Hello, if an admin account has two-factor enabled, it appears to only apply to HTTPS access, but not SSH. I just enabled it for myself, was able to log out and back in via HTTPS, and it required the token as expected. I SSH in, and I'm in without two-factor; I was hoping it would authenticate me via SSH first, then require my two-factor before actually completing the login. Is that not available?
I just tried this on a box running 5.2.10 and it works as expected. I get a password prompt and then a prompt for "Email Token". Do you have any more details on the setup, such as the type of two-factor and what version it's running on?
Yeah, CLI should require 2FA as well depending on the type of 2FA you are running. I know for a fact if you are getting a token emailed or texted to you that the CLI will prompt you for the code when using SSH.
Yep, I agree. I think we'll have to stop using key-based though on the FortiGates. The concern is the fact that operating systems like macOS keep an unlocked key in memory if someone hasn't explicitly run ssh-add -D after they're done, so even closing the terminal / iTerm would allow a stolen laptop, for example, to open it back up and start ssh'ing to things without knowing the key's passphrase. I'll file a request to have FortiToken support added for even when ssh-public-key1 is defined; maybe I'll get lucky lol.
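To make the two admin setups discussed above concrete, here is an added illustration (not posted in the thread) of what the two definitions look like under FortiOS `config system admin`; the admin names, e-mail address, trusted subnet and the key are placeholders, and the `#` lines are reader comments rather than CLI input.

```text
# Added illustration, not from the thread. Two admin accounts as they would
# be typed at the FortiGate CLI; names, address and key are placeholders.
config system admin
    # Setting the original poster hit: a public key in ssh-public-key1 lets
    # SSH complete the login with the key alone, so the e-mail token is never
    # requested, while HTTPS logins still get the token prompt.
    edit "netadmin-key"
        set accprofile "super_admin"
        set two-factor email
        set email-to "netadmin@example.com"
        set ssh-public-key1 "ssh-ed25519 AAAA...PLACEHOLDER netadmin@laptop"
    next
    # What the thread settles on: no SSH key on the account, so SSH falls
    # back to password plus "Email Token", matching the 5.2.10 observation.
    # The password is set interactively and is omitted here on purpose.
    edit "netadmin"
        set accprofile "super_admin"
        set two-factor email
        set email-to "netadmin@example.com"
        set trusthost1 203.0.113.0 255.255.255.0
    next
end
```

After changing either account, log in over SSH from a second session before closing the working one, and confirm that the token prompt appears where you expect it.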