Hello fellows,
for simplicity, I often use my private SSH key to log in to my local admin account on various FGTs (I mean, CLI access via SSH). Now, if instead of a local admin account I use a wildcard admin account against LDAP/MS AD in the background, I cannot use this anymore.
Any ideas how to work around this?
Hi Ede,
how do you expect it to work? Like one public key for everyone eligible to log in through LDAP?
For this type of remote user, the password, and so I believe the key as well, is used as a fallback option if the remote server is not reachable or does not respond to authentication attempts.
A workaround might be that the remote server reads and uses the provided password as the key.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
You're right, "how do you expect it to work?" Seems you can't have the pudding and eat it.
Yes.
Seems to me that all the modern tech is about the same ... the options are "cheap", "fast" and "reliable/robust", and you can choose two but never be able to get all three in one product.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
I'm sure you can do this in LDAP, but it takes work, maybe a fork of RADIUS or TACACS.
I would look at jirutka/ssh-ldap-pubkey.
You will need custom attributes, and then you can deploy what you want. Certificates would be much, much, much better IMHO, YMMV.
Ken Felix
PCNSE
NSE
StrongSwan
Thanks Ken, I will look into certs then.
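To make the limitation discussed above concrete, here is an added FortiOS CLI configuration example (not from the original thread or from Fortinet) contrasting a local admin that carries an SSH public key with a wildcard LDAP admin that cannot. The names (`ede`, `ldap-admins`, `corp-ad`, `LDAP-Admins`), the server address, the base DN and the key string are all constructed placeholders:

```text
# Constructed example: local admin with an SSH public key vs. wildcard remote admin

# LDAP server object that the wildcard admin authenticates against (placeholder values)
config user ldap
    edit "corp-ad"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=svc-fgt,ou=service,dc=example,dc=local"
        set password "svc-password-placeholder"
    next
end

# User group that maps LDAP members to the admin profile
config user group
    edit "LDAP-Admins"
        set member "corp-ad"
    next
end

config system admin
    # Local admin: the public key is stored on the FortiGate, per account,
    # so SSH key authentication works for this user.
    edit "ede"
        set accprofile "super_admin"
        set vdom "root"
        set ssh-public-key1 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYPLACEHOLDERKEYPLACEHOLDER ede@laptop"
        set password "local-fallback-placeholder"
    next

    # Wildcard remote admin: one entry matches every member of the LDAP group,
    # so there is no per-user slot for an SSH public key. The password set here
    # is only the fallback used when the LDAP server cannot be reached.
    edit "ldap-admins"
        set remote-auth enable
        set accprofile "super_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "LDAP-Admins"
        set password "fallback-placeholder"
    next
end
```

The wildcard entry is shared by all matching directory users, which is why a single `ssh-public-key1` on it would effectively be one key for everyone, the situation Tomas asks about. If per-user keys are required, they have to live somewhere the FortiGate can look them up per user, which is what the LDAP-attribute or certificate approaches Ken mentions are about.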
Copyright 2024 Fortinet, Inc. All Rights Reserved.