Difference between revisions of "creating a new user on secureplatform via CLI"

From cpwiki.net
Revision by Check Point Professional Services (edit summary: version)
(21 intermediate revisions by one user not shown)

Previous revision:

The following instructions are performed using the root (Expert) account.

1) create the user account with the standard Linux useradd command...

  [Expert@chkpfw]# useradd -d /home/username username

2) set the user password

  [Expert@chkpfw]# /usr/bin/passwd username

*** note *** the full path is required in the above command because Check Point aliases passwd to...

alias passwd='/bin/expert_passwd'

If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account

  [Expert@chkpfw]# passwd john
  Enter new expert password:          <<< if you see this prompt you messed up!

3) edit /etc/passwd: set UID and GID to zero and the default shell to /bin/cpshell. Failure to set the shell to cpshell will give the user account root privileges immediately upon login. This would not be secure.

john:x:0:0::/home/admin:/bin/cpshell

4) test your login with ssh. After a successful login, execute the "expert" command to gain root.

[[category:sysadmin]]

Current revision: the text shown under "Latest revision" below.

Latest revision as of 19:57, 24 May 2016


version

The following instructions are performed using the admin account in expert mode. We will create a regular user account whose privileges are restricted to cpshell. The user gains full expert access by entering expert mode. It is possible to have a regular user with a bash shell, but Check Point makes a mess of the standard Linux file and directory permissions, shell environments, etc., which makes creating such a user more work. That won't be covered here.

creating the user account

Create the user account with the standard Linux useradd command. Note that -o -u 0 gives the account UID 0 (a non-unique UID shared with root), so the -s /bin/cpshell login shell is the only thing restricting it; do not omit that option.

[Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -o -u 0 -G root -m jsmith

set the user password

[Expert@chkpfw]# /usr/bin/passwd jsmith
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

*** note *** the full path is required in the above command because Check Point aliases passwd to...

alias passwd='/bin/expert_passwd'

If you do not invoke the passwd binary by its full path, you will most likely not be setting the user's password but the expert password, which is actually the password for the root account.


Example of the incorrect way to reset a user password from the root (Expert) account:

[Expert@chkpfw]# passwd jsmith
Enter new expert password:          <<< if you see this prompt you messed up!
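The following is an added example, not code from the cpwiki article: a POSIX sh sanity check for the outcome of the steps above. It assumes only the /etc/passwd format and the passwd alias the article quotes; the passwd lines in it are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the cpwiki page): verify that a SecurePlatform user
# created with "useradd -o -u 0 -s /bin/cpshell" is really cpshell-restricted,
# and detect the expert-shell passwd alias before resetting a password.

# check_cpshell_user FILE USER
# Returns 0 when USER exists in FILE and is either non-root or restricted to
# /bin/cpshell; returns 1 when USER is missing, or has UID 0 with another
# shell (a UID-0 account with bash is fully root the moment it logs in).
check_cpshell_user() {
    file=$1; user=$2
    entry=$(awk -F: -v u="$user" '$1 == u' "$file")
    [ -n "$entry" ] || { echo "$user: no entry in $file"; return 1; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ "$uid" = "0" ] && [ "$shell" != "/bin/cpshell" ]; then
        echo "$user: UID 0 with shell $shell -> unrestricted root, expected /bin/cpshell"
        return 1
    fi
    echo "$user: uid=$uid shell=$shell OK"
    return 0
}

# passwd_is_aliased
# Returns 0 when "passwd" in the current shell resolves to an alias (the expert
# shell has alias passwd='/bin/expert_passwd'), i.e. a bare "passwd USER" would
# change the expert (root) password instead; use /usr/bin/passwd in that case.
passwd_is_aliased() {
    case $(type passwd 2>/dev/null) in
        *alias*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample /etc/passwd lines for demonstration (not from a real device).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jsmith:x:0:0::/home/jsmith:/bin/cpshell
jdoe:x:0:0::/home/jdoe:/bin/bash
EOF

check_cpshell_user "$sample" jsmith          # restricted: OK
check_cpshell_user "$sample" jdoe || echo "jdoe must be fixed before use"
passwd_is_aliased && echo "passwd is aliased: use /usr/bin/passwd"
rm -f "$sample"
```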

test new user account access

Test the account by connecting to the SPLAT device via ssh. After a successful login, you will be restricted to the commands available inside the cpshell environment. Type help at the prompt for a list of available commands. Run the "expert" command and enter the expert password to gain full privileges in a bash shell environment.

troubleshooting

If login failures occur, examine /var/log/secure and /var/log/auth files for error messages.