Difference between revisions of "creating a new user on secureplatform via CLI"
Revision as of 15:51, 16 December 2013
The following instructions are performed using the root (Expert) account.
fix /etc/profile permissions
Check Point screws up the permissions on /etc/profile in SPLAT. In Gaia, it appears to be fixed. Regular users should have read access. Check the /etc/profile permissions; if users don't have read access, set them with chmod.
[Expert@chkpfw1]# chmod 644 /etc/profile
add user group to ssh AllowGroups
I am being old-fashioned and using the legacy Unix wheel group.
[Expert@chkpfw1]# sed -i -e 's/AllowGroups root/AllowGroups root wheel/' /etc/ssh/sshd_config
creating the user account
1) create user account with the standard linux useradd command...
[Expert@argo]# useradd -d /home/jsmith -s /bin/cpshell -G wheel -o -u 0 -g wheel -m jsmith
2) set the user password
[Expert@chkpfw]# /usr/bin/passwd jsmith
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
*** note *** the full path is required in the above command because Check Point aliases passwd to...
alias passwd='/bin/expert_passwd'
If you fail to execute the passwd binary by using the full path, you most likely won't be setting the user password, but the expert password... which is actually the password for the root account
Example of the incorrect way to reset a user password from the root (Expert) account:
[Expert@chkpfw]# passwd jsmith
Enter new expert password: <<< if you see this prompt you messed up!
3) edit /etc/passwd...set UID and GID to zero and the default shell to /bin/cpshell. Failure to set the shell to cpshell will give the user account root privileges immediately upon login. This would not be secure.
Example /etc/passwd lines
before editing
john:x:1002:1002::/home/admin:/bin/bash
what it should look like after editing
john:x:0:0::/home/admin:/bin/cpshell
4) test your login with ssh. after a successful login, execute the "expert" command to gain root.
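An added example, not from the original page, that audits the three things this procedure depends on: no UID-0 account other than root may have a shell other than /bin/cpshell (the step 3 mistake), the sshd AllowGroups line must list the user's group, and /etc/profile must be readable by others. The passwd and sshd_config content is constructed sample data; the functions read their input from stdin so they can be pointed at the real files.

```shell
#!/bin/sh
# Added example (not from the original page). All sample data is constructed.

# Constructed passwd content: root, two correct cpshell accounts, one
# mis-configured UID-0 account (john), and one ordinary user.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
admin:x:0:0::/home/admin:/bin/cpshell
jsmith:x:0:0::/home/jsmith:/bin/cpshell
john:x:0:0::/home/admin:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash'

# Constructed sshd_config fragments, before and after the sed from the
# "add user group to ssh AllowGroups" step.
SSHD_BEFORE='Port 22
AllowGroups root'
SSHD_AFTER='Port 22
AllowGroups root wheel'

# Read passwd-format text on stdin and print "user:shell" for every
# non-root account with UID 0 whose login shell is not /bin/cpshell.
# Such an account lands in a root shell straight from ssh.
audit_uid0_shells() {
    awk -F: '$1 != "root" && $3 == 0 && $7 != "/bin/cpshell" { print $1 ":" $7 }'
}

# Read sshd_config text on stdin; exit 0 if an AllowGroups line lists the
# group named in $1, 1 otherwise (without it, users in that group cannot
# log in over ssh at all).
allowgroups_has() {
    awk -v g="$1" '
        $1 == "AllowGroups" { for (i = 2; i <= NF; i++) if ($i == g) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Exit 0 if the octal mode string in $1 (e.g. "644" as printed by
# "stat -c %a /etc/profile" on GNU coreutils) grants read to "other".
mode_other_readable() {
    case "$1" in
        *[4567]) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_PASSWD" | audit_uid0_shells
printf '%s\n' "$SSHD_BEFORE" | allowgroups_has wheel || echo "before: wheel missing from AllowGroups"
printf '%s\n' "$SSHD_AFTER" | allowgroups_has wheel && echo "after: wheel present in AllowGroups"
mode_other_readable 644 && echo "mode 644: /etc/profile readable by users"
```

On a real box, run `audit_uid0_shells < /etc/passwd` and `allowgroups_has wheel < /etc/ssh/sshd_config` after finishing step 3.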