The Moose and Squirrel Files

August 28, 2008

Checkpoint Secureplatform Wisdom

Filed under: checkpoint — networknerd @ 8:22 pm

Enable SCP – sk26258

  • Go into expert mode and add users to the /etc/scpusers file. Create the file if necessary.
  • Restart sshd using the command service sshd restart

Enable IP Forwarding – sk25818

  • Go into expert mode and type the command "echo 1 > /proc/sys/net/ipv4/ip_forward"

Enable SSH Public Key Authentication – sk30366

  • Go into expert mode
  • mkdir $HOME/.ssh
  • chmod 0700 $HOME/.ssh
  • touch $HOME/.ssh/authorized_keys
  • chmod 0600 $HOME/.ssh/authorized_keys
  • vi $HOME/.ssh/authorized_keys
  • :$ (goes to the last line of the file)
  • A (appends to the end of the line)
  • paste in the key that you have copied from the client
  • esc (get out of insert mode)
  • :x (save the file and exit)

To be able to match a login to a user's key, perform the following steps.

  • vi /etc/ssh/sshd_config
  • find the Logging section and add an entry LogLevel VERBOSE
  • Restart sshd using the command service sshd restart
  • The fingerprint of the key used is then recorded in /var/log/secure
  • To check the fingerprints against the keys in authorized_keys you can use the getfingerprints.sh script below
 
#! /bin/bash

# Generate fingerprints for ssh public keys so we can match logons to users

# Create a temp file and bail out if we can't
TMPFILE=$(mktemp /tmp/fingerprint.XXXXXX) || exit 1
FPFILE=/home/admin/fingerprints.txt

# Check to see if a keyfile is specified, otherwise use admin's authorized_keys
if [ -r "$1" ]; then
  KEYFILE=$1
else
  KEYFILE=/home/admin/.ssh/authorized_keys
fi

# Cleanup temp files on exit
trap 'rm -f "${TMPFILE}"' 0

# Truncate the output file
cat /dev/null >"${FPFILE}"

# Hook up the authorized_keys file to file descriptor 3
exec 3< "${KEYFILE}"

# Loop through each key in the file (-r keeps any backslashes in the line intact)
while IFS= read -r REPLY <&3
do
        # Skip comment and blank lines; ssh-keygen -l fails on an empty file
        if ! echo "${REPLY}" | egrep -q '^[[:space:]]*(#|$)'; then
                # If not a comment then save the key and generate a fingerprint
                echo "${REPLY}" >"${TMPFILE}"
                /usr/bin/ssh-keygen -l -f "${TMPFILE}" >> "${FPFILE}"
        fi
done

# Close FD 3
exec 3<&-
/bin/echo "The fingerprints for ${KEYFILE} have been saved in ${FPFILE}."
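The script above only produces fingerprints.txt; to actually tie a login in /var/log/secure back to a key, that file has to be joined with the sshd log. The following is an added example, not code from the original post: it assumes the ssh-keygen -l output format ("bits fingerprint [comment] (TYPE)") and the "Found matching RSA key: <fingerprint>" line that sshd writes just before "Accepted publickey for ..." at LogLevel VERBOSE; all fingerprints and log lines below are constructed.

```shell
#!/bin/bash
# Added example, not from the original post: attribute accepted sshd logins to
# individual keys by joining fingerprints.txt (from getfingerprints.sh) with the
# "Found matching ... key" lines sshd emits at LogLevel VERBOSE. Sample data is constructed.

# Print one "user src_ip key_comment" line per accepted public-key login.
#   $1 = fingerprint file in ssh-keygen -l format ("bits fp [comment] (TYPE)")
#   $2 = sshd log (/var/log/secure) written with LogLevel VERBOSE
match_logins() {
    awk '
        NR == FNR {                      # pass 1: fingerprint -> key comment
            c = "no-comment"
            if (NF > 3) { c = $3; for (i = 4; i < NF; i++) c = c " " $i }
            owner[$2] = c
            next
        }
        /Found matching [A-Za-z0-9]+ key:/ { fp = $NF; next }   # remember the key used
        /Accepted publickey for/ {                            # report the login
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            print user, ip, ((fp in owner) ? owner[fp] : "UNKNOWN-KEY " fp)
            fp = ""
        }
    ' "$1" "$2"
}

# Constructed sample data standing in for fingerprints.txt and /var/log/secure.
FP_FILE=$(mktemp /tmp/fp.XXXXXX) || exit 1
LOG_FILE=$(mktemp /tmp/log.XXXXXX) || exit 1
trap 'rm -f "$FP_FILE" "$LOG_FILE"' 0
cat >"$FP_FILE" <<'EOF'
2048 3a:5c:11:27:b0:9e:4d:66:f1:08:2c:d5:7a:93:ee:41 alice@laptop (RSA)
1024 de:ad:be:ef:00:11:22:33:44:55:66:77:88:99:aa:bb (DSA)
EOF
cat >"$LOG_FILE" <<'EOF'
Aug 28 20:15:01 fw1 sshd[4120]: Found matching RSA key: 3a:5c:11:27:b0:9e:4d:66:f1:08:2c:d5:7a:93:ee:41
Aug 28 20:15:01 fw1 sshd[4120]: Accepted publickey for admin from 10.1.1.5 port 51022 ssh2
Aug 28 20:16:44 fw1 sshd[4177]: Found matching RSA key: 01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10
Aug 28 20:16:44 fw1 sshd[4177]: Accepted publickey for admin from 10.1.1.9 port 51100 ssh2
Aug 28 20:17:02 fw1 sshd[4190]: Failed password for admin from 10.1.1.9 port 51101 ssh2
EOF

match_logins "$FP_FILE" "$LOG_FILE"
```

A login whose fingerprint is not in the snapshot is reported as UNKNOWN-KEY, which is the case worth investigating: a key was accepted that is not in the authorized_keys file you fingerprinted.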

Convert a SecureCRT SSH public key for use with SecurePlatform.

This recipe converts the IETF (RFC 4716) multi-line key format to the single-line format used by OpenSSH on SecurePlatform.

  • Go into expert mode
  • create a new file on the firewall with vi. For example vi mypubkey.txt
  • Paste in the new key, save the file and exit.
  • type "ssh-keygen -i -f mypubkey.txt >> /home/admin/.ssh/authorized_keys"

Restrict a public key authentication to a single command

This recipe is useful if you want to restrict users to a particular operation such as shutdown or reboot.

  • Go into expert mode
  • edit /home/admin/.ssh/authorized_keys
  • Paste in the new key or modify the old key
  • At the beginning of the line containing the key insert command="/sbin/shutdown -h now" followed by a space, so that the option precedes the key type
  • Save and exit
  • Change the shell for admin using the command usermod -s /bin/bash -U admin
  • If you prefer to go into the cpshell when logging in interactively then execute the command "echo exec /bin/cpshell > /etc/profile.d/zchngshell.sh"

Increase OSPF adjacency memberships on SecurePlatform Pro – sk32568

  • Go into expert mode
  • vi /etc/rc.d/rc.local
  • add the line "echo 50 > /proc/sys/net/ipv4/igmp_max_memberships"
  • save and exit (:x)

Note that the knowledgebase article suggests adding the command to /etc/rc.d/init.d/cpboot. You could also add an entry directly to /etc/sysctl.conf: net.ipv4.igmp_max_memberships = 50

Identify network adapters on Secureplatform/Linux

This recipe helps you identify which physical NIC is mapped to an alias such as eth1 by making ethtool blink the port LED of each adapter in turn for 15 seconds. Adjust the time to suit yourself.

  • Go into expert mode
  • type the following command all on one line
  • for i in `egrep "eth[0-9]+" /etc/modules.conf | cut -f2 -d" "`; do echo $i;ethtool -p $i 15; done