syordanov
Staff
Article Id 249038
Description

This article describes how to generate an SSH key pair on a Linux SSH client host and use it for public-private key authentication to the FortiGate unit.

Scope: FortiOS 6.4, 7.0.x, 7.2.x.
Solution

1) Generate the public-private key pair on the Linux host.


Before generating the SSH public-private key pair, note that the Linux username used to generate the key pair must also exist as an admin account on the FortiGate (see step 2).

On the Linux host, use the 'ssh-keygen' command as follows:


admin_ro@LinuxPC:~ $ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/admin_ro/.ssh/id_rsa):
Created directory '/home/admin_ro/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/admin_ro/.ssh/id_rsa.
Your public key has been saved in /home/admin_ro/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:CI0hLqFLNVDl8aVlHNud7tlUeVV6vjduqltZ20r+9Po admin_ro@LinuxPC
The key's randomart image is:
+---[RSA 2048]----+
|..++oo .=. +|
|.o..o+o =.o . ..o|
|o.. o..o . . o..+|
|.o . . . oo|
|. . S . o.|
| . * +|
| =.=+|
| .o.++|
| oo.*=E|
+----[SHA256]-----+

 

The key pair is stored under /home/admin_ro/.ssh/: 'id_rsa' is the private key and 'id_rsa.pub' is the public key.


The public key needs to be imported into FortiGate; the private key must stay on the Linux host.

 

Keep in mind that the private key is kept on the client's machine and should never be shared with anyone.

The public key is copied to the remote server and can be freely shared.

 

admin_ro@LinuxPC:~ $ cd /home/admin_ro/.
admin_ro@LinuxPC:~ $ cd /home/admin_ro/.ssh/
admin_ro@LinuxPC:~/.ssh $ ls -lh
total 8.0K
-rw------- 1 admin_ro admin_ro 1.8K Mar 13 10:21 id_rsa <- private key
-rw-r--r-- 1 admin_ro admin_ro 402 Mar 13 10:21 id_rsa.pub <- public key

 

2) Add the public key to the FortiGate:

 

Log in with the super-admin account and create a new admin account whose username is the same as the Linux username used to generate the SSH key pair.

 

In this case, the username is 'admin_ro'.

 

# config system admin
    edit "admin_ro"
        set accprofile "super_admin_readonly"
        set vdom "root"
        set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc.....0ialO9MROH"
    next
end

 

In the example above the account profile 'super_admin_readonly' is used, but any other admin profile can be used.


set ssh-public-key1 "<key-type> <key-value>" takes two parameters: the first is the key type and the second is the public key value generated on the Linux host.

 

It is possible to use 'cat' on 'id_rsa.pub' to read and copy the public key value.

 

3) Log in to FortiGate via SSH without a username/password prompt, using only the generated public-private key pair:


admin_ro@LinuxPC:~$ ssh 192.168.1.99
FW_prod $ c global
FW_prod (global) $
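As an added example that is not part of the original article, the following POSIX shell script builds the step 2 'config system admin' block from the id_rsa.pub file produced in step 1, splitting the line into the <key-type> and <key-value> fields that 'set ssh-public-key1' expects, and checks that the private key is readable only by its owner as the 'ls -lh' listing shows. The admin username, profile and the sample key value are placeholders, not values from the article.

```shell
#!/bin/sh
# Added example, not from the original article: turn an OpenSSH public
# key file into the 'config system admin' block from step 2, splitting
# the line into the <key-type> and <key-value> that 'set ssh-public-key1'
# expects, and check the private key's file mode.

# Print the FortiGate CLI block for $1 (admin username, which must match
# the Linux username), $2 (path to the .pub file) and $3 (admin profile).
fgt_admin_block() {
    user="$1"; pubfile="$2"; profile="${3:-super_admin_readonly}"
    # An OpenSSH public key line is "<key-type> <base64-value> [comment]".
    # FortiGate takes only the first two fields; the comment is dropped.
    read -r key_type key_value comment < "$pubfile"
    # Every OpenSSH public key blob starts with the 4-byte length of the
    # key-type string, so its base64 always begins with "AAAA".
    case "$key_type:$key_value" in
        ssh-*:AAAA*|ecdsa-*:AAAA*) ;;
        *) echo "not an OpenSSH public key line: $pubfile" >&2; return 1 ;;
    esac
    printf 'config system admin\n'
    printf '    edit "%s"\n' "$user"
    printf '        set accprofile "%s"\n' "$profile"
    printf '        set vdom "root"\n'
    printf '        set ssh-public-key1 "%s %s"\n' "$key_type" "$key_value"
    printf '    next\nend\n'
}

# Return 0 if the private key $1 is readable only by its owner
# (mode 0600 or 0400), as the 'ls -lh' listing in step 1 shows.
private_key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on a constructed key pair (placeholder key value, not a real key).
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1ycEXAMPLE_PLACEHOLDER admin_ro@LinuxPC\n' > "$demo_dir/id_rsa.pub"
: > "$demo_dir/id_rsa" && chmod 600 "$demo_dir/id_rsa"
fgt_admin_block admin_ro "$demo_dir/id_rsa.pub" super_admin_readonly
private_key_mode_ok "$demo_dir/id_rsa" && echo "id_rsa mode OK" || echo "id_rsa is too permissive" >&2
rm -rf "$demo_dir"
```

The printed block can be pasted into the FortiGate CLI as in step 2; a .pub file whose first line is not a key type followed by a base64 value is rejected instead of producing a broken 'set ssh-public-key1' line.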

 

Related Article:

How to authenticate an admin user to FortiGate via CLI using SSH keys