Thread: Re: Adding paths on SPLAT

Re: Adding paths on SPLAT
United States | 2007-07-13 06:13:01
I've done this before with SecurePlatform NG Feature Pack 3 about 3 years ago.

1) on the linux client machine, generate a private/public key with "ssh-keygen -t rsa"
2) in the /home/sergio/.ssh directory, copy the id_rsa.pub over to the splat box /root/.ssh/authorized_keys file (you may have to create this file). Name it like xxx
3) assign permission "chmod 700" to the authorized_keys file.
4) cat xxx >> authorized_keys
5) you have to do something to the /etc/passwd file,
6) now from the linux client, do this: "ssh -v -l root SmartCenter_IP_address"

now you can log into the smartcenter without password. For extra protection, you can use "passphrase" during the "ssh-keygen -t rsa" key creation phase.

Hope that helps.
Sergio Alvarez <seralvar GMAIL.COM> wrote:

Thanks for your replies Francisco and David,

First of all, I'm very well aware of the fact that SPLAT is not Red Hat, I just mentioned it because I know it is based on it and there are certain things you can do on it as you would on RH.
I'm also very aware that SPLAT is a hardened OS and is not intended for anything else but running Check Point software, but I'm sure you guys know that sometimes you just need to bend things a bit when working with limited resources and are required to achieve miracles on a network.

This SPLAT machine is NOT a firewall, it's just running a SmartCenter and it is located in a very protected area of this network. As I mentioned before, several options have been analyzed prior to deciding to go with the solution we are trying to implement, and be sure we really know what we are doing. Actually I did not give out all the details of the deployment, so with all due respect, I don't think you are in a position to judge if I'm going in the right direction or not.

Regarding the info you provided about the paths where I could find the CPprofile and about the fact that with the admin user you are just getting a cpshell and not bash: that will be of big help, I had not thought about that, and maybe what we need is to make a change in the /etc/passwd file to allow admin to go straight to bash without having to use the expert command.

Once again, I really appreciate the time you took to reply to my posting.

Regards
On 7/12/07, David DeSimone wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Sergio Alvarez wrote:
> >
> > OK, so nobody answered anything about my previous posting (below),
> > but I found the SPLAT installation disc contains an RPM for Telnet, so
> > we are going to try with that.
>
> I think nobody answered you because we may feel that you are proceeding
> in the wrong direction. The solution you describe is probably going to
> be fragile, and not really work as effectively as you think it will.
>
> > This guy, obviously more Linux knowledgeable than me, says he tried
> > adding the extra paths he needs using $path:, and usually on any other
> > Red Hat, he adds that in .profile or /etc/profile so the changes are
> > not lost, but he did that in SPLAT and it did not work, so we need to
> > know how to go about that.
>
> SPLAT is not "just a red hat box with checkpoint on it." It is a
> hardened OS platform. That means many features you find on a generic
> Linux server will be missing, and that is BY DESIGN. Missing components
> and services cannot be exploited. If you add them, you are reducing the
> security of your box. This box is just a firewall, and you would do
> better to treat it as just that.
>
> Your customer installed SPLAT for a reason. If he wanted a regular Red
> Hat box running Checkpoint, then he should have installed that. I guess
> he would have been happier that way.
>
> One of the problems you are likely running into is that the admin
> account has a shell of /bin/cpshell, which cannot just run standard
> commands. If you want to proceed with this, you might need to create
> another account, or use the root account, which has a shell of /bin/bash.
>
> The bash shell should obey your expectations about reading .profile or
> /etc/profile in order to set paths correctly.
>
> The "expert" shell that you get is a subshell, and so it does not read
> the .profile or /etc/profile, but that will not necessarily be the case
> for a script that you launch via cron, or some other mechanism.
>
> - --
> David DeSimone == Network Admin == fox verio.net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous." -- Robert Benchley
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFGlrACFSrKRjX5eCoRAiBLAJ0eiMpjWlGyakMHtVuvKKvxeOT39ACfQ4md
> uj5aDH8GBH2GOBjSotQ7oxE=
> =DPD+
> -----END PGP SIGNATURE-----
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV amadeus.us.checkpoint.com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner ts.checkpoint.com
> =================================================
>
--
Sergio Alvarez
(506)8301342

Re: Adding paths on SPLAT
2007-07-13 10:27:08
Hello cisco4ng,

I never thought it was possible to login to a splat machine without requiring a password. I already added your procedure to my archive and for sure it will be of help at some point, but right now what we are trying to achieve is to run a script on the splat machine that will start a connection to a layer 3 switch to make some changes in the static routes when needed. So as you see, here the splat box is the client.

We analyzed the possibility of using ssh, but the switch OS does not allow adding a key as you explain in your procedure, so the only other way to go is adding a Telnet client daemon on splat, for which someone told me there is an rpm on the SPLAT installation disc.

We haven't tried it yet, but I'm hoping it will do the trick.

Thanks for your reply.

Regards
On 7/13/07, cisco4ng <cisco4ng yahoo.com> wrote:
>
> Here is the complete instruction:
>
> >1) on the linux machine, run "ssh-keygen -t rsa"
> >2) on the secureplatform, in expert mode:
> >   a) cd /root/.ssh
> >   b) ssh-keygen -t rsa
> >   c) touch authorized_keys
> >   d) chmod 700 authorized_keys
> >3) copy the id_rsa.pub from the linux machine to the SPLAT machine.
> >   (I had to do this via scp with password FROM the SPLAT box back
> >   to the linux machine).
> >4) on the splat box, "cat id_rsa.pub >> authorized_keys"
> >5) modify the sshd_config file on the SPLAT box as follows:
> >   DenyUsers shutdown halt nobody ntp pcap rpm
> >   AllowGroups admin root
> >6) on the splat box, "service sshd restart"
> >7) from the linux machine, I can do this:
> >   [root linux-10g .ssh]# ssh -l root 192.168.1.2
> >   Last login: Mon Feb 21 09:27:25 2005 from 192.168.1.100
> >   [Expert Checkpoint-cp01]#
>
--
Sergio Alvarez
(506)8301342
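The key-based login procedure cisco4ng posts above (in his first message and again in the "complete instruction" quoted here) drops a public key into /root/.ssh/authorized_keys and gives that file mode 700. As an added example that is not code from the thread, the Python below installs a client public key the same way but with the modes sshd's StrictModes check expects (0700 on ~/.ssh, 0600 on authorized_keys, no execute bit on a data file) and with the standard OpenSSH authorized_keys options from=, command=, no-pty and friends, so that a key used only for automation can log in from one client address and run one fixed command and nothing else. An audit function then flags the posted procedure's weak spots. The home directory, the forced command /usr/local/bin/route-sync.sh and the key material are constructed placeholders; the client address 192.168.1.100 is the one shown in the thread.

```python
# Added example, not code from the thread. It installs a client public key
# the way the posted procedure does, but with the modes sshd's StrictModes
# check expects (0700 on ~/.ssh, 0600 on authorized_keys) and with OpenSSH
# authorized_keys options that limit what a stolen key can do. The key
# below and the forced-command path are constructed placeholders.
import os
import stat
import tempfile

# Constructed placeholder; this is not real key material.
SAMPLE_PUBKEY = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC_PLACEHOLDER_KEY_MATERIAL "
                 "sergio@linux-client")


def restricted_entry(client_ip, forced_cmd, pubkey):
    """One authorized_keys line. from= accepts the key only from client_ip,
    command= runs forced_cmd whatever the client asks for, and the no-*
    options turn off forwarding and pty allocation for a batch-only key."""
    opts = [f'from="{client_ip}"', f'command="{forced_cmd}"',
            "no-port-forwarding", "no-agent-forwarding",
            "no-X11-forwarding", "no-pty"]
    return ",".join(opts) + " " + pubkey


def install_key(home_dir, entry):
    """Append entry to home_dir/.ssh/authorized_keys unless it is already
    there; returns the number of key lines afterwards."""
    ssh_dir = os.path.join(home_dir, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = [l.rstrip("\n") for l in f]
    if entry not in lines:
        with open(path, "a") as f:
            f.write(entry + "\n")
        lines.append(entry)
    os.chmod(path, 0o600)  # a data file: owner-readable only, never executable
    return sum(1 for l in lines if l.strip() and not l.startswith("#"))


def audit(home_dir):
    """Findings about the key layout; an empty list means nothing to report."""
    findings = []
    ssh_dir = os.path.join(home_dir, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    if stat.S_IMODE(os.stat(ssh_dir).st_mode) & 0o077:
        findings.append(".ssh is group/world accessible")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o022:
        findings.append("authorized_keys is group/world writable")
    if mode & stat.S_IXUSR:
        findings.append("authorized_keys has an execute bit set")
    with open(path) as f:
        for n, line in enumerate(f, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if "from=" not in line:
                findings.append(f"line {n}: key accepted from any address")
            if "command=" not in line:
                findings.append(f"line {n}: key grants an unrestricted shell")
    return findings


def demo():
    """Install a restricted key twice (the second run must not duplicate it),
    then reproduce the posted procedure's weak spots and audit again."""
    home = tempfile.mkdtemp()
    entry = restricted_entry("192.168.1.100",                 # client address from the thread
                             "/usr/local/bin/route-sync.sh",  # hypothetical forced command
                             SAMPLE_PUBKEY)
    first = install_key(home, entry)
    second = install_key(home, entry)
    clean = audit(home)
    path = os.path.join(home, ".ssh", "authorized_keys")
    with open(path, "a") as f:
        f.write(SAMPLE_PUBKEY + "\n")   # unrestricted key, as in the posted steps
    os.chmod(path, 0o700)               # "chmod 700 authorized_keys", as posted
    return {"first": first, "second": second, "clean": clean, "weak": audit(home)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The from= and command= options are read by sshd from the key line itself, so they hold even if the key's passphrase is removed or the private key is copied off the client; that is the control David asks for when he says whoever has the key can log in. With command= set, the "ssh -l root" login in step 7 of the posted instruction would run only the forced command instead of dropping the caller into the Expert shell, which is what an automation key should do.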

Re: Adding paths on SPLAT
2007-07-13 11:19:46
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sergio Alvarez <seralvar GMAIL.COM> wrote:
>
> I never thought it was possible to login to a splat machine without
> requiring a password.

In the given case you are logging in without a password because you configured the box to let you do that. However, not just anyone can login, because they have to have the specified RSA key that you generated. So you should keep the key safe since whoever has it can login.

The "root" account and "admin" account both run with UID 0, so the only real difference between them is that "admin" gets a cpshell by default, while "root" gets a bash shell.

> right now what we are trying to achieve is to run a script on the splat
> machine that will start a connection to a layer 3 switch to make some
> changes in the static routes when needed. So as you see, here the
> splat box is the client.

You will probably find it difficult to use just telnet commands to control a switch non-interactively, something like:

    { echo "username"; echo "password"; echo "show config"; } | telnet switch

probably will not work, because the switch might be sensitive to the timing of the text you enter, because it expects a person to be typing, rather than a program.

You will probably need the "expect" package, which allows you to write interactive scripts that will stop and wait for prompts from the switch before sending the next command/input.

The "expect" package requires TCL, so you will have to find a lot of packages in order to install it. But it is probably what you want.

Again I will repeat my point from my "judgmental" post: If what you really want is a box running Generic Linux (RedHat), maybe you should install just that. If SPLAT is getting in your way because it is difficult to add these sorts of custom configuration, perhaps you should install a more malleable RedHat release, and then simply run your SmartCenter software on top of that. Just a suggestion.

- --
David DeSimone == Network Admin == fox verio.net
"It took me fifteen years to discover that I had no
talent for writing, but I couldn't give it up because
by that time I was too famous." -- Robert Benchley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGl6YiFSrKRjX5eCoRAkJyAJ4hLP2CSFgkLztX/wZ3SYjX58Ap7QCfcb2q
gAFI29M72dgO4ly9w+Ipi7k=
=8QGA
-----END PGP SIGNATURE-----
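David's point above is that a canned transcript piped into telnet fails because the switch reads input on its own schedule, while an expect script waits for each prompt before answering. As an added example that is not code from the thread, the Python below runs both approaches against a constructed in-process "switch" that, like many real devices, discards whatever arrives before it has printed its prompt and gives up if nothing is typed within its login timeout. The username "admin", password "secret" and the prompts are constructed; "show config" is the command from David's example. No real telnet or expect is involved; the point is the read-until-prompt loop, which is what an expect script does for you.

```python
# Added example, not code from the thread: the naive "pipe everything in"
# approach versus the prompt-driven (expect-style) approach, run against a
# constructed switch simulator. Credentials and prompts are constructed.
import socket
import threading
import time

PROMPTS = [b"Username: ", b"Password: ", b"switch# "]
ANSWERS = [b"admin\n", b"secret\n", b"show config\n"]


def read_until(conn, marker, timeout=1.0):
    """expect's core loop: accumulate bytes until marker appears. On timeout
    or EOF return whatever arrived so far (the caller checks for marker)."""
    conn.settimeout(timeout)
    buf = b""
    while marker not in buf:
        try:
            chunk = conn.recv(4096)
        except OSError:          # includes socket timeout
            break
        if not chunk:            # peer closed
            break
        buf += chunk
    return buf


def drain(conn):
    """Throw away any input already queued (what a device does while it
    initialises and is not yet reading its terminal)."""
    conn.setblocking(False)
    try:
        while conn.recv(4096):
            pass
    except OSError:              # BlockingIOError: nothing queued
        pass
    finally:
        conn.setblocking(True)


def fake_switch(conn, accepted, boot_delay=0.2):
    """Constructed switch: for each prompt, discard early input, print the
    prompt, then wait up to one second for a line. Lines it actually reads
    are appended to accepted."""
    time.sleep(boot_delay)
    try:
        for prompt in PROMPTS:
            drain(conn)
            conn.sendall(prompt)
            line = read_until(conn, b"\n", timeout=1.0)
            if b"\n" not in line:
                break            # login timeout: nobody typed anything
            accepted.append(line.split(b"\n", 1)[0].strip().decode())
    finally:
        conn.close()


def naive_client(conn):
    """The { echo ...; } | telnet approach: everything is sent at once."""
    conn.sendall(b"".join(ANSWERS))
    return read_until(conn, b"switch# ", timeout=3.0)


def prompt_driven_client(conn):
    """The expect approach: wait for each prompt, then answer it."""
    for prompt, answer in zip(PROMPTS, ANSWERS):
        seen = read_until(conn, prompt, timeout=3.0)
        if prompt not in seen:
            raise RuntimeError(f"expected {prompt!r}, got {seen!r}")
        conn.sendall(answer)
    return True


def run(client):
    """Run one client against the simulated switch; returns the lines the
    switch actually accepted, in order."""
    a, b = socket.socketpair()
    accepted = []
    t = threading.Thread(target=fake_switch, args=(b, accepted))
    t.start()
    try:
        client(a)
        t.join()
    finally:
        a.close()
    return accepted


if __name__ == "__main__":
    print("naive:", run(naive_client))                  # []
    print("prompt-driven:", run(prompt_driven_client))  # ['admin', 'secret', 'show config']
```

The naive client's three lines all arrive before the switch prints "Username: ", so the switch throws them away and then times out waiting for a login; nothing is accepted. The prompt-driven client only ever writes after seeing the prompt it expects, which is the behaviour an expect script gives you with its expect/send pairs, and it fails loudly (with the prompt it expected and what it actually got) rather than silently when the device answers with something else, such as a "Login incorrect" banner.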

Re: Adding paths on SPLAT
2007-07-13 11:43:50
Hello David,

Thanks for the tip about the expect package, I'll check it out.

Your point about moving the SmartCenter to a Red Hat machine makes a lot of sense now that I see it from a different perspective. Thanks a lot for your feedback.

Regards
--
Sergio Alvarez
(506)8301342