash, you can launch clish as a secondary shell. Very common/useful for those who find themselves automatically going into "expert" every time they log in.

    -E

  12. #12
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    223
    Rep Power
    12

    Re: unable to use clish

    Quote Originally Posted by EricAnderson:
    So, you were trying to go from clish >to> bash >to> clish? Definite no-go.

    However, if your default shell is bash, you can launch clish as a secondary shell. Very common/useful for those who find themselves automatically going into "expert" every time they log in.

    -E
    This is how my systems are set up. I find it useful to be able to run 'ssh user@someSystem netstat -rn' and the like, so my default shell is BASH. When I need to make certain config changes, I use 'sudo -u admin -s' to elevate, then I enter CLISH.
    Zimmie

  13. #13
    Join Date
    2014-09-02
    Posts
    339
    Rep Power
    10

    Re: unable to use clish

    Quote Originally Posted by Bob_Zimmerman:
    This is how my systems are set up. I find it useful to be able to run 'ssh user@someSystem netstat -rn' and the like, so my default shell is BASH. When I need to make certain config changes, I use 'sudo -u admin -s' to elevate, then I enter CLISH.
    Understood, and completely valid. I didn't mean to imply otherwise.

    My preferred solution is to create a separate account (I like to use "adminbash") that defaults to /bin/bash. For a larger organization with many admins, it's better practice (but not very realistic) to have individual accounts for everyone, and maybe have a shared "bash" account (used for scp and the like) that uses the same password that's used for "expert" mode.

    I'm sure there are plenty of other good ideas/uses out there. My question is, does anyone use any of the other shells offered in Gaia (like maybe "scponly")?

    -E

  14. #14
    Join Date
    2007-03-30
    Location
    DFW, TX
    Posts
    223
    Rep Power
    12

    Re: unable to use clish

    Quote Originally Posted by EricAnderson:
    Understood, and completely valid. I didn't mean to imply otherwise.

    My preferred solution is to create a separate account (I like to use "adminbash") that defaults to /bin/bash. For a larger organization with many admins, it's better practice (but not very realistic) to have individual accounts for everyone, and maybe have a shared "bash" account (used for scp and the like) that uses the same password that's used for "expert" mode.

    I'm sure there are plenty of other good ideas/uses out there. My question is, does anyone use any of the other shells offered in Gaia (like maybe "scponly")?

    -E
    I didn't think you were implying it was bad. I was just providing some context in an attempt to explain why someone might set up a system that way.

    Your response touches on another big reason I like the setup I use. I have around 30 people who make changes on the firewalls and who log into them for troubleshooting. Setting them up this way lets everyone log in, copy files, elevate to root privileges, run debugs, and so on with no shared credentials. I really like being able to declare that a non-issue on audits.

    I actually do create an individual account per admin. I use TACACS for authentication, but I don't allow generic identification. A user defined on the ACS server but not on the firewalls can't log in. I then manage permissions using the user's local account. A given user gets the same, unique UID across the board. It can be a little tedious, and I wish Check Point offered a Salt minion, but it's not that bad.
    Zimmie
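As an added illustration (not code from this thread or from Check Point), here is a small audit over a constructed /etc/passwd excerpt in the same format as the "egrep admin /etc/passwd" output above: it lists each account's login shell (clish versus bash), picks out the accounts that land in bash and so can start clish as a secondary shell, and reports any UID shared by more than one account, which the per-admin setup described in the last two posts is meant to avoid. Every account name except admin is made up for the example.

```shell
# Constructed sample in the style of the thread's "egrep admin /etc/passwd"
# output. These lines are invented for the example, not from a real Gaia box.
SAMPLE_PASSWD='admin:x:0:0::/home/admin:/etc/cli.sh
monitor:x:102:100::/home/monitor:/etc/cli.sh
adminbash:x:0:0::/home/adminbash:/bin/bash
zimmie:x:1001:100::/home/zimmie:/bin/bash
alice:x:1002:100::/home/alice:/etc/cli.sh
backup:x:1001:100::/home/backup:/bin/bash'

# "user shell" for every account, so the login shell (clish or bash) is visible
# at a glance. The seventh colon-separated field of passwd is the login shell.
list_shells() {
    printf '%s\n' "$1" | awk -F: '{ print $1, $7 }'
}

# Accounts whose login shell is bash: these land in expert mode directly and
# can run clish as a secondary shell instead of nesting clish inside clish.
bash_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 == "/bin/bash" { print $1 }'
}

# UIDs shared by more than one account, with the account names. A bash alias
# of admin that reuses UID 0 is the usual hit; per-admin setups want this empty.
duplicate_uids() {
    printf '%s\n' "$1" | awk -F: '{ n[$3]++; u[$3] = u[$3] " " $1 }
        END { for (id in n) if (n[id] > 1) print id ":" u[id] }' | sort -n
}

# Run against the live file with: duplicate_uids "$(cat /etc/passwd)"
list_shells "$SAMPLE_PASSWD"
echo '--- bash accounts ---'
bash_accounts "$SAMPLE_PASSWD"
echo '--- shared UIDs ---'
duplicate_uids "$SAMPLE_PASSWD"
```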
