ispcolohost
Contributor

Two-Factor for SSH?

Hello, if an admin account has two factor enabled, it appears to only apply to https access, but not SSH.  I just enabled it for myself, was able to log out and back in via https, it required the token as expected.  I SSH in, and I'm in without two factor; was hoping it would authenticate me via SSH first, then require my two factor before actually completing the login.  Is that not available?

6 REPLIES
Kenundrum
Contributor III

I just tried this on a box running 5.2.10 and it works as expected. I get a password prompt and then a prompt for "Email Token". Do you have any more details on the setup such as the type of 2 factor and what version it's running on?

CISSP, NSE4

MikePruett

Yeah, CLI should require 2FA as well depending on the type of 2FA you are running. I know for a fact if you are getting a token emailed or texted to you that the CLI will prompt you for the code when using SSH.

Mike Pruett Fortinet GURU | Fortinet Training Videos
ispcolohost

Ah, I see it now; apparently two factor does not occur if you're using key-based SSH authentication.

Kenundrum

For what it's worth, key-based SSH is technically two factor (when used with a password). It's just not "one time password" two factor.

CISSP, NSE4

ispcolohost

Yep, I agree; I think we'll have to stop using key-based though on the FortiGates.  The concern is the fact that operating systems like macOS keep an unlocked key in memory if someone hasn't explicitly run ssh-add -D after they're done, so even closing the terminal / iTerm would allow a stolen laptop, for example, to open it back up and start ssh'ing to things without knowing the key's passphrase.  I'll file a request to have FortiToken support added for even when ssh-public-key1 is defined; maybe I'll get lucky lol.

scerazy
New Contributor III

I see nothing came out of this request/feature, because it is still behaving the same way in FortiOS 7.2...
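
An added example (not part of the thread and not Fortinet code): a small audit over a FortiOS-style `config system admin` block that flags accounts where a second factor is configured but an `ssh-public-key` entry is also set, the case the posters report as logging in over SSH without a token prompt. The sample config is constructed, and the label strings and function names are this example's own.

```python
import re

# Constructed FortiOS-style admin config (sample data, not from the thread).
SAMPLE_CONFIG = '''\
config system admin
    edit "alice"
        set two-factor fortitoken
        set ssh-public-key1 "ssh-ed25519 AAAA-constructed alice@laptop"
    next
    edit "bob"
        set two-factor email
    next
    edit "carol"
        set ssh-public-key2 "ssh-rsa AAAA-constructed carol@laptop"
    next
end
'''

# (has SSH key, has two-factor) -> label; the labels are this example's own.
LABELS = {
    (True, True): "token-skipped-on-key-login",
    (True, False): "key-login-no-token",
    (False, True): "token-on-password-login",
    (False, False): "password-only",
}

def parse_admins(config_text):  # returns {admin: {setting: value}}
    admins, current, depth = {}, None, 0
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:
            depth = int(line == "config system admin")
        elif line.startswith("config "):
            depth += 1  # nested table inside an admin entry
        elif line == "end":
            depth -= 1
        elif depth == 1 and (m := re.match(r'edit\s+"?([^"]+)"?$', line)):
            current = admins.setdefault(m.group(1), {})
        elif depth == 1 and line == "next":
            current = None
        elif depth == 1 and current is not None and (m := re.match(r"set\s+(\S+)\s+(.*)$", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return admins

def audit(config_text):  # classify by the behaviour reported in the thread
    findings = {}
    for name, cfg in parse_admins(config_text).items():
        has_key = any(k.startswith("ssh-public-key") for k in cfg)
        has_2fa = cfg.get("two-factor", "disable") != "disable"
        findings[name] = LABELS[(has_key, has_2fa)]
    return findings
```

Running `audit()` over a saved configuration backup lists the accounts to review; `token-skipped-on-key-login` marks the combination discussed above.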
