Technical Tip: How to authenticate an admin user to FortiAnalyzer or FortiManager through the CLI using only SSH keys
Description
In FortiManager and FortiAnalyzer, up to three administrators connected to the CLI can be authenticated with public-private key pairs without being asked for the administrator password. The public-private key pair must be created in the SSH client application. This article explains how to generate the key pair using PuTTY.
Scope
FortiManager and FortiAnalyzer, version 4 or later.
Solution
Follow the steps used to authenticate an admin user with an SSH key in FortiGate, but select the SSH-1 (RSA), SSH-2 RSA, or SSH-2 DSA format when creating the key.
Complete the CLI configuration steps in FortiManager or FortiAnalyzer under the following:
config sys admin user
    edit <Username>
        set ssh-public-key1 "...."
    next
end
Do so with a key in one of the three formats mentioned above instead of in the ssh-rsa, ssh-dss, or ssh-ed25519 formats.
The SSH key-based user has no expiration time.
The password policy does not cause an administrator's SSH key to expire.
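Because these keys do not expire, a periodic inventory of which administrators have one configured is a useful check. The following is an added example, not part of the original article or Fortinet tooling: it parses a saved configuration in the layout of the CLI block above and lists each admin with a key set. The sample configuration, admin names and key strings are constructed, and it assumes further key slots follow the ssh-public-key1 naming.

```python
import re

# Constructed sample; names and key material are placeholders, not real output.
SAMPLE_CONFIG = '''\
config system admin user
    edit "admin"
    next
    edit "backup-svc"
        set ssh-public-key1 "ssh-rsa AAAAexamplekey1 backup@host"
        set ssh-public-key2 "ssh-rsa AAAAexamplekey2 old-laptop"
    next
    edit "noc-oper"
        set ssh-public-key1 "ssh-rsa AAAAexamplekey3 noc@jump"
    next
end
config system global
    set hostname "FMG-LAB"
end
'''

HEADER = re.compile(r"^config sys(?:tem)? admin user$")
EDIT = re.compile(r'^edit "?([^"]+)"?$')
KEY = re.compile(r'^set (ssh-public-key\d+) "(.*)"$')  # slot naming is an assumption


def admins_with_ssh_keys(config_text):
    """Return {admin: {slot: key}} for admins that have a key configured."""
    found, in_section, depth, admin = {}, False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = bool(HEADER.match(line))
            continue
        if line.startswith("config "):      # nested table inside an admin entry
            depth += 1
        elif line == "end":
            if depth == 0:
                in_section = False          # end of the admin user table
            else:
                depth -= 1
        elif depth == 0 and (m := EDIT.match(line)):
            admin = m.group(1)
        elif depth == 0 and line == "next":
            admin = None
        elif depth == 0 and admin and (m := KEY.match(line)):
            if m.group(2):                  # skip empty "" values
                found.setdefault(admin, {})[m.group(1)] = m.group(2)
    return found
```

Comparing the returned mapping against the list of approved key holders shows accounts whose keys should be removed.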
Related article:
How to generate ssh keys on Linux host and use it for public-private key authentication to FortiGate
