CheckPoint VPN-1/UTM Edge automatic SSH login
Feb 15th, 2008 by Zedd
Quite a mouthful, but it is exactly what I’ve been trying to accomplish the past few weeks. Not an easy thing, or so it turned out.
Apart from the CheckPoint Management interface, an Edge has two interfaces accessible by normal human beings.
- HTTPS (port 981, mostly)
- SSH
When you are responsible for the management and monitoring of a large number of Edges, automation of the monitoring process becomes essential. In our company we have the obligation to log in every day and check that the loads aren’t too high, that the number of connections and connected computers is within limits, and so on. A tedious job, logging in to dozens of Edges!
SmartView Monitor proves to be quite lazy, not to mention totally useless for this purpose. The number of computers connected to the Edge should be checked because the license limits it, and the number of connections is a good indication of the load on the unit. Neither is displayed by SV Monitor. As far as I could see only one solution fits here: my own script.
Scripting means you have to log in to the Edge and find your way through that interface. Although HTTPS is fairly easy to catch in a script, even when you have to log in, that interface changes often between different versions. Of course we try to keep all units on the same version but new units tend to be delivered with the latest and greatest… HTTPS is out.
That leaves SSH. I’m not going into detail about how SSH actually works and how safe it is. Roughly there are two ways to authenticate: public key and password. Both can be split up into several different flavours, but it all depends on what the server supports. Looking at the ssh client logs, this isn’t much: just passwords.
Feeding a password to a script is pretty straightforward. Just pipe it in and all is well. A simple
echo "mypass" | script.sh
usually works. Not with SSH. SSH does all kinds of exciting things with terminals, emulations, pseudo-terminals and God knows what else. So as not to confuse you too much, the summary is: it's not this simple. Again, I will not bother you with the complete research, but the solution eventually was found in (fuck RTFM) the man page. When the following three conditions are met, and I mean all three, scripting becomes plausible:
- The script does NOT run in a terminal (ssh asks for the password on its controlling terminal whenever it can open one, so there must not be one);
- The variable SSH_ASKPASS contains the path and name of an executable that can cough up the password;
- The variable DISPLAY is set. To what is unimportant in this case.
The first you can accomplish by running the script via setsid (thanks Zlo). For the second, create a script that simply does "echo mypass" and put the name of that script in SSH_ASKPASS. The third is the easiest: "DISPLAY=ZeddRules; export DISPLAY" is sufficient. Quite possibly this is all not as clear as it is in my head, so let me blow away the smoke with some example scripts. Create an executable file "passspitter":
#!/bin/bash
# ssh runs this program and reads the password from its standard output
echo mypassword
Create another script, named “edge_login”:
#!/bin/bash
SSH_ASKPASS="/home/zedd/passspitter"
DISPLAY=ZeddRules
export SSH_ASKPASS DISPLAY
ssh admin@edge.foo.bar info device
That’s it. Now run the script with the command ‘setsid edge_login’ and watch how the device information runs over your screen.
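As an added example (not code from the original post), here is one wrapper that puts all three conditions in place and includes a probe that checks them from inside the detached session, so you can confirm the setup before pointing it at a real device. It keeps the password out of the script, in a separate mode 0600 file that the helper reads, which at least removes the password from the script text. The paths under $TMPDIR, the EDGE_PASS_FILE variable with its ~/.edge_pass default, and the presence of setsid(1) from util-linux are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post. It satisfies the three
# conditions from the post (no controlling terminal, SSH_ASKPASS pointing at
# a helper that prints the password, DISPLAY set to anything) and ships a
# probe that verifies them from inside the detached session.
# Assumptions (hypothetical): helper and probe live under $TMPDIR, the
# password is read from $EDGE_PASS_FILE (default ~/.edge_pass, mode 0600),
# and setsid(1) from util-linux is installed.
set -u

WORKDIR="${TMPDIR:-/tmp}/askpass-demo.$$"
mkdir -p "$WORKDIR" && chmod 700 "$WORKDIR"

# 1. The askpass helper ("passspitter" in the post). ssh runs it with the
#    prompt as its only argument and reads the password from its stdout.
#    Keeping the secret in a separate 0600 file means this script itself
#    carries no password.
cat >"$WORKDIR/passspitter" <<'EOF'
#!/bin/sh
cat "${EDGE_PASS_FILE:?EDGE_PASS_FILE not set}"
EOF
chmod 700 "$WORKDIR/passspitter"

# 2. A probe standing in for "ssh admin@edge.foo.bar info device". It
#    reports whichever of the three conditions is missing.
cat >"$WORKDIR/probe" <<'EOF'
#!/bin/sh
[ -n "${SSH_ASKPASS:-}" ] || { echo "SSH_ASKPASS unset"; exit 1; }
[ -n "${DISPLAY:-}" ]     || { echo "DISPLAY unset"; exit 1; }
# ssh prompts on /dev/tty whenever it can open it; only a process without a
# controlling terminal (which setsid gives us) is sent to SSH_ASKPASS.
( exec 3<>/dev/tty ) 2>/dev/null && { echo "still have a controlling tty"; exit 1; }
"$SSH_ASKPASS" >/dev/null || { echo "askpass helper failed"; exit 1; }
echo ok
EOF
chmod 700 "$WORKDIR/probe"

# run_detached CMD ARGS...: run CMD in a new session with the askpass
# environment set. setsid is the part that matters; redirecting stdin alone
# is not enough, because ssh opens /dev/tty directly instead of reading stdin.
run_detached() {
    env SSH_ASKPASS="$WORKDIR/passspitter" \
        DISPLAY=ZeddRules \
        EDGE_PASS_FILE="${EDGE_PASS_FILE:-${HOME:-.}/.edge_pass}" \
        setsid "$@" </dev/null
}

# askpass_conditions_ok: prints "ok" and returns 0 when the probe passes.
askpass_conditions_ok() {
    run_detached "$WORKDIR/probe"
}

# Real use, once the password file exists and the Edge's host key has been
# accepted manually once:
#   run_detached ssh admin@edge.foo.bar info device
```

Create the password file with `umask 077` before writing it so it never exists world-readable, then run `askpass_conditions_ok` once; if it prints anything other than `ok`, the message names the condition that is missing. On OpenSSH 8.4 and later, setting `SSH_ASKPASS_REQUIRE=force` makes ssh use the helper even when a terminal is available, which removes the need for setsid, but the 2008 appliance setup described here predates that option.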
Just some things to keep in mind:
- The first connection to the Edge should be made manually, so you can accept the Edge’s host key;
- This is not the most secure way to log in to devices! Remember: the password is there in plain sight, for everyone with the right rights…
- Edges are fragile and will break sooner rather than later. I’ve had to reboot my test Edge several times because the SSH server apparently died on me, probably due to the large number of sessions I fired at it. Keep it in mind nonetheless.
Good luck, and leave me a comment if you have anything useful to add!
[...] boxes, etc. by calling the Edge command line via scripts and SSH. I stumbled across a page here at – Z e d d – » Blog Archive » CheckPoint VPN-1/UTM Edge automatic SSH login where someone is claiming to have gotten this to work. Unfortunately I’m to the point where when I [...]
I’ve just posted another method here: http://www.cpug.org/forums/check-point-vpn-1-edge-appliances/8794-remote-scripting-via-ssh.html#post33732
I know posting late is kinda sad, but... Zedd, forget scripting that SSH stuff in bash and start thinking Perl.
Take a look at Net::SSH for instance, a nice wrapper around that whole SSH thing... perfect for automatic stat grabbing, I would say.