FortiGate
kumarh
Staff
Article Id 252976
Description: This article describes how to disable SSH password authentication for administrative access.
Scope: FortiGate.
Solution

Once public key SSH access (a key file) has been set up for the admin account, SSH password authentication can be disabled so that the authentication mechanism SSH uses is limited to key files only, not passwords.

Note:

Make sure to be connected with the SSH public key before disabling SSH password authentication.

 

Before the change, SSH works with both the public key and password methods. This can be verified with a verbose SSH connection:

ssh -v username@FortigateIPaddress

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey, password

Run the following commands:

# config sys global
(global) # set admin-ssh-password disable
(global) # end

After the change, the same verbose SSH connection shows that only the public key method is offered:

debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
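The two 'Authentications that can continue' lines above are the check that confirms the setting took effect. The following is an added example (not part of this article or FortiOS) that parses saved 'ssh -v' output for that line and, separately, reads the admin-ssh-password value from a config dump; the sample outputs and the shape of the config excerpt are constructed for illustration.

```python
import re

# Constructed sample of `ssh -v` output before the change (not captured from a real device).
SSH_DEBUG_BEFORE = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey, password
debug1: Next authentication method: publickey
"""

# Constructed sample of `ssh -v` output after `set admin-ssh-password disable`.
SSH_DEBUG_AFTER = """\
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
"""

# Constructed excerpt in the shape of a `show system global` dump (assumed layout, not a real capture).
CONFIG_AFTER = """\
config system global
    set admin-ssh-password disable
end
"""

_AUTH_LINE = re.compile(r"Authentications that can continue:\s*(?P<methods>[\w,\s-]+)")


def offered_auth_methods(ssh_debug_output):
    """Return the set of methods the server offered, taken from the first
    'Authentications that can continue' line of `ssh -v` output.
    Both 'publickey,password' and 'publickey, password' spellings are handled."""
    for line in ssh_debug_output.splitlines():
        m = _AUTH_LINE.search(line)
        if m:
            return {x.strip() for x in m.group("methods").split(",") if x.strip()}
    return set()  # no such line: the connection never reached the auth stage


def password_auth_offered(ssh_debug_output):
    """True if the server still advertises the password method."""
    return "password" in offered_auth_methods(ssh_debug_output)


def admin_ssh_password_setting(config_text):
    """Return 'enable' or 'disable' from the config dump, or None if the line
    is absent (the setting then keeps its default, so treat None as enabled)."""
    m = re.search(r"^\s*set admin-ssh-password (enable|disable)\s*$", config_text, re.M)
    return m.group(1) if m else None


def password_auth_disabled(ssh_debug_output, config_text):
    """Combined check: the config says disable AND the server no longer offers password."""
    return (admin_ssh_password_setting(config_text) == "disable"
            and not password_auth_offered(ssh_debug_output))


if __name__ == "__main__":
    print("before:", sorted(offered_auth_methods(SSH_DEBUG_BEFORE)))
    print("after: ", sorted(offered_auth_methods(SSH_DEBUG_AFTER)))
    print("hardened:", password_auth_disabled(SSH_DEBUG_AFTER, CONFIG_AFTER))
```

The combined check deliberately requires both signals: the config line shows intent, while the server's own method list is what an SSH client actually sees, so a mismatch between the two points at a change that was not committed with 'end' or a dump taken from a different device.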

Disabling the SSH password has the following effects:

- All SSH password-based access is disabled for ALL admin accounts. Console access is not affected.
- An admin trying to authenticate with a password will get the error 'Permission denied (publickey)'.

To restore SSH password authentication, set admin-ssh-password back to enable. If the web GUI of the FortiGate is accessible, undo the change from there:

# config sys global
(global) # set admin-ssh-password enable
(global) # end

If SSH password authentication is disabled to strengthen the security of the network, the following are other ways to protect administrative access:

- Limit access by configuring trusted hosts for the admin accounts.
- Create a local-in policy.
- Enable MFA such as FortiToken for the admin account(s).
- Set up automatic alerts on successful and failed login attempts on the admin interface.
- Moving the admin interface to a network separate from regular data traffic will do much more to secure admin access than switching from password-based to key-based authentication.
