Fortigate ssh access with public key authentication


Entering a username and password every time isn't fun when you log in to the same equipment daily. Saving the password in an automation script (Paramiko, Expect, etc.) is not very secure either. An SSH private/public key pair, on the other hand, answers all the needs: easy, secure, time saving. Here is how to enable SSH public key authentication for an admin user on a Fortigate:

Step 1. Create the public and private keys.
On the Linux command line we run:
$ ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/myuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/myuser/.ssh/id_rsa.
Your public key has been saved in /home/myuser/.ssh/id_rsa.pub.
The key fingerprint is:
be:1b:3c:e0:1e:7d:1e:29:04:27:1d:1d:11:41:33:54 myuser@myhost
The key's randomart image is:
+--[ RSA 2048]----+ 

Step 2. Import the PUBLIC key saved in Step 1 (the file id_rsa.pub) into the Fortigate. Paste the whole line from id_rsa.pub, key type first, and finish with end so the change is committed:

config system admin
(config)# edit myuser
(myuser)# set ssh-public-key1 "ssh-rsa AAAAB3Nza .. … … …. 0lTo9P myuser"
(myuser)# end

Step 3. Connect using the generated key. The user name in the command must be the Fortigate admin name; if you omit it, ssh sends your local login name instead:
ssh -i /home/myuser/.ssh/id_rsa myuser@ip-of-the-fortigate

Step 4 (optional, but recommended). Disable password-based authentication for admin SSH access altogether.

You can still connect with a password even after public key authentication is enabled; the one does not disable the other. For better security you can disable password authentication and leave only key-based login. Note that admin-ssh-password lives under config system global, so it applies to every admin account, not only the one you gave a key to. First, make sure you can connect with your key just fine. Then:

# config sys global
(global) # set admin-ssh-password disable
(global) # end
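As an added example (not from the original post), a small POSIX shell helper that ties Steps 2 to 4 together: it builds the import block from a .pub file after checking that the file really is a single-line OpenSSH public key, and it only emits the password-disable commands once a key-only login has succeeded. The admin name, host, key path and the FGT_SSH/FGT_KEY_TYPES overrides are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: an OpenSSH .pub file,
# the FortiGate admin name, and a reachable device. FGT_SSH overrides the ssh
# binary (a test can set it to `true`/`false`); FGT_KEY_TYPES the accepted
# key types (Ed25519/ECDSA acceptance depends on FortiOS version; ssh-rsa is
# what the post uses).

# Step 2 helper: print the CLI block for a public key, refusing files that are
# not a single-line OpenSSH public key (e.g. an accidentally pasted private key).
fgt_key_cli() {
  pubfile=$1; admin=$2
  if grep -q 'PRIVATE KEY' "$pubfile" || [ "$(wc -l < "$pubfile" | tr -d ' ')" -gt 1 ]; then
    echo "refusing: $pubfile is not a single-line OpenSSH public key" >&2; return 1
  fi
  IFS=' ' read -r keytype blob comment < "$pubfile" || [ -n "$keytype" ]
  case " ${FGT_KEY_TYPES:-ssh-rsa ssh-ed25519 ecdsa-sha2-nistp256} " in
    *" $keytype "*) ;;
    *) echo "refusing: unsupported key type '$keytype'" >&2; return 1 ;;
  esac
  case $blob in ''|*[!A-Za-z0-9+/=]*) echo "refusing: key blob is not base64" >&2; return 1 ;; esac
  printf 'config system admin\n  edit %s\n    set ssh-public-key1 "%s %s%s"\n  next\nend\n' \
    "$admin" "$keytype" "$blob" "${comment:+ $comment}"
}

# Step 3 check: these options make ssh fail instead of quietly falling back to
# a password prompt, so a zero exit status really means the key was accepted.
verify_key_login() {
  host=$1; admin=$2; key=$3
  "${FGT_SSH:-ssh}" -o BatchMode=yes -o PasswordAuthentication=no \
    -o PreferredAuthentications=publickey -o IdentitiesOnly=yes \
    -i "$key" "$admin@$host" 'get system status' >/dev/null 2>&1
}

# Step 4 guard: only emit the password-disable commands after a key login has
# succeeded, because admin-ssh-password is global and affects every admin.
disable_password_auth_cli() {
  verify_key_login "$1" "$2" "$3" || {
    echo "key login to $2@$1 failed; not disabling password auth" >&2; return 1; }
  printf 'config system global\n  set admin-ssh-password disable\nend\n'
}

# Demo with a constructed placeholder key (not a real key).
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderONLY myuser\n' > "$demo_dir/id_rsa.pub"
fgt_key_cli "$demo_dir/id_rsa.pub" myuser
rm -rf "$demo_dir"
```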

That is it. The same procedure works for other Fortinet products with SSH access, such as FortiMail and FortiAnalyzer.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.