Yuri Slobodyanyuk Blog on Information Security 2024年09月12日
Change password for console expert user Checkpoint Splat

Update 2022: Checkpoint has disabled changing the Expert password with passwd altogether. Whatever you enter, the command fails with "bad credentials" and "Authentication token manipulation error". The Expert password can now only be changed in Gaia, either in clish or in the WebUI; the procedure below is from the SecurePlatform (SPLAT) days.

As seen many times, Checkpoint has its own way of doing otherwise simple and straightforward tasks. Changing the password of a shell account is another example. By default, when installed, SPLAT creates two console/OS users, admin and root. You can't log in remotely (i.e. by ssh) as root because /etc/ssh/sshd_config contains this:

DenyUsers root shutdown halt nobody ntp pcap rpm
AllowGroups root

So, basically, you are left with the admin user for all command-line tasks (Expert mode), which is a weakness in itself: everybody shares one root-equivalent account, so there is no per-person accountability. Even worse, when you try to change this user's password with the passwd command, Checkpoint doesn't let you. It happily reports that the password has been changed successfully, and ... you can still log in only with the old password. The reason is here:

[Expert@cp]# which passwd
alias passwd='/bin/expert_passwd'
        /bin/expert_passwd
[Expert@cp]#

This way SPLAT tricks you into running a dummy 'passwd' of its own that is only good for the CP shell environment, not for the OS account. So to really change the password of the Expert user you have two options:
1. Through the web device management GUI (not covered here)
2. Use the native passwd binary, see below

[Expert@cp]# /usr/bin/passwd rambo
Changing password for user rambo.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[Expert@cp]#

Here:
/usr/bin/passwd - the native Linux passwd utility, called by full path so the shell alias is not used
rambo - Expert user I added to the system, after which I blocked remote login for user admin (or type admin for the default user).

Adding an Expert user.
To add another user with uid 0 (a second root-equivalent account, so treat it with the same care as root), use the -o switch, which allows a duplicate UID:

[Expert@cp]# useradd -u 0 -g 0 -o -s /bin/bash rambo
Then change the password as above and edit /etc/ssh/sshd_config to allow rambo to log in and block admin. Because rambo was created with -g 0 he is already in group root, so the AllowGroups line admits him as it is; only admin has to be added to DenyUsers:

DenyUsers root shutdown halt nobody ntp pcap rpm admin
AllowGroups root
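The sshd_config edit above is easy to get wrong by hand (a duplicated name is harmless, a typo in the line can lock you out of ssh). The following script is an added example, not code from the original post or from Check Point: it edits a SPLAT-style sshd_config idempotently and checks the result. It assumes the one-line "DenyUsers ..." / "AllowGroups root" layout quoted on the page, and the sample config is constructed here for the demo.

```sh
#!/bin/sh
# Added example (not from the original post or from Check Point):
# edit a SPLAT-style /etc/ssh/sshd_config so the new UID-0 Expert user can
# log in over ssh while 'admin' is denied, and verify the result.
# Assumes the one-line "DenyUsers ..." / "AllowGroups root" layout quoted
# on the page. Run it against a copy first, never the live file blind.

# Constructed sample of the two relevant lines on a fresh SPLAT install.
SAMPLE_CONFIG='DenyUsers root shutdown halt nobody ntp pcap rpm
AllowGroups root'

# is_denied FILE USER: exit 0 if USER appears on the DenyUsers line.
is_denied() {
  awk -v u="$2" '
    /^DenyUsers[ \t]/ { for (i = 2; i <= NF; i++) if ($i == u) hit = 1 }
    END { if (hit) exit 0; exit 1 }
  ' "$1"
}

# deny_user FILE USER: append USER to the DenyUsers line, exactly once.
deny_user() {
  is_denied "$1" "$2" && return 0
  tmp="$1.tmp.$$"
  awk -v u="$2" '/^DenyUsers[ \t]/ { $0 = $0 " " u } { print }' "$1" > "$tmp" \
    && mv "$tmp" "$1"
}

# allow_user FILE USER: remove USER from the DenyUsers line, if present.
# A UID-0 user created with 'useradd -g 0' is already in group root, so
# 'AllowGroups root' admits it; only the DenyUsers line needs attention.
allow_user() {
  tmp="$1.tmp.$$"
  awk -v u="$2" '
    /^DenyUsers[ \t]/ {
      out = $1
      for (i = 2; i <= NF; i++) if ($i != u) out = out " " $i
      $0 = out
    }
    { print }
  ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# deny_line FILE: print the DenyUsers line for inspection.
deny_line() {
  grep '^DenyUsers' "$1"
}

# Demo on a temporary copy: block admin, keep rambo (never denied).
demo() {
  f=$(mktemp) || return 1
  printf '%s\n' "$SAMPLE_CONFIG" > "$f"
  deny_user "$f" admin
  deny_user "$f" admin      # second call is a no-op
  allow_user "$f" rambo     # no-op, rambo was never on the line
  deny_line "$f"            # prints: DenyUsers root shutdown halt nobody ntp pcap rpm admin
  rm -f "$f"
}

demo
```

On the real box, point the functions at /etc/ssh/sshd_config, restart or reload sshd afterwards, and test the new login from a second session before closing the one you are in. For the password step itself, any way of bypassing the alias works: the full path /usr/bin/passwd as in the post, or `\passwd rambo` / `command passwd rambo`, since alias expansion only applies to the first word of a command line.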

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.

Tags: Checkpoint, password change, Splat, Expert user