Difference between revisions of "creating a new user on secureplatform via CLI"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
(add user group to ssh AllowGroups)
(creating the user account)
Line 13: Line 13:
 
1) create user account with the standard linux useradd command...
 
1) create user account with the standard linux useradd command...
 
  [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith
 
  [Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith
 
+
[Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -g wheel -m jsmith
 
2) set the user password
 
2) set the user password
 
  [Expert@chkpfw]# /usr/bin/passwd jsmith
 
  [Expert@chkpfw]# /usr/bin/passwd jsmith

Revision as of 16:59, 5 April 2014

The following instructions are performed using the admin account in expert mode. We will create a regular user account with restricted priveleges in cpshell. Full expert access will be gained by the user by entering expert mode. It is possible to have a regular user with a bash shell. The problem is Check Point makes a mess of file and directory permissions, mangles shell environments, ect... This makes creating such a user more work. That won't be covered here.

fix /etc/profile permissions

Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check /etc/profile permissions, if users don't have read access, set it with chmod.

[Expert@chkpfw1]# chmod 644 /etc/profile

add user group to ssh AllowGroups

By default, SPLAT only allows members of the root group to ssh in. We will try to be secure and another group to the allowed list. I am being old fashioned, and using the legacy Unix wheel group

[Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config

creating the user account

1) create user account with the standard linux useradd command...

[Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith
[Expert@chkpfw]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -g wheel -m jsmith

2) set the user password

[Expert@chkpfw]# /usr/bin/passwd jsmith
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

*** note *** the full path is required in the above command because Check Point aliases passwd to...

alias passwd='/bin/expert_passwd'

If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account


Example of the incorrect way to reset a user password from the root (Expert) account:

[Expert@chkpfw]# passwd jsmith
Enter new expert password:          <<< if you see this prompt you messed up!

3) edit /etc/passwd...set UID and GUID to zero and default shell to /bin/cpshell. Failure to set the shell to cpshell will allow the user account root privileges immediately upon login. This would not be secure.

Example /etc/passwd lines

before editing

john:x:1002:1002::/home/admin:/bin/bash

what is should look like after editing

john:x:0:0::/home/admin:/bin/cpshell

4) test your login with ssh. after a successful login, execute the "expert" command to gain root.