Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Kenundrum
Contributor III

Minimum access for SSH?

I'm trying to set up a read only user that would be used to back up configurations and apparently setting read only rights on all options in the admin profile will cause it to deny SSH connections in from that user. Is there a specific access control item that needs to be read-write for you to be able to use the cli?

CISSP, NSE4

 

4 REPLIES 4
emnoc
Esteemed Contributor III

You have to look at the accessprofile and the categories. Just test it b4 you   release it. Keep in mind that they can still get access to fnsysctl and if you allow scp you can have anybody conduct a restoral.

 

I haven't found any method for a use to just "backup" only with no other means. Let us know what you do. In thelong run you would find the fortimanager a better solution for this  but at the cost of $$$$.$$ ;)

 

 

 

PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

I don't think that getting hold of a firewall backup corresponds well to a 'I-dont-trust-you-so-you-work-readonly' admin. You can either have one or the other.

 

A backup file plus physical access is all one needs to get total control of a firewall.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Kenundrum

well it would be mostly for an automated tool to access the firewall and we want to have its own admin account. The desire to restrict access to that account is so that if someone were to get the password, they would have limited ability to do anything bad. The more likely scenario is that the software has some bug and causes a change in the configuration unexpectedly.

Either way, the admin guide specifically mentions that depending on your access level, parts of the cli structure may be unavailable but it does not specify that in order to access the CLI at all, you need x,y, and z permissions.

CISSP, NSE4

 

Kenundrum

Sorry!

Apparently the problem was we had the wrong line ending in the setup. read only access dumps you to the CLI with a $ at the end instead of the # a super user would get. That was the problem all along.

CISSP, NSE4