

Change password for console expert user Checkpoint Splat


As seen many times, Checkpoint has its own way of doing otherwise simple and straightforward tasks. Changing
the password for a shell account is another example.
By default, when installed, Splat creates two console/OS users – admin and root. You can’t log in remotely
(i.e. by ssh) as root, because /etc/ssh/sshd_config contains this:
DenyUsers root shutdown halt nobody ntp pcap rpm
AllowGroups root

So, basically, you are left with the admin user to do all command-line tasks (Expert mode) – a security flaw by itself. But even more,
when you try to change the password of this user with the passwd command,
Checkpoint doesn’t let you. Even worse, it happily goes ahead and notifies you that the password has been
successfully changed and … you can still log in only with the old password. The reason is here:

[Expert@cp]# which passwd
alias passwd='/bin/expert_passwd'
/bin/expert_passwd
[Expert@cp]#

This way Splat tricks you into running a dummy ‘passwd’ of its own that is only good for the CPshell
environment. So to really change the password of the Expert user you have 2 options:
1) Through the Web device management GUI (not covered here)
2) Use the native passwd, see below

[Expert@cp]# /usr/bin/passwd rambo
Changing password for user rambo.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[Expert@cp]#

Here:
/usr/bin/passwd – Linux native passwd utility
rambo – Expert user I added to the system and then blocked remote login for user admin (or type admin for the default user).

Adding Expert user:
To add another user with id = 0 use switch -o:


[Expert@cp]# useradd -u 0 -g 0 -o -s /bin/bash rambo

Then change the password as per above and fix /etc/ssh/sshd_config to allow rambo login and block
admin login:

DenyUsers root shutdown halt nobody ntp pcap rpm admin
AllowGroups root
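
To check the end state of the steps above, this added example (not part of the original post) lists every UID-0 account in a passwd-format file and reports whether a DenyUsers line names it. The function names and the sample files are constructed for illustration, and only plain user names in DenyUsers are handled.

```shell
#!/bin/sh
# Added example, not from the original post.
# For every UID-0 account in a passwd-format file, report whether an
# sshd_config-format file names it on a DenyUsers line.
# Assumption: DenyUsers entries are plain user names, as in the post
# (sshd also accepts wildcard and user@host patterns, not handled here).
uid0_ssh_report() {
    passwd_file=$1
    sshd_conf=$2
    # sshd keywords are case-insensitive; commented-out lines do not match.
    denied=$(awk 'tolower($1) == "denyusers" { for (i = 2; i <= NF; i++) print $i }' "$sshd_conf")
    # Field 3 of passwd is the UID; useradd -o lets several names share UID 0.
    awk -F: '$3 == 0 { print $1 }' "$passwd_file" | while read -r user; do
        if printf '%s\n' "$denied" | grep -qxF -- "$user"; then
            echo "$user denied"
        else
            echo "$user not-denied"
        fi
    done
}

# Constructed sample data mirroring the end state described in the post.
demo_report() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:0:0:admin:/home/admin:/bin/bash
rambo:x:0:0::/home/rambo:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
EOF
    cat > "$tmp/sshd_config" <<'EOF'
DenyUsers root shutdown halt nobody ntp pcap rpm admin
AllowGroups root
EOF
    uid0_ssh_report "$tmp/passwd" "$tmp/sshd_config"
    rm -rf "$tmp"
}

demo_report
```

An account reported as not-denied is still subject to the AllowGroups line, which this check does not evaluate.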



3 Responses


  1. Valeri Loukine says

    I don’t get it. What’s the problem with changing the expert password in the first place? Yes, changing the admin password does not affect the expert password, it is like that by design. The idea is to have both admin and expert passwords that might be different. Executing passwd from expert mode does change the expert password.

  2. Yuri says

    What do you mean by “first place”?
    Nope, if you log in directly to expert mode, running passwd doesn’t change the pass, for the reason above. In no place do I refer to the admin user as a SmartConsole user, only ssh users.
    Yesterday I saw a case when changing the password of a user via HTTPS (webui) didn’t change the pass of the SSH user! Only changing it the way I usually do helped.

  3. Daniel Lukic says

    Hi Yuri,
    changing the admin user on a SPLAT box is done using: cpconfig
    If you want to change that admin’s password it’s: passwd
    If you want to change the expert password it’s: expert_passwd

    HTH, Daniel


