Difference between revisions of "creating a new user on Gaia via CLI"
From cpwiki.net
(→set parameters) |
|||
| (4 intermediate revisions by one user not shown) | |||
| Line 1: | Line 1: | ||
| − | + | ==version== | |
| + | tested below commands on R75.40 | ||
| + | |||
| + | |||
| + | == switch to clish shell == | ||
| + | if you aren't here already or are at the expert prompt, just type... | ||
| + | |||
| + | [Expert@myfirewall]# clish | ||
| + | myfirewall> | ||
| + | |||
| + | Clish will give you the > prompt | ||
== add user == | == add user == | ||
| − | > add user jsmith uid | + | > add user jsmith uid 0 homedir /home/jsmith |
| + | |||
| + | (where jsmith should be replace with your username) | ||
| + | |||
| + | == set optional parameters == | ||
| + | > set user jsmith realname 'john smith' shell /bin/bash gid 100 | ||
== set password == | == set password == | ||
| Line 13: | Line 28: | ||
> add rba user jsmith access-mechanisms Web-UI,CLI | > add rba user jsmith access-mechanisms Web-UI,CLI | ||
| − | |||
| − | |||
| − | I don't like setting the user to the root UID. I think Check Point made a mess of the auth permissions as they have in the past. Without setting the root uid above, a user can't run fw commmands like "fw stat". | + | I don't like setting the user to the root UID, but this is how you get an account with root access. When adding via the web interfaces, it does the same thing. I think Check Point made a mess of the auth permissions as they have in the past. Without setting the root uid above, a user can't run fw commmands like "fw stat" and you get error upon login. |
| − | error: | + | example login error: |
| − | + | ||
/opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied | /opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied | ||
| Line 25: | Line 37: | ||
-rwxrwx--- 1 admin bin 82 Apr 4 2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh | -rwxrwx--- 1 admin bin 82 Apr 4 2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh | ||
| − | + | The users group needs to be added to /etc/ssh/sshd_config "AllowedGroups" line. All check point allows there is the root group. Go figure. Sounds insecure to me. | |
| + | |||
| + | When adding via the WebUI | ||
| + | # cat /etc/passwd|grep jsmith | ||
| + | jsmith:x:0:100:john smith:/home/jsmith:/bin/bash | ||
| − | |||
[[category:gaia]] | [[category:gaia]] | ||
Latest revision as of 19:59, 24 May 2016
Contents |
version
tested below commands on R75.40
switch to clish shell
if you aren't here already or are at the expert prompt, just type...
[Expert@myfirewall]# clish myfirewall>
Clish will give you the > prompt
add user
> add user jsmith uid 0 homedir /home/jsmith
(where jsmith should be replace with your username)
set optional parameters
> set user jsmith realname 'john smith' shell /bin/bash gid 100
set password
> set user jsmith password
set roles
> add rba user jsmith roles adminRole
set access
> add rba user jsmith access-mechanisms Web-UI,CLI
I don't like setting the user to the root UID, but this is how you get an account with root access. When adding via the web interfaces, it does the same thing. I think Check Point made a mess of the auth permissions as they have in the past. Without setting the root uid above, a user can't run fw commmands like "fw stat" and you get error upon login.
example login error:
/opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied
# ls -l /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh -rwxrwx--- 1 admin bin 82 Apr 4 2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh
The users group needs to be added to /etc/ssh/sshd_config "AllowedGroups" line. All check point allows there is the root group. Go figure. Sounds insecure to me.
When adding via the WebUI
- cat /etc/passwd|grep jsmith
jsmith:x:0:100:john smith:/home/jsmith:/bin/bash
