FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
JordAnge
Staff
Article Id 406311
Description

This article explains why SSH key authentication from FortiNAC fails when it logs in to a FortiGate and why the FortiGate records an error message for that initial failed attempt.


date=2024-11-12 time=17:58:11 devid="FG6H1ETB20902023" devname="FW1" eventtime=1731455892002430126 tz="-0600" logid="0100032002" type="event" subtype="system" level="alert" vd="root" logdesc="Admin login failed" sn="0" user="admin" ui="ssh(192.168.100.1)" method="ssh" srcip=192.168.100.1 dstip=192.168.27.251 action="login" status="failed" reason="ssh_key_invalid" msg="Administrator admin login failed from ssh(192.168.100.1) because of invalid ssh key"

Scope

FortiNAC v7.6.3 or earlier.
Solution

By default, if an SSH key pair is configured on the FortiNAC server (/bsc/.ssh/id_ed25519, /bsc/.ssh/id_rsa, or /bsc/.ssh/id_dsa), an SSH session to a device first attempts to authenticate with the SSH public key and falls back to the CLI password if that attempt fails.


As a result, the FortiGate records that first key-based attempt as a failed login before the password fallback succeeds.


To disable public key authentication for a device, run the following on the FortiNAC server:


device -ip <IP> -setAttr -name SSH_PUBLICKEY_AUTH_ENABLED -value false


Example:


execute enter-shell
device -ip <IP of the FortiGate> -setAttr -name SSH_PUBLICKEY_AUTH_ENABLED -value "false"


Fix:

Upgrade to v7.2.9, v7.4.1, or v7.6.3.
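Where these failed key attempts still show up in FortiGate logs, an operator needs to tell the expected FortiNAC key-then-password fallback apart from ssh_key_invalid failures that have some other origin. The following is an added example, not code from the article or from Fortinet: it parses the FortiGate key=value event format shown above and labels each invalid-key login failure by source. The FortiNAC server address 192.168.100.1 and the two extra log lines are constructed for the example.

```python
import re
from typing import Dict, List

# Three constructed FortiGate event lines: the first is the one quoted in the
# article; the other two are made up (10.0.0.77 is not a FortiNAC server).
SAMPLE_LOGS = [
    'date=2024-11-12 time=17:58:11 devid="FG6H1ETB20902023" devname="FW1" '
    'eventtime=1731455892002430126 tz="-0600" logid="0100032002" type="event" '
    'subtype="system" level="alert" vd="root" logdesc="Admin login failed" '
    'sn="0" user="admin" ui="ssh(192.168.100.1)" method="ssh" '
    'srcip=192.168.100.1 dstip=192.168.27.251 action="login" status="failed" '
    'reason="ssh_key_invalid" msg="Administrator admin login failed from '
    'ssh(192.168.100.1) because of invalid ssh key"',
    'date=2024-11-12 time=18:03:40 devname="FW1" logdesc="Admin login failed" '
    'user="admin" ui="ssh(192.168.100.1)" method="ssh" srcip=192.168.100.1 '
    'dstip=192.168.27.251 action="login" status="failed" reason="ssh_key_invalid"',
    'date=2024-11-12 time=18:05:02 devname="FW1" logdesc="Admin login failed" '
    'user="admin" ui="ssh(10.0.0.77)" method="ssh" srcip=10.0.0.77 '
    'dstip=192.168.27.251 action="login" status="failed" reason="ssh_key_invalid"',
]

# Values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return the key=value pairs of one FortiGate log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

def classify_ssh_key_failures(lines: List[str], fortinac_ips: set) -> List[Dict[str, str]]:
    """Keep failed SSH admin logins with reason ssh_key_invalid and label each:
    'expected' when srcip is a FortiNAC server (the key attempt that precedes
    its password fallback), 'investigate' for any other source."""
    findings = []
    for line in lines:
        ev = parse_fortigate_log(line)
        if (ev.get("action"), ev.get("status"), ev.get("reason")) != ("login", "failed", "ssh_key_invalid"):
            continue
        src = ev.get("srcip", "")
        findings.append({"device": ev.get("devname", ""), "user": ev.get("user", ""),
                         "srcip": src,
                         "verdict": "expected" if src in fortinac_ips else "investigate"})
    return findings

if __name__ == "__main__":
    for f in classify_ssh_key_failures(SAMPLE_LOGS, {"192.168.100.1"}):  # assumed FortiNAC address
        print(f)
```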

Related article:
Technical Tip: Implementing Public Key SSH Authentication from FortiNAC to FortiGate