gmanea
Staff
Article Id 190221

Description

FortiGate can use a public-private key pair to authenticate up to three administrators who connect to the CLI using an SSH client.

This article describes how to configure a Windows SSH Secure Shell client and a FortiGate unit for public-private key authentication.


Scope


Any supported version of FortiGate.


Solution

1. Generating the key.

There are multiple options to generate a public-private key pair.
In this article, a common tool that comes with PuTTY will be used. If the key has already been generated, skip to the next step.

Launch puttygen.exe.
For the type of key to generate, select RSA, DSA, or Ed25519. For some types, the key length can be changed (the default of 2048 bits is generally suitable).
Select Generate and move the mouse over the blank area to generate randomness for the key:


Once the key is generated, optionally enter a password (the 'Key passphrase' field) before saving it.
This prevents the private key from being imported (and used) elsewhere without this password.
The public key is used on the FortiGate and the private key is used on the local machine.

Select 'Save private key' to name and save the private key file to use on the PC.
Select 'Save public key' to name and save the public key file to access later.
Edit the public key file with Notepad and delete the following three lines (the first two at the top of the file, the last one at the bottom):

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "……"
---- END SSH2 PUBLIC KEY ----

After deleting these lines, only the key remains, formatted over multiple lines.
The key must be on a single line to be used in FortiGate.
Use the Backspace/Delete keys to remove the line break at the end of each line until the key is one continuous string.

2. Add the key to the admin profile through the FortiGate command line.

Connect to the FortiGate with the super-admin account and run the following commands to assign the SSH key to an administrator:

config system admin
edit admin
set ssh-public-key1 "<key-type> <key-value>"
end

Replace 'admin' with the administrator the key should be assigned to.
<key-type> must be one of the values suggested by FortiGate, matching the key type chosen in PuTTYgen: ssh-rsa, ssh-dss, ssh-ed25519.
<key-value> is the one-line public key copied from Notepad.

There are a few things to consider while pasting the key into the CLI:
  1. Make sure the key is on one line only. Copying the key usually results in multiple lines.
  2. Put double quotation marks ("") at the beginning and at the end of the key, and paste the key content between them, so the CLI treats the whole key as a single argument.
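The manual Notepad work in step 1 (deleting the three lines and joining the key into one line) and the checks in step 2 (correct key-type prefix, key on a single line, quoted argument) can also be done with a short script. The following Python example is added here and is not part of Fortinet's documentation or tooling. It builds a constructed RFC 4716 public key file (the format PuTTYgen's 'Save public key' writes) from made-up Ed25519 key bytes, strips the BEGIN/END markers and the Comment header, joins the base64 body into one line, reads the key type out of the key blob itself so the prefix typed into FortiGate matches the key, and prints the config system admin block from the article. The accepted key types are the three the article lists; the function names and the sample key are the example's own.

```python
import base64
import struct
import textwrap

# Key types the article lists as accepted for ssh-public-key1 on FortiGate.
FORTIGATE_KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519")


def build_rfc4716_sample(key_type: str, raw_key: bytes, comment: str) -> str:
    """Constructed sample of a PuTTYgen 'Save public key' file (RFC 4716 format).

    The base64 body is the SSH wire encoding of the key: a length-prefixed
    key-type string followed by the key-specific fields (for Ed25519, a single
    32-byte field). The key bytes passed in are made up, not a real key.
    """
    blob = struct.pack(">I", len(key_type)) + key_type.encode("ascii")
    blob += struct.pack(">I", len(raw_key)) + raw_key
    body = base64.b64encode(blob).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----", f'Comment: "{comment}"']
    lines += textwrap.wrap(body, 64)       # PuTTYgen wraps the base64 over several lines
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\r\n".join(lines) + "\r\n"     # CRLF line endings, as Notepad shows them


def rfc4716_to_one_line(text: str) -> str:
    """Automate 'delete the three lines' and 'join into one line'.

    Drops the BEGIN/END markers and every 'Name: value' header (a header may
    continue on the next line when it ends with a backslash), then joins the
    remaining base64 lines with no line break between them.
    """
    parts = []
    continuing = False
    for raw in text.splitlines():
        line = raw.strip()
        if continuing:                     # remainder of a multi-line header
            continuing = line.endswith("\\")
            continue
        if not line or line.startswith("----"):
            continue
        if ":" in line:                    # ':' never occurs in base64, so this is a header
            continuing = line.endswith("\\")
            continue
        parts.append(line)
    return "".join(parts)


def key_type_from_blob(b64_key: str) -> str:
    """Read the key type embedded in the blob (its first length-prefixed string)."""
    blob = base64.b64decode(b64_key, validate=True)   # fails loudly on stray characters
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def fortigate_ssh_key_commands(text: str, admin: str = "admin") -> str:
    """Build the CLI block from the article; the prefix comes from the blob,
    so it cannot disagree with the key that was actually generated."""
    b64_key = rfc4716_to_one_line(text)
    key_type = key_type_from_blob(b64_key)
    if key_type not in FORTIGATE_KEY_TYPES:
        raise ValueError(f"{key_type!r} is not one of {FORTIGATE_KEY_TYPES}")
    return "\n".join([
        "config system admin",
        f"edit {admin}",
        f'set ssh-public-key1 "{key_type} {b64_key}"',   # quotes keep the key as one argument
        "end",
    ])


if __name__ == "__main__":
    sample = build_rfc4716_sample("ssh-ed25519", bytes(range(32)), "ed25519-key-example")
    print(sample)
    print(fortigate_ssh_key_commands(sample))
```

Running the script prints the constructed public key file as Notepad would show it, followed by the ready-to-paste CLI block. Reading the key type from the blob rather than from the user is the useful check here: a key generated as Ed25519 but entered with an ssh-rsa prefix would be rejected at login time, not at configuration time.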

3. Add the key to known keys on the PC.

There are multiple ways to do this. This article focuses on PuTTY, so another utility that comes with the program will be used: pageant.exe.

Start pageant.exe and import the key from the file that was saved in step 1 with 'Save private key'. The file has a .ppk extension.

This program minimizes to the system tray to keep the keys available.

Once imported, it will be possible to connect to the FortiGate without typing the admin password.
The username (admin) can be changed in PuTTY under Connection -> Data -> Auto-login username.
