log onto a Secureplatform box via key?


All,
I am running Secureplatform NG with AI R55 with HFA 008.
From my linux workstation, I can log onto the Secureplatform box just fine with a password.  However, I would like to do it via private/public key instead of a password because I have scripts that need to copy files from the Splat box back to my linux workstation.  However, I just cannot get the private/public key to work on the splat box.  I can get private/public key to work from my linux workstation with the Nokia box just fine.  Furthermore, I can also get this to work between my linux workstation and another linux server, so I don't understand why it doesn't work with the Splat box. Here are my steps:
on the linux workstation:
1) ssh-keygen -t rsa
2) copy the id_rsa.pub from my linux workstation into the authorized_keys on the Splat box
3) restart sshd on the splat box
4) connect from the linux workstation: 
ssh -l admin splat_IP_address
That doesn't work. What am I doing wrong?
Help.
David
P.S. I notice that when I run "ssh-keygen -t rsa" on the Splat box, it puts the "id_rsa" and "id_rsa.pub" under the /root/.ssh directory.  Is that normal, since "admin" is essentially "root" in splat?

__________________



One other thing I forgot to mention is that from the Splat box, I can establish private/public key to other unix/linux boxes just fine.  I have a problem when other unix/linux workstations want to log onto this splat box via public/private key authentication instead of a password.


David



__________________
nox



Run ssh with the verbose option

-vv

to see what's going on in the background; this should give you more info as to why it is failing....

ssh -l -vv

Hope it helps

__________________
RoxcoR Technologies www.pheusion.com Security / Cryptography / Application development
nox



Also,

If you are ssh'ing with the admin account, and the splat box is generating your RSA and DSA keys under root, then the ssh keys would not work for admin, as they are in the root account.

*I think*

__________________



All,


I've finally solved this problem.  Essentially, this is what has to be done:


1) On the splat box, run "ssh-keygen -t dsa" and save it in /root/.ssh/ directory


2) Create an authorized_keys file in the /etc/.ssh/ directory and put the public key of the linux client box into this file.


3) Modify the /etc/ssh/sshd_config file on the splatbox and remove the "root" under the "Deny users" line.


4) Restart sshd, i.e. service sshd restart, on the splat box.


5) On the linux client box: ssh -2 -v -l root splatbox_IP. This will take you directly into the "expert" mode on the splat box.


 



__________________



I spent some time writing and testing the instructions below.


Enjoy


-Robert H.


Using a Public-Private Key pair to connect as root to a Checkpoint Secureplatform (SPLAT) firewall from a Linux workstation via SSH

1. Login as root on the linux workstation and type the following:

ssh-keygen -t rsa

The system responds with the following text:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):

2. Continuing on the linux workstation, if you do not want the default path and/or name, type a new path and name for the file, then hit the enter key. Otherwise just hit the enter key. These instructions assume that the default file name, "id_rsa", was used.

The system responds with the following text:

Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):

3. Continuing on the linux workstation, type a passphrase, if desired, then hit the enter key.

The system responds with the following text:

Enter same passphrase again:

4. Continuing on the linux workstation, re-type the passphrase, then hit the enter key.

The system responds with something similar to the following text, if the default filenames are used:

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
68:68:70:ff:a7:28:1a:06:71:9d:a4:37:f3:ab:24:34 root@localhost.localdomain

5. Continuing on the linux workstation, edit the file /etc/ssh/ssh_config, and set the following configuration item:

IdentityFile ~/.ssh/id_rsa

6. If you are not already connected to the SPLAT firewall, login.

7. If you are not already in expert mode on the SPLAT firewall, switch to expert mode by typing the following:

expert

8. Copy the public key that was generated in steps 1, 2, 3, 4 above on the linux workstation to the "/tmp" directory on the SPLAT firewall.

9. Continuing on the SPLAT firewall, type the following on the SPLAT firewall. These instructions assume that root's home directory is "/root" and the public key file is "id_rsa.pub":

mkdir /root/.ssh
cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys
rm /tmp/id_rsa.pub

10. Continuing on the SPLAT firewall, edit the file /etc/ssh/sshd_config. Make sure the "Port" and "ListenAddress" are correct for your environment, and set the following configuration items:

StrictModes no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

11. If the username "root" is present on the "DenyUsers" line, remove it.

12. Continuing on the SPLAT firewall, save and exit the file /etc/ssh/sshd_config.

13. Continuing on the SPLAT firewall, type the following to restart the ssh daemon:

service sshd restart

14. Make sure your firewall rules allow ssh from the linux workstation to the SPLAT firewall, or stop the firewall (for testing purposes only) by typing the following on the SPLAT firewall:

cpstop

15. On the linux workstation, type the following to connect to the SPLAT firewall with ssh:

ssh -l root <IP address>

(You should connect without typing a password.)

16. If you have trouble, add a "-v" parameter to the above statement for troubleshooting on the linux workstation:

ssh -v -l root <IP address>



__________________
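Added example, not code posted by anyone in this thread: a POSIX sh audit of the sshd_config settings that David's fix and Robert's instructions change (DenyUsers, PubkeyAuthentication, StrictModes). It reads a config file given as an argument, so it can be pointed at /etc/ssh/sshd_config on the SPLAT box after editing; the sample configs it writes are constructed, and the "hardened" variant with PermitRootLogin is an assumption of mine, not something either poster recommended.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings the posts above touch when enabling key-based root login on SPLAT.
# sshd uses the FIRST occurrence of a keyword, so the helpers read only that.

# Print the first effective value of a keyword (case-insensitive) from $1.
sshd_opt() {
    awk -v k="$2" 'tolower($1)==tolower(k) { print $2; exit }' "$1"
}

# Return 0 if user $2 appears on the DenyUsers line of config $1.
sshd_denies_user() {
    awk -v u="$2" 'tolower($1)=="denyusers" { for (i=2; i<=NF; i++) if ($i==u) f=1 }
                   END { exit !f }' "$1"
}

# Classify the posture of config $1 for key login as root:
#   blocked - cannot work (root denied or PubkeyAuthentication off)
#   weak    - works, but StrictModes no skips the ~/.ssh permission checks
#   ok      - works with the permission checks still enforced
key_login_status() {
    pub=$(sshd_opt "$1" PubkeyAuthentication)
    strict=$(sshd_opt "$1" StrictModes)
    if sshd_denies_user "$1" root || [ "${pub:-yes}" != "yes" ]; then
        echo blocked
    elif [ "${strict:-yes}" != "yes" ]; then
        echo weak
    else
        echo ok
    fi
}

# Write a constructed sample config ($1 = before|after|hardened) to file $2.
write_sample_config() {
    case "$1" in
        before)   printf 'Port 22\nDenyUsers root nobody\nPubkeyAuthentication yes\n' ;;
        after)    printf 'Port 22\nStrictModes no\nPubkeyAuthentication yes\nAuthorizedKeysFile .ssh/authorized_keys\n' ;;
        hardened) printf 'Port 22\nStrictModes yes\nPubkeyAuthentication yes\nPermitRootLogin without-password\n' ;;
    esac > "$2"
}

# Stand-alone demo: report the posture of each constructed sample.
for kind in before after hardened; do
    tmp=$(mktemp)
    write_sample_config "$kind" "$tmp"
    printf '%-9s %s\n' "$kind" "$(key_login_status "$tmp")"
    rm -f "$tmp"
done
```

The "weak" result flags the StrictModes no setting from step 10: it makes the login work even when /root/.ssh or authorized_keys is group- or world-writable, so the safer fix is to leave StrictModes at its default and correct the permissions instead.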