Using WinSCP with SecurePlatform

Here we'll show you how to configure SecurePlatform to allow WinSCP (and other SCP clients) to connect successfully for the purpose of uploading and downloading files.


Solution

You can see in 'The Error' screen shot that if you try to connect to SecurePlatform via SCP as the admin user it will fail with a an error. This is because the default shell for the user admin is cpshell, Check Points restricted shell and SCP requires the bash shell to work properly. 

To remedy the problem, we log on and use the 'adduser' command to add a user specifically for SCP access to the device (see Adding an SCP Account). Once added, we go into expert mode and edit the passwd file (vi /etc/passwd) and on the line which stars 'scpuser' we replace 'cpshell' with 'bash' (see Changing the Users Shell). 


We now test! This time we log in as 'scpuser' (see Tesing). Lo and behold! It works! (see Sucess).


Warning: Security Implication

This solution is by no means perfect, as the scpuser can now log into the console or via ssh as root. For all intents and purposes scpuser IS root. As such the scpuser account is more privileged than the admin account requiring no expert most password to reach a root prompt (See Danger!). 

A stronger configuration should be explored. I would suggest either creating scpuser as a radius user and using a OTP token and server, or enabling/disabling the scp user account before and after use. 

Also you could explore creating a non-root user on SecurePlatform and enabling SCP support for that user only, and then harden up that account to prevent the use of the CLI. However, that's a great deal or work, to test, prove, and ensure it was secure and is beyond the scope of this article.

As a final alternative, you might consider using 'scponly' which, as you would expect, is a shell that allows only scp and no command execution.

Do keep in mind, though, that the more changes you make to SecurePlatform, the less supportable it might be. At this point the usefulness of Redhat Enterprise Linux and Solaris as an operating system for Check Point gateways becomes much more apparent. 


Warning: Technical Support Implication

It's it not confirmed whether or not Check Point would support these modifications





Please feel welcome to leave comments