I have a Fortiswitch 148E on FortiOS version 7.4.3 configured to accept public key authentication over SSH. I've found that I need to add "-o PubkeyAcceptedKeyTypes=+ssh-rsa" to my ssh command in order to successfully authenticate via public key as ssh-rsa is disabled by default in OpenSSH in favor of more secure algorithms. This seems like a bit of a security oversight on Fortinet's behalf. Is there any way to enable other public key algorithms in 7.4.3? Any chance this is resolved in 7.6?
Hi,
ssh-rsa will no longer be offered as the server host key algorithm after upgrading to FortiOS v7.0.13 or FortiOS 7.2.6; only the ssh-ed25519 algorithm will be offered. Please refer to the details in the doc below.
Thanks,
I'm on 7.4.3. Also, I don't think that document is relevant to Fortiswitches.
FortiSwitch 7.6.0 CLI reference guide says below:
ssh-public-key1/2/3 "<key-type> <key-value>"
You can specify the public keys of up to three SSH clients. These clients are authenticated without being asked for the administrator password. You must create the public-private key pair in the SSH client application.
<key-type> is ssh-dss for a DSA key or ssh-rsa for an RSA key.
<key-value> is the public key string of the SSH client.
https://docs.fortinet.com/document/fortiswitch/7.6.0/fortiswitchos-cli-reference/500379/config-syste...
So the only other option would be DSS/DSA.
Toshi
I should be a little clearer about what I want to accomplish here. It's not simply that I don't want to use RSA (although it would be preferable to use more secure algorithms like ECDSA); it's that I don't want to use rsa-sha1 for public key authentication, which is what is enabled when you add the "-o PubkeyAcceptedKeyTypes=+ssh-rsa" option. Without that option, it is my understanding that OpenSSH will still try to use rsa-sha2-256 or rsa-sha2-512.
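A way to verify which signature algorithm the client actually used for public key authentication, rather than inferring it from the ssh options, is to read the `ssh -vvv` output. The script below is an added example, not from this thread or from Fortinet; it parses the `sign_and_send_pubkey: signing using <alg>` debug line that OpenSSH clients print, and the two log excerpts are constructed samples, not captures from a FortiSwitch.

```shell
#!/bin/sh
# Added example: classify the public key signature algorithm seen in
# `ssh -vvv` client output. OpenSSH logs a line of the form
#   debug3: sign_and_send_pubkey: signing using <alg> SHA256:<fp>
# "ssh-rsa" means the RSA key was used with SHA-1; rsa-sha2-256 and
# rsa-sha2-512 mean SHA-2. Sample logs below are constructed.

# Read a debug log on stdin and print the algorithm used for the
# first public key signature, or "none" if no such line is present.
pubkey_sig_alg() {
    alg=$(sed -n 's/^debug3: sign_and_send_pubkey: signing using \([^ ]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${alg:-none}"
}

# Return 0 when the algorithm is SHA-1 based (ssh-rsa or legacy ssh-dss),
# 1 otherwise, so callers can gate alerts or CI checks on it.
is_sha1_pubkey_alg() {
    case "$1" in
        ssh-rsa|ssh-dss) return 0 ;;
        *) return 1 ;;
    esac
}

# Take a log as a string and print a one-line verdict.
check_log() {
    alg=$(printf '%s\n' "$1" | pubkey_sig_alg)
    if is_sha1_pubkey_alg "$alg"; then
        printf 'WEAK: public key auth used %s (SHA-1)\n' "$alg"
    else
        printf 'OK: public key auth used %s\n' "$alg"
    fi
}

# Constructed sample: client fell back to ssh-rsa (SHA-1), the case the
# "-o PubkeyAcceptedKeyTypes=+ssh-rsa" workaround produces.
LOG_SHA1='debug1: Offering public key: /home/admin/.ssh/id_rsa RSA SHA256:AbCdEf agent
debug1: Server accepts key: /home/admin/.ssh/id_rsa RSA SHA256:AbCdEf agent
debug3: sign_and_send_pubkey: signing using ssh-rsa SHA256:AbCdEf
debug1: Authentication succeeded (publickey).'

# Constructed sample: same key, but the server accepted a SHA-2 signature.
LOG_SHA2='debug1: Offering public key: /home/admin/.ssh/id_rsa RSA SHA256:AbCdEf agent
debug1: Server accepts key: /home/admin/.ssh/id_rsa RSA SHA256:AbCdEf agent
debug3: sign_and_send_pubkey: signing using rsa-sha2-512 SHA256:AbCdEf
debug1: Authentication succeeded (publickey).'

check_log "$LOG_SHA1"   # WEAK: public key auth used ssh-rsa (SHA-1)
check_log "$LOG_SHA2"   # OK: public key auth used rsa-sha2-512
```

In practice feed it a real session with `ssh -vvv admin@switch 2>&1 | pubkey_sig_alg`; if the answer is ssh-rsa, the SHA-1 workaround is in effect.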
Copyright 2024 Fortinet, Inc. All Rights Reserved.