Contents:
- About password hashes
- Change the administrative accounts R80
- Change the administrative accounts R81
- Restrict remote access
These steps are extracted from:
- Quantum Spark 1500, 1600 and 1800 Appliance Series R80.20.40 CLI Reference Guide
- CLI R81.10 Reference Guide
- Gaia R81.10 Administration Guide
Warning: After adding a new account for SSH access you should enable the authentication with public keys. See the CheckPoint SSH access with Public Key post.
Note: This document uses:
the_new_adminas the name of a new administrator.$1$xyz.....as a MD5 password hash$6$xyz.....as a SHA512 password hash
About password hashes
These are salted and hashed passwords. To check if they match between CheckPoint and a standard Linux distribution, using the salt
abc and the password abcd I’ve got the hash $1$abc$DxacYc10lOCxhylQ4UV6q0 with all these commands:
# from a Linux host
openssl passwd -salt abc -1 abcd
# from R80.20.40 Clish (Expert mode)
cryptpw --salt abc abcd
cryptpw --salt abc -m md5 abcd
cpopenssl passwd -salt abc -1 abcd
For R81 SHA512 salted hashes I’ve used:
# R81 Clish
cpopenssl passwd -6 -salt abcd your_password
# from a Linux host
openssl passwd -6 -salt abcd your_password
R80 password hashes
Generate a password hash with:
# form Clish
cryptpw -m md5 your_password
# or
cpopenssl passwd -1 your_password
# from a Linux host
openssl passwd -1 your_password
R81 password hashes
In R81 use:
# to see the configured hashing algorithm
show password-controls password-hash-type
# to change the hashing algorithm to SHA512
set password-controls password-hash-type SHA512
Generate a password hash with:
# form Clish
cpopenssl passwd -6 your_password
# from a Linux host
openssl passwd -6 your_password
Change the administrative accounts R80
Add a new administrator:
add administrator username the_new_admin permission read-write password-hash '$1$abc.....'
Test that you are able to connect with the new account.
If you want to login directly to expert mode, actually to switch to the Bash shell:
- login as the new user
- execute
expertcommand to go into expert mode - execute
bashUser oncommand
and your shell will be changed to /bin/bash.
bashUser off will restore the default shell to clish.
To change the password of the admin account and the password for expert mode use:
set administrator username admin permission read-write password-hash '$1$def.....'
set expert password-hash '$1$ghi.....'
Change the administrative accounts R81
Add a new administrator:
add user the_new_admin uid 0 homedir /home/the_new_admin
set user the_new_admin password-hash '$6$abc......'
add rba user the_new_admin roles adminRole
add rba user the_new_admin access-mechanisms CLI,Web-UI,Gaia-API
# (optional) set the shell to Bash
set user the_new_admin shell /bin/bash
Test that you are able to connect with the new account.
To change the password of the admin account and the password for expert mode use:
set user admin password-hash '$6$def......'
set expert-password-hash '$6$ghi......'
Test that you are able to connect with the admin account and that you can switch to expert mode.
Remember to save the configuration with:
save config
Restrict remote access
Restrict remote access R80
Restrict the administrative access to the gateway with:
# show the actual access rules based on IP address
show admin-access-ip-addresses
# add a new IPv4 address
add admin-access-ipv4-address single-ipv4-address 192.168.22.33
# add a new IPv4 network
add admin-access-ipv4-address network-ipv4-address 192.168.22.0 subnet-mask 255.255.255.0
# or
add admin-access-ipv4-address network-ipv4-address 192.168.22.0 mask-length 24
Restrict access R81
# show the actual allowed clients
show allowed-client all
# allow any host
add allowed-client host any-host
# add a new IPv4 address
add allowed-client host ipv4-address 192.168.22.33
# add a new IPv4 network
add allowed-client network ipv4-address 192.168.22.0 mask-length 24