Arunkumar1
New Member
November 14, 2022
Question

Disable SSH Password Authentication in Azure Fortigate VM


Hi Team,


We have been asked to disable SSH password authentication in a FortiGate VM deployed in Azure, as we do in normal Linux VMs:


  1. Edit /etc/ssh/sshd_config (with sudo) and update the value of "PasswordAuthentication" to "no".
  2. Restart the SSH service on the VM


Could you please confirm whether this is possible in a FortiGate VM? Is there any way to keep only SSH key-based authentication for admin users and disable password authentication?

3 replies

Yurisk
SuperUser
November 14, 2022

Hi, this is possible, but make sure you can connect with your SSH public key before configuring it, so as not to lock yourself out.


    # config sys global
    (global) # set admin-ssh-password disable
    (global) # end


A few notes:


  • It disables SSH password-based access to ALL admin accounts, not only a specific one.
  • An admin trying to authenticate with a password will get the error "Permission denied (publickey)".
  • This does not affect console access (just in case).
  • You don't have access to sshd_config on the FortiGate.
  • I did not test it specifically with Azure FW, but it works on physical + usual VM FGT, so should work on Azure as well.
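The full sequence the answer above describes, written out as an added example (not from the original post or from Fortinet's documentation): install the public key on the admin account first, prove key-only login works from the client, and only then turn off SSH password authentication. The `#`-prefixed lines are annotations for the reader, not CLI input; the admin name `admin`, the key string and the management IP are placeholders. The `ssh-public-key1` setting (FortiOS allows `ssh-public-key1` to `ssh-public-key3` per admin) is assumed to be available on the running FortiOS version.

```fortios
# Step 1: install the client's public key on the admin account
# (placeholder key; paste the full "ssh-rsa ..." or "ssh-ed25519 ..." line).
config system admin
    edit "admin"
        set ssh-public-key1 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY admin@workstation"
    next
end

# Step 2: from the CLIENT (not the FortiGate), prove that key-only login works.
# BatchMode=yes makes ssh fail instead of falling back to a password prompt:
#   ssh -o BatchMode=yes -o PasswordAuthentication=no admin@192.0.2.1 "get system status"
# Do not continue unless this prints the status output.

# Step 3: disable SSH password authentication for ALL admin accounts.
config system global
    set admin-ssh-password disable
end

# Step 4: verify from the client that a password attempt is now refused.
# Expected result: "Permission denied (publickey)".
#   ssh -o PubkeyAuthentication=no admin@192.0.2.1

# Rollback, if needed, from the GUI CLI console (unaffected by this setting)
# or from the serial console:
#   config system global
#       set admin-ssh-password enable
#   end
```

The ordering is the whole point: step 3 is global, so a typo in the key or a missing `ssh-public-key1` on one account locks out every admin's SSH access at once, and only the GUI console or serial console gets you back in.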
Arunkumar1
New Member
November 15, 2022

Thanks Yurisk for the update. We are also trying to confirm whether it is recommended for FortiGate/FortiAnalyzer VMs to have only public key authentication and completely disable password authentication. Is that something you can help with? How can we recover SSH access to the VM if we have any issue with key authentication in future?

Yurisk
SuperUser
November 15, 2022

Recover: as long as you have access to the web GUI of the FortiGate, you can undo this command in the Console web applet.

Recommended: not that I can recall any Fortinet docs recommending disabling password access on SSH. Personally, I don't think it is a first line of defense: it prevents brute forcing the password, but if you have an admin interface open to brute force attempts, the situation is already bad. I'd say limiting access by trusthost/local-in policy, enabling MFA like FortiToken for the admin account(s), setting auto-alerts on successful/failed attempts on the admin interface, and moving the admin interface to a network separate from regular data traffic will do much more to secure admin access than switching from password-based to key-based authentication. Of course YMMV, so your context matters as opposed to general recommendations.


HTH
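The layered controls the reply above prefers over key-only SSH, as an added configuration example (not from the original post or from Fortinet's documentation): a trusted-host restriction and FortiToken MFA on the admin account, a local-in policy that accepts management protocols only from a management subnet, and a dedicated admin interface. The `#`-prefixed lines are annotations, not CLI input. The interface names `port1`/`port2`, the subnet 192.0.2.0/24 and the FortiToken serial are placeholders, and the FortiToken must already be registered on the unit. Alerting on admin logins is not shown.

```fortios
# Admin account: only reachable from the management subnet, and password
# (or key) alone is not enough - a FortiToken code is required as well.
config system admin
    edit "admin"
        set trusthost1 192.0.2.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
    next
end

# Address object for the management hosts, used by the local-in policy below.
config firewall address
    edit "mgmt-hosts"
        set subnet 192.0.2.0 255.255.255.0
    next
end

# Local-in policy: traffic TO the FortiGate itself. Accept SSH/HTTPS only from
# mgmt-hosts on the admin interface; deny the same services from anywhere else.
# Policies are evaluated top-down, so the accept rule must come first.
config firewall local-in-policy
    edit 1
        set intf "port2"
        set srcaddr "mgmt-hosts"
        set dstaddr "all"
        set action accept
        set service "SSH" "HTTPS"
        set schedule "always"
    next
    edit 2
        set intf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set service "SSH" "HTTPS"
        set schedule "always"
    next
end

# Dedicated admin interface: management protocols enabled on port2 only,
# and removed from the data-plane interface port1.
config system interface
    edit "port2"
        set allowaccess ping https ssh
    next
    edit "port1"
        set allowaccess ping
    next
end

# Slow down what brute forcing remains and shorten idle admin sessions.
config system global
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
    set admintimeout 10
end
```

Apply the `trusthost1` line and the local-in policy from a host that is inside 192.0.2.0/24, or from the GUI console, for the same lock-out reason as with `admin-ssh-password`: once either is active, an admin connecting from outside the subnet is simply dropped, with no error to debug.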