Arunkumar1
New Contributor

Disable SSH Password Authentication in Azure Fortigate VM

Hi Team,

We have been asked to disable ssh password authentication in FortiGate VM deployed in Azure like how we do in normal Linux VMs.

  1. Edit /etc/ssh/sshd_config (with sudo) and update the value of "PasswordAuthentication" to "no".
  2. Restart the SSH service on the VM

Could you please confirm whether this is possible in FortiGate VM? Is there any way to keep only SSH key-based authentication for admin users and disable password authentication?

Yurisk
Valued Contributor

Hi, this is possible, but make sure you can connect with your SSH public key before configuring it, so not to lock yourself out.

# config sys global
(global) # set admin-ssh-password disable
(global) # end

A few notes:

  • It disables SSH password-based access to ALL admin accounts, not only a specific one.
  • An admin trying to authenticate with a password will get the error Permission denied (publickey).
  • This does not affect console access (just in case).
  • You don't have access to sshd_config on the Fortigate.
  • I did not test it specifically with Azure FW, but it works on physical + usual VM FGT, so it should work on Azure as well.
Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
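Yuri's warning about locking yourself out can be turned into a pre-flight check. The script below is an added example, not code from the thread or from Fortinet: it first proves that public-key login works (with password fallback switched off on the client side, so the test fails the same way an admin would fail after the change), and only then pipes the CLI from the reply above over SSH. It assumes the admin account is "admin", that its public key is already configured on the FortiGate, that the host name and key path are placeholders, and that the FortiGate CLI reads commands piped through the ssh session's stdin; SSH_BIN is an assumed override hook for testing.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: prove public-key login works on the
# FortiGate BEFORE sending the "set admin-ssh-password disable" change, so
# the change cannot lock you out. Assumptions: the admin account already
# has its public key configured, the host/key paths are placeholders, and
# SSH_BIN (default: the real ssh client) can be overridden for testing.
set -u

# Return 0 only if the FortiGate accepts the key with no password fallback.
# BatchMode and PasswordAuthentication=no stop ssh from ever prompting, so a
# non-zero result is the same "Permission denied (publickey)" an admin would
# hit after the change takes effect.
key_auth_works() {
  local host="$1" key="$2" user="${3:-admin}"
  "${SSH_BIN:-ssh}" -o BatchMode=yes -o PasswordAuthentication=no \
    -o PreferredAuthentications=publickey -o ConnectTimeout=10 \
    -i "$key" "${user}@${host}" "get system status" >/dev/null 2>&1
}

# The FortiOS CLI from the thread, emitted so it can be piped over ssh.
disable_password_auth_cli() {
  cat <<'EOF'
config system global
    set admin-ssh-password disable
end
EOF
}

# Apply the change only after the key-auth pre-flight check succeeds.
harden_ssh() {
  local host="$1" key="$2" user="${3:-admin}"
  if ! key_auth_works "$host" "$key" "$user"; then
    echo "refusing: key login as ${user}@${host} failed; fix key auth first" >&2
    return 1
  fi
  disable_password_auth_cli |
    "${SSH_BIN:-ssh}" -o BatchMode=yes -i "$key" "${user}@${host}"
}

# Example call (placeholders): harden_ssh fgt.example.test ~/.ssh/fgt_admin_key
```

Keep a second session (or the GUI console applet mentioned later in the thread) open while you run it, so a failed check still leaves you a way back in.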
Arunkumar1
New Contributor

Thanks Yurisk for the update. We are also trying to confirm whether this is recommended for FortiGate/FortiAnalyzer VMs: to only have public key authentication and completely disable password authentication. Is it something you can help with? How can we recover the VM SSH access in case we have any issue with key authentication in future?

Yurisk
Valued Contributor

Recover - as long as you have access to the web GUI of the Fortigate, you can undo this command in the Console web applet.

Recommended - not that I can recall any Fortinet docs recommending disabling password access on SSH. Personally, I don't think it is a first line of defense - it prevents brute forcing the password. But if you have an admin interface open to brute force attempts, the situation is already bad. I'd say limiting access by trusthost/Local-in policy, enabling MFA like Fortitoken for admin account(s), setting auto-alerts on admin interface successful/failed attempts, and moving the admin interface to a network separate from regular data traffic will do much more to secure the admin access than switching from password-based to key-based authentication. Of course YMMV, so your context matters as opposed to general recommendations.

HTH

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.