Description
This article explains how to restrict SSH and telnet traffic from a FortiGate to other hosts.

Scope
FortiOS 7.2.1.

Solution
Administrator access profiles can be configured to prevent administrators from using the FortiGate as a jump host for SSH and telnet connections. This feature is introduced in FortiOS 7.2.1. It is useful in environments where SSH or telnet sessions initiated from the FortiWeb must be restricted for particular users.
To configure permissions to execute SSH or telnet commands in an access profile, run the following in the CLI:
# config system accprofile
    edit <name>
        set system-execute-ssh {enable | disable}
        set system-execute-telnet {enable | disable}
    next
end
To block SSH and telnet connections for an administrator, disable permission to execute SSH or telnet commands in the corresponding administrator access profile:
# config system accprofile
    edit "prof_admin"
        set system-execute-ssh disable
        set system-execute-telnet disable
    next
end
Assign an administrator to the profile:
# config system admin
    edit "noc_user1"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2FGkJSJ3h1YgHaEeNmJQDU9xZd7bCcM2Jq3WKvPyu1N60nba0085X5Tri7pI=
    next
end
Log in as the new administrator and attempt to connect to another host using SSH or telnet. Both commands are expected to be refused:
# execute ssh rootuser@192.168.4.5
# execute telnet 10.199.44.2
Refusal of both commands confirms the restrictions are working as intended.
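As an added example (not part of the article or of FortiOS), the following Python script audits a FortiOS configuration dump and lists administrators whose access profile still permits `execute ssh` or `execute telnet`. The sample configuration is constructed, and the script assumes that an option absent from the dump is at its default value of enable.

```python
import re

# Constructed sample FortiOS config (not from the article): one restricted
# profile, one profile that leaves the defaults in place, one admin on each.
SAMPLE_CONFIG = """
config system accprofile
    edit "prof_admin"
        set system-execute-ssh disable
        set system-execute-telnet disable
    next
    edit "super_admin"
        set sysgrp read-write
    next
end
config system admin
    edit "noc_user1"
        set accprofile "prof_admin"
    next
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

def parse_section(config: str, section: str) -> dict:
    """Return {entry_name: {setting: value}} for one 'config <section>' block."""
    m = re.search(rf"^config {re.escape(section)}\n(.*?)^end", config, re.S | re.M)
    entries, current = {}, None
    for line in (m.group(1) if m else "").splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = line[5:].strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            entries[current][key] = value.strip('"')
    return entries

def admins_with_jump_host_access(config: str) -> list:
    """Admins whose profile still permits 'execute ssh' or 'execute telnet'.
    Assumption: an option absent from the dump is at its default, enable."""
    profiles = parse_section(config, "system accprofile")
    flagged = []
    for name, settings in parse_section(config, "system admin").items():
        prof = profiles.get(settings.get("accprofile", ""), {})
        if any(prof.get(opt, "enable") != "disable"
               for opt in ("system-execute-ssh", "system-execute-telnet")):
            flagged.append(name)
    return sorted(flagged)
```

Run it against the output of `show full-configuration` to spot profiles where only one of the two options was disabled.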
Copyright 2024 Fortinet, Inc. All Rights Reserved.