Difference between revisions of "creating a new user on Gaia via CLI"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
 
(One intermediate revision by one user not shown)
Line 1: Line 1:
where jsmith should be replace with your username
+
==version==
 +
tested below commands on R75.40
  
  
Line 12: Line 13:
 
== add user ==
 
== add user ==
 
  > add user jsmith uid 0 homedir /home/jsmith
 
  > add user jsmith uid 0 homedir /home/jsmith
 +
 +
(where jsmith should be replace with your username)
  
 
== set optional parameters ==
 
== set optional parameters ==
Line 26: Line 29:
  
  
I don't like setting the user to the root UID.  I think Check Point made a mess of the auth permissions as they have in the past.  Without setting the root uid above, a user can't run fw commmands like "fw stat".  
+
I don't like setting the user to the root UID, but this is how you get an account with root access.  When adding via the web interfaces, it does the same thing.  I think Check Point made a mess of the auth permissions as they have in the past.  Without setting the root uid above, a user can't run fw commmands like "fw stat" and you get error upon login.
 
   
 
   
error:
+
example login error:
 
+
 
  /opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied
 
  /opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied
  

Latest revision as of 19:59, 24 May 2016

Contents

version

tested below commands on R75.40


switch to clish shell

if you aren't here already or are at the expert prompt, just type...

[Expert@myfirewall]# clish
myfirewall>

Clish will give you the > prompt

add user

> add user jsmith uid 0 homedir /home/jsmith

(where jsmith should be replace with your username)

set optional parameters

> set user jsmith realname 'john smith' shell /bin/bash gid 100

set password

> set user jsmith password

set roles

> add rba user jsmith roles adminRole

set access

> add rba user jsmith access-mechanisms Web-UI,CLI


I don't like setting the user to the root UID, but this is how you get an account with root access. When adding via the web interfaces, it does the same thing. I think Check Point made a mess of the auth permissions as they have in the past. Without setting the root uid above, a user can't run fw commmands like "fw stat" and you get error upon login.

example login error:

/opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied
# ls -l /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh
-rwxrwx--- 1 admin bin 82 Apr  4  2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh

The users group needs to be added to /etc/ssh/sshd_config "AllowedGroups" line. All check point allows there is the root group. Go figure. Sounds insecure to me.


When adding via the WebUI

  1. cat /etc/passwd|grep jsmith
jsmith:x:0:100:john smith:/home/jsmith:/bin/bash