Hello,
Does anybody know how to generate a FortiGate SSH Server new RSA Key Pair - if it is possible at all.
Where is the default RSA key pair located on a FortiGate?
$ ssh -l admin x.x.x.x The authenticity of host 'x.x.x.x (x.x.x.x)' can't be established. RSA key fingerprint is 69:b7:62:fe:57:0b:bb:db:c3:87:bf:12:95:d0:c5:5d.
Are you sure you want to continue connecting (yes/no)?
Thanks.
AtiT
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello, have you found an answer?
I'm looking how to align ssh key between firewalls in the same cluster.
thank you, regards.
NSE 7
You can upgrade the unit that will create a new key, if you swap act/std ( assuming ACT/STD ) that would present the new cert. So why do you need to create a new ssh-key ?
As far as the key it's stored locally in the file path and not directly accessible ( look at the RSA key )
http://socpuppet.blogspot.com/2014/08/your-fortigate-is-not-as-secured-as-you.html
Ken Felix
PCNSE
NSE
StrongSwan
The article you posted is regarding the https private key.
I'm looking to ssh fingerprint and for sync it in the cluster. This because I have scripts that logging to the firewall to get ore set the config, but if the firewalls swap from active/backup the ssh key will change and the script doesn't work
NSE 7
The article you posted is regarding the https private key.
Correct, read the article and look at the screenshot the RSA pub/priv key is in the same path. Again for the OP, whey does he need to rebuild a key-pair ?
Ken Felix
PCNSE
NSE
StrongSwan
Looked at ssh_host_rsa_key, but this file is removed in newer OS (from 5.0 I think).
Anyway, I don't want to generate a new ssh key, I only want that this key is aligned (the same) in all firewalls in the HA cluster.
NSE 7
I only want that this key is aligned (the same) in all firewalls in the HA cluster.
That's impossible and no reason should ever exist or warrant that need imho
Ken Felix
PCNSE
NSE
StrongSwan
I second your need for automated ssh to an A/P cluster regardless of which node is currently active.
Unfortunately ssh-ed25519 keys are ephemeral. Ssh-rsa keys should be persistent and consistent across the cluster, but the ssh deamon reads them only when restarted. In another words, the new host key is only visible after the fortigate/sshd is restarted.
Hi user185953!
I'm not sure understand your answer.
Do you mean that after HA cluster is done and after a reboot of boot units the SSH-rsa key are the same and I will not obtain the security alert?
NSE 7
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1709 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.