Troubleshoot Tip: SSH Key fails login to FortiGate
| Description | This article describes the case where a FortiNAC SSH key login to a FortiGate fails. As a result, the FortiGate generates an error message after the initial failed attempt:
date=2024-11-12 time=17:58:11 devid="FG6H1ETB20902023" devname="FW1" eventtime=1731455892002430126 tz="-0600" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="ssh(192.168.100.1)" method="ssh" srcip=192.168.100.1 dstip=192.168.27.251 action="login" status="failed" reason="ssh_key_invalid" msg="Administrator admin login failed from ssh(192.168.100.1) because of invalid ssh key" |
| Scope | FortiNAC v7.6.3 or earlier. |
| Solution | By default, if there is an SSH key pair configured for the server (/bsc/.ssh/id_ed25519, /bsc/.ssh/id_rsa, /bsc/.ssh/id_dsa), an SSH session to a device will first attempt to log in using the SSH public key and fall back to the CLI password if that fails.
As a result, the FortiGate records this first, failed public-key attempt.
To disable public key authentication for a device, run the following from the FortiNAC shell:
`device -ip <IP> -setAttr -name SSH_PUBLICKEY_AUTH_ENABLED -value false`
Example (enter the shell from the FortiNAC CLI first):
`execute enter-shell`
Fix: Upgrade to v7.2.9, v7.4.1, or v7.6.3. |
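The log line quoted in the Description carries everything a SOC needs to tell the expected FortiNAC key-then-password fallback from a genuine failed admin login. The following Python is an added example for this article, not FortiNAC or FortiGate code: it parses FortiGate key=value event lines and labels an `ssh_key_invalid` failure from a known FortiNAC address that is followed within 30 seconds by a successful login from the same source and user as the expected fallback, and flags every other failure. The FortiNAC address set, the 30-second window, and all sample log lines other than the article's own are constructed assumptions.

```python
"""Separate FortiNAC's expected SSH-key fallback from real failed logins.

Added example for this article, not FortiNAC or FortiGate code. The
FORTINAC_IPS set, FALLBACK_WINDOW and every sample line except the first
(which is the article's own) are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# FortiGate logs are key=value pairs; quoted values may contain spaces.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumption: the FortiNAC server(s) that manage FortiGates over SSH.
FORTINAC_IPS = {"192.168.100.1"}

# A password login from the same source/user within this window after a
# key rejection is treated as the fallback the article describes.
FALLBACK_WINDOW = timedelta(seconds=30)

# Constructed sample. Line 1 is the article's log line; lines 2-4 are made up.
SAMPLE_LOGS = [
    'date=2024-11-12 time=17:58:11 devid="FG6H1ETB20902023" devname="FW1" '
    'eventtime=1731455892002430126 tz="-0600" logid="0100032002" type="event" '
    'subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" '
    'user="admin" ui="ssh(192.168.100.1)" method="ssh" srcip=192.168.100.1 '
    'dstip=192.168.27.251 action="login" status="failed" reason="ssh_key_invalid" '
    'msg="Administrator admin login failed from ssh(192.168.100.1) because of invalid ssh key"',
    # constructed: the password fallback one second later succeeds
    'date=2024-11-12 time=17:58:12 devname="FW1" type="event" subtype="system" '
    'level="information" vd="root" user="admin" ui="ssh(192.168.100.1)" method="ssh" '
    'srcip=192.168.100.1 dstip=192.168.27.251 action="login" status="success" '
    'msg="constructed successful login"',
    # constructed: key rejected for a source that is not a FortiNAC server
    'date=2024-11-12 time=17:58:40 devname="FW1" type="event" subtype="system" '
    'level="alert" vd="root" user="admin" ui="ssh(10.20.30.40)" method="ssh" '
    'srcip=10.20.30.40 dstip=192.168.27.251 action="login" status="failed" '
    'reason="ssh_key_invalid" msg="constructed failed login"',
    # constructed: FortiNAC key rejected with no password success afterwards
    'date=2024-11-12 time=18:10:05 devname="FW1" type="event" subtype="system" '
    'level="alert" vd="root" user="admin" ui="ssh(192.168.100.1)" method="ssh" '
    'srcip=192.168.100.1 dstip=192.168.27.251 action="login" status="failed" '
    'reason="ssh_key_invalid" msg="constructed failed login"',
]


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict (quotes stripped)."""
    rec = {}
    for key, val in _KV_RE.findall(line):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        rec[key] = val
    return rec


def event_time(rec):
    """Combine the date and time fields into a datetime (device-local)."""
    return datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")


def classify(lines, fortinac_ips=FORTINAC_IPS, window=FALLBACK_WINDOW):
    """Label each event; returns a list of (record, label).

    fallback_ok   key rejected for a FortiNAC source, then a successful login
                  from the same source and user within `window`
    fallback_open key rejected for a FortiNAC source, no success seen after it
    login_failed  any other failed admin login (worth investigating)
    login_ok      successful admin login
    other         not an admin login event
    """
    recs = [parse_fortigate_log(line) for line in lines]
    labelled = []
    for i, rec in enumerate(recs):
        if rec.get("action") != "login":
            labelled.append((rec, "other"))
            continue
        if rec.get("status") == "success":
            labelled.append((rec, "login_ok"))
            continue
        src = rec.get("srcip")
        if rec.get("reason") == "ssh_key_invalid" and src in fortinac_ips:
            t0 = event_time(rec)
            followed = any(
                r.get("action") == "login" and r.get("status") == "success"
                and r.get("srcip") == src and r.get("user") == rec.get("user")
                and timedelta(0) <= event_time(r) - t0 <= window
                for r in recs[i + 1:]
            )
            labelled.append((rec, "fallback_ok" if followed else "fallback_open"))
        else:
            labelled.append((rec, "login_failed"))
    return labelled


def summarize(lines, **kwargs):
    """Count events per label, e.g. for a dashboard or alert threshold."""
    counts = {}
    for _, label in classify(lines, **kwargs):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for rec, label in classify(SAMPLE_LOGS):
        print(f'{rec["time"]} {rec["srcip"]:<15} {label}')
```

Only `fallback_ok` events are the benign noise this article explains; `fallback_open` and `login_failed` events still deserve a look, and once SSH_PUBLICKEY_AUTH_ENABLED is set to false (or the server is upgraded) the `fallback_ok` count should drop to zero.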
