The following log message is displayed under the system event logs when an admin login fails because of an invalid SSH key:
Log Description: Admin login failed
Action: login
Status: failed
Reason: ssh_key_invalid
User Interface: ssh (172.25.181.252)
Message: Administrator admin login failed from ssh (172.25.181.252) because of invalid ssh key
When an SSH client attempts to authenticate to FortiGate with a public/private key pair (challenge and challenge-response messages), the above log message may be generated if the admin account on FortiGate is not configured to use SSH keys for authentication, or if the SSH key pair is incorrect.
For configuration details, refer to the Technical Tip: How to authenticate an admin user to FortiGate via CLI using SSH keys.
To verify the error in the connection, run the following SSH daemon debugs on FortiGate:
# diag debug app sshd -1
# diag debug console timestamp enable
# diag debug enable
The following debug messages show that SSH authentication with the public key method failed and that, during the third attempt, the SSH client authenticated successfully with the password method.
SSH: userauth-request for user admin service ssh-connection method publickey <----
SSH: attempt 1 failures 0
SSH: input_userauth_request: try method publickey
SSH: test whether pkalg/pkblob are acceptable
SSH: temporarily_use_uid: 0/0 (e=0/0)
SSH: trying public key file /etc/ssh/admin_auth_keys
SSH: Could not open authorized keys '/etc/ssh/admin_auth_keys': No such file or directory
SSH: restore_uid: 0/0
SSH: temporarily_use_uid: 0/0 (e=0/0)
SSH: trying public key file (null)/.ssh/authorized_keys2
SSH: Could not open authorized keys '(null)/.ssh/authorized_keys2': No such file or directory
SSH: restore_uid: 0/0
SSH: userauth_pubkey: authenticated 0 pkalg ssh-rsa
SSH: userauth_finish: failure partial=0 next methods="publickey,password"
SSH: userauth-request for user admin service ssh-connection method password <----
SSH: attempt 2 failures 1
SSH: input_userauth_request: try method password
SSH: Accepted password for admin from 192.168.1.250 port 57906 ssh2
SSH: notify_hostkeys: key 0: ssh-rsa SHA256:VnzgZQymfLYwWwI8ZNJhv5zv2Q+diBL8HLhqMKZSYm0
SSH: notify_hostkeys: key 1: ssh-ed25519 SHA256:6XFL3Q2zqPzeVUOhlUSQgG3sKm7MgdL/NSEEFeQaMv
In this case, even though SSH access to FortiGate succeeds, FortiGate logs a message stating 'Administrator admin login failed from SSH because of invalid SSH key'.
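As an added example (not part of the Fortinet article), the following Python script groups the sshd debug lines into per-attempt records and flags the pattern just described: a rejected public key followed by an accepted password login for the same admin, which is the session that produces the 'invalid ssh key' event. The sample input is constructed from the debug output shown above; the function and field names are the example's own.

```python
import re

# Constructed sample, modelled on the FortiGate sshd debug output above (uid lines omitted).
SAMPLE_DEBUG = """\
SSH: userauth-request for user admin service ssh-connection method publickey
SSH: attempt 1 failures 0
SSH: input_userauth_request: try method publickey
SSH: trying public key file /etc/ssh/admin_auth_keys
SSH: Could not open authorized keys '/etc/ssh/admin_auth_keys': No such file or directory
SSH: userauth_pubkey: authenticated 0 pkalg ssh-rsa
SSH: userauth_finish: failure partial=0 next methods="publickey,password"
SSH: userauth-request for user admin service ssh-connection method password
SSH: attempt 2 failures 1
SSH: input_userauth_request: try method password
SSH: Accepted password for admin from 192.168.1.250 port 57906 ssh2
"""

# One userauth-request line opens each attempt; the lines that follow belong to it.
REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
MISSING_KEYS = re.compile(r"Could not open authorized keys '([^']+)': No such file")
FAILURE = re.compile(r"userauth_finish: failure")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")

def parse_attempts(debug_text):
    """Group sshd debug lines into per-attempt dicts: user, method, result, detail."""
    attempts, current = [], None
    for line in debug_text.splitlines():
        m = REQUEST.search(line)
        if m:
            current = {"user": m.group(1), "method": m.group(2), "result": "pending", "detail": ""}
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first userauth-request are ignored
        m = MISSING_KEYS.search(line)
        if m:  # no authorized keys file: the account is not set up for SSH key auth
            current["detail"] = f"authorized keys file {m.group(1)} missing"
        if FAILURE.search(line):
            current["result"] = "failed"
        m = ACCEPTED.search(line)
        if m:
            current["result"] = "accepted"
            current["detail"] = f"from {m.group(3)} port {m.group(4)}"
    return attempts

def pubkey_fallback_to_password(attempts):
    """True if a failed publickey attempt precedes an accepted password login for the same user."""
    failed = {a["user"] for a in attempts if a["method"] == "publickey" and a["result"] == "failed"}
    return any(a["method"] == "password" and a["result"] == "accepted" and a["user"] in failed for a in attempts)
```

Feed it the output captured after `diag debug app sshd -1`; a True result with a "missing" detail on the publickey attempt means the admin account simply has no SSH key configured, so the event is expected noise rather than a failed login.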
There are two ways to avoid generating this log message on FortiGate:
1) Disable the SSH public key authentication method on the SSH client and FortiGate, and use password authentication instead.
2) Provide the correct public/private key pair to FortiGate and the SSH client.