Difference between revisions of "creating a new user on Gaia via CLI"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
 
(6 intermediate revisions by one user not shown)
Line 1: Line 1:
where jsmith should be replace with your username
+
==version==
 +
tested below commands on R75.40
 +
 
 +
 
 +
== switch to clish shell ==
 +
if you aren't here already or are at the expert prompt, just type...
 +
 
 +
[Expert@myfirewall]# clish
 +
myfirewall>
 +
 
 +
Clish will give you the > prompt
  
 
== add user ==
 
== add user ==
  > add user jsmith uid 1005 homedir /home/jsmith
+
  > add user jsmith uid 0 homedir /home/jsmith
  
== set parameters ==
+
(where jsmith should be replace with your username)
 +
 
 +
== set optional parameters ==
 +
> set user jsmith realname 'john smith' shell /bin/bash gid 100
 +
 
 +
== set password ==
 
  > set user jsmith password
 
  > set user jsmith password
+
 
 
== set roles ==
 
== set roles ==
 
  > add rba user jsmith roles adminRole
 
  > add rba user jsmith roles adminRole
Line 13: Line 28:
 
  > add rba user jsmith access-mechanisms Web-UI,CLI
 
  > add rba user jsmith access-mechanisms Web-UI,CLI
  
== set uid to root ==
 
# set user jsmith uid 0
 
  
I don't like setting the user to the root UID.  I think Check Point made a mess of the auth permissions as they have in the past.  Without setting the root uid above, a user can't run fw commmands like "fw stat".  
+
I don't like setting the user to the root UID, but this is how you get an account with root access.  When adding via the web interfaces, it does the same thing.  I think Check Point made a mess of the auth permissions as they have in the past.  Without setting the root uid above, a user can't run fw commmands like "fw stat" and you get error upon login.
 
   
 
   
error:
+
example login error:
 
+
 
  /opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied
 
  /opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied
  
 +
# ls -l /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh
 +
-rwxrwx--- 1 admin bin 82 Apr  4  2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh
 +
 +
The users group needs to be added to /etc/ssh/sshd_config "AllowedGroups" line.  All check point allows there is the root group.  Go figure.  Sounds insecure to me.
 
   
 
   
 +
 +
When adding via the WebUI
 +
# cat /etc/passwd|grep jsmith
 +
jsmith:x:0:100:john smith:/home/jsmith:/bin/bash
 +
  
 
[[category:gaia]]
 
[[category:gaia]]

Latest revision as of 19:59, 24 May 2016

Contents

version

tested below commands on R75.40


switch to clish shell

if you aren't here already or are at the expert prompt, just type...

[Expert@myfirewall]# clish
myfirewall>

Clish will give you the > prompt

add user

> add user jsmith uid 0 homedir /home/jsmith

(where jsmith should be replace with your username)

set optional parameters

> set user jsmith realname 'john smith' shell /bin/bash gid 100

set password

> set user jsmith password

set roles

> add rba user jsmith roles adminRole

set access

> add rba user jsmith access-mechanisms Web-UI,CLI


I don't like setting the user to the root UID, but this is how you get an account with root access. When adding via the web interfaces, it does the same thing. I think Check Point made a mess of the auth permissions as they have in the past. Without setting the root uid above, a user can't run fw commmands like "fw stat" and you get error upon login.

example login error:

/opt/CPshrd-R75.40/tmp/.CPprofile.sh: line 96: /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh: Permission denied
# ls -l /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh
-rwxrwx--- 1 admin bin 82 Apr  4  2012 /opt/CPcvpn-R75.40/scripts/CVPNprofile.sh

The users group needs to be added to /etc/ssh/sshd_config "AllowedGroups" line. All check point allows there is the root group. Go figure. Sounds insecure to me.


When adding via the WebUI

  1. cat /etc/passwd|grep jsmith
jsmith:x:0:100:john smith:/home/jsmith:/bin/bash