- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Authenticate via SSH on the firewall with private ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Authenticate via SSH on the firewall with private certificate
I would like to know if anyone has already managed by SSH to enable in fortigate authentication via SSH with local certificate
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's actual quite easy
1: have signed certificate created by the CA
e.g
here's my with a cn=kenfelix
2: import the CA certificate as "CA" certificate in the fortigate
3: import the admin user certificates as local-certs ( PKCS aka pfx is preferred )
in my example;
The user-certificate was imported as a pfx as local certificate name "kenfelix" ( the FGT name is the name you give it but to make it simpler name the certificate the same as the user imho )
config system admin
edit "kenfelix"
set accprofile "super_admin"
set vdom "root"
set ssh-certificate "kenfelix"
set password ENC AK18aQFToT6tNApJ943A/YRIVnY+j/uQ7Texdw5UQbRm3w=
next
end
Now, follow these instructions if your never used openssl and don't know how to extract a private-key
https://trueg.wordpress.com/2012/09/06/use-an-x-509-certificate-for-ssh-login/
Use the cli cmd get sys admin list for validation
FGW (root) # get sys admin list
username local device vdom profile remote started
kenfelix ssh wan1:x.x.x.x.x.x:22 root super_admin 70.195.210.178:2552 2017-07-27 22:34:55
It's best to ensure the permission on the private-key are set as 700 ( for us unix/linux guys ;) )
Run the ssh-client in verbose mode for further diagnostics
e.g
macbook:ssh kfelix$ ssh -v -i kenfelix.pem kenfelix@xx.xx.xx.xx
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file kenfelix.pem type -1
debug1: identity file kenfelix.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version q5baLW
debug1: no match: q5baLW
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA c6:d7:bd:7f:60:0d:49:c4:10:e4:b6:0f:c4:a7:98:3a
debug1: Host 'xx.xx.xx.xxx' is known and matches the RSA host key.
debug1: Found key in /Users/kfelix/.ssh/known_hosts:9
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: kenfelix.pem
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to xxxxxxxx ([xxxxxxxx]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
FGW # debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
If all was done right, you should have "password-less" login.
if all goes bad, fallback is your set password
I hope this helps
;)
ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
1 REPLY 1
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's actual quite easy
1: have signed certificate created by the CA
e.g
here's my with a cn=kenfelix
2: import the CA certificate as "CA" certificate in the fortigate
3: import the admin user certificates as local-certs ( PKCS aka pfx is preferred )
in my example;
The user-certificate was imported as a pfx as local certificate name "kenfelix" ( the FGT name is the name you give it but to make it simpler name the certificate the same as the user imho )
config system admin
edit "kenfelix"
set accprofile "super_admin"
set vdom "root"
set ssh-certificate "kenfelix"
set password ENC AK18aQFToT6tNApJ943A/YRIVnY+j/uQ7Texdw5UQbRm3w=
next
end
Now, follow these instructions if your never used openssl and don't know how to extract a private-key
https://trueg.wordpress.com/2012/09/06/use-an-x-509-certificate-for-ssh-login/
Use the cli cmd get sys admin list for validation
FGW (root) # get sys admin list
username local device vdom profile remote started
kenfelix ssh wan1:x.x.x.x.x.x:22 root super_admin 70.195.210.178:2552 2017-07-27 22:34:55
It's best to ensure the permission on the private-key are set as 700 ( for us unix/linux guys ;) )
Run the ssh-client in verbose mode for further diagnostics
e.g
macbook:ssh kfelix$ ssh -v -i kenfelix.pem kenfelix@xx.xx.xx.xx
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file kenfelix.pem type -1
debug1: identity file kenfelix.pem-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version q5baLW
debug1: no match: q5baLW
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA c6:d7:bd:7f:60:0d:49:c4:10:e4:b6:0f:c4:a7:98:3a
debug1: Host 'xx.xx.xx.xxx' is known and matches the RSA host key.
debug1: Found key in /Users/kfelix/.ssh/known_hosts:9
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: kenfelix.pem
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to xxxxxxxx ([xxxxxxxx]:22).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
FGW # debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
If all was done right, you should have "password-less" login.
if all goes bad, fallback is your set password
I hope this helps
;)
ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Related Posts
- VS SSL offloading with deep inspection 49 Views
- IPSEC VPN stopped working under Windows... 179 Views
- Virtual server and SSL inspection 136 Views
- 2FA SSL VPN with LDAP authentication 275 Views
- Solution for Article 239709 not working... 196 Views
Labels
-
FortiGate
6,816 -
FortiClient
1,353 -
5.2
801 -
5.4
639 -
FortiManager
585 -
FortiAnalyzer
431 -
6.0
416 -
5.6
362 -
FortiAP
352 -
FortiSwitch
348 -
FortiClient EMS
277 -
FortiMail
266 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
165 -
6.4
128 -
FortiNAC
114 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
90 -
IPsec
90 -
FortiCloud Products
85 -
FortiToken
74 -
SSL-VPN
73 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
37 -
FortiDNS
35 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
24 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
LDAP
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.