Support Forum
ede_pfau
Esteemed Contributor III

Admin auth per SSH key and LDAP

Hello fellows,

for simplicity, I often use my private SSH key to log in to my local admin account on various FGTs (I mean, CLI access via SSH). Now, if instead of a local admin account I use a wildcard admin account against LDAP/MS AD in the background, I cannot use this anymore.

Any ideas how to work around this?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
xsilver_FTNT
Staff

Hi Ede,

how do you expect it to work? Like one public key for everyone eligible to log in through LDAP?

For this type of remote user, the password (and so, I believe, the key as well) is used as a fallback option if the remote server is not reachable or does not respond to authentication attempts.

A workaround might be that the remote server reads and uses the provided password as the key.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

ede_pfau
Esteemed Contributor III

You're right, "how do you expect it to work?" Seems you can't have the pudding and eat it.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
xsilver_FTNT

yes.

Seems to me that all modern tech is about the same ... the options are "cheap", "fast" and "reliable/robust", and you can choose two but never get all three in one product.

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

emnoc
Esteemed Contributor III

I'm sure you can do this in LDAP, but it takes work, maybe a fork of RADIUS or TACACS.

I would look at jirutka/ssh-ldap-pubkey.

You will need custom attributes, and then you can deploy what you want. Certificates would be much, much, much better IMHO, YMMV.

Ken Felix

PCNSE NSE StrongSwan
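The ssh-ldap-pubkey approach Ken points to stores each user's public keys in a directory attribute (sshPublicKey, from the ldapPublicKey object class of the openssh-lpk schema) and has sshd fetch them at login time through an AuthorizedKeysCommand helper. The following is an added example, not code from this thread or from the jirutka/ssh-ldap-pubkey project, showing the validation such a helper should do before handing directory-sourced keys to sshd: parse an LDIF record (constructed here, including a deliberately malformed entry and a disallowed key type), accept only allowed key types, and check that the base64 blob really encodes the type its prefix claims. The key material is a constructed 32-byte value, not a real key, and the attribute name is taken from that schema; whether a FortiGate can consume such a lookup is not established by this thread, so the example illustrates the OpenSSH-side mechanism only.

```python
"""Validate directory-sourced SSH public keys the way an AuthorizedKeysCommand
helper should, using only the Python standard library (added example)."""
import base64
import binascii
import struct

# Key types this helper is willing to emit; anything else is rejected.
ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes) -> bytes:
    """Read the first SSH wire 'string' from blob; raise ValueError if truncated."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("blob truncated")
    return blob[4:4 + n]


def make_ed25519_pubkey_line(fill_byte: int, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 line from a constructed 32-byte
    value. This is NOT a real key; it only exercises the parser below."""
    raw = bytes([fill_byte]) * 32
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry into {attribute: [values]}.
    Handles folded continuation lines (leading space) and base64 values ('attr:: ...')."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip(), []).append(value)
    return entry


def validate_pubkey_line(line: str):
    """Return (ok, reason). ok is True only when the line has an allowed key type
    and its base64 blob decodes and names that same type."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return False, "too few fields"
    key_type, b64 = parts[0], parts[1]
    if key_type not in ALLOWED_KEY_TYPES:
        return False, f"disallowed key type {key_type}"
    try:
        blob = base64.b64decode(b64, validate=True)
        inner = _read_ssh_string(blob)
    except (binascii.Error, ValueError) as exc:
        return False, f"malformed key blob: {exc}"
    if inner != key_type.encode():
        return False, "key type in blob does not match prefix"
    return True, "ok"


def authorized_keys_from_ldif(ldif_text: str, attr: str = "sshPublicKey"):
    """Return (accepted_lines, rejections) for one user's directory entry.
    accepted_lines are ready to be printed as authorized_keys output."""
    entry = parse_ldif_entry(ldif_text)
    accepted, rejected = [], []
    for value in entry.get(attr, []):
        ok, reason = validate_pubkey_line(value)
        if ok:
            accepted.append(value)
        else:
            rejected.append((value.split(None, 1)[0], reason))
    return accepted, rejected


# Constructed LDIF record: one well-formed key, one with a corrupt blob,
# and one of a key type the helper does not allow.
SAMPLE_LDIF = (
    "dn: uid=ede,ou=people,dc=example,dc=org\n"
    "objectClass: inetOrgPerson\n"
    "objectClass: ldapPublicKey\n"
    "uid: ede\n"
    f"sshPublicKey: {make_ed25519_pubkey_line(0x42, 'ede@laptop')}\n"
    "sshPublicKey: ssh-rsa notbase64!!! stale\n"
    "sshPublicKey: ssh-dss AAAA legacy\n"
)

if __name__ == "__main__":
    acc, rej = authorized_keys_from_ldif(SAMPLE_LDIF)
    print("\n".join(acc))
    for key_type, reason in rej:
        print(f"# rejected {key_type}: {reason}")
```

Run as a script it prints the single accepted line in authorized_keys format and a comment per rejected value; in a real deployment the rejections would go to a log rather than stdout, since sshd reads the command's stdout as key material.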
ede_pfau
Esteemed Contributor III

Thanks Ken, I will look into certs then.


Ede

"Kernel panic: Aiee, killing interrupt handler!"