FortiGate SSH access with certificate authentication


Entering a username and password every time isn't fun when you log in to the same equipment daily, and saving the password in an automation script (Paramiko, Expect, etc.) is not very secure either. SSH key-based authentication (the "certificates" of the title) answers all these needs: it is easy, secure and time saving. Here is how to enable SSH key authentication for an admin user on a FortiGate:

Step 1. Create the key pair.
On the Linux command line, run: $ ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/myuser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/myuser/.ssh/id_rsa.
Your public key has been saved in /home/myuser/.ssh/id_rsa.pub.
The key fingerprint is:
be:1b:3c:e0:1e:7d:1e:29:04:27:1d:1d:11:41:33:54 myuser@myhost
The key's randomart image is:
+--[ RSA 2048]----+ 

Step 2. Import the PUBLIC key from Step 1 (the contents of the file id_rsa.pub, pasted as a single line) into the admin account on the FortiGate, and finish with next and end so the change is saved:

config system admin
    edit myuser
        set ssh-public-key1 "ssh-rsa AAAAB3Nza .. … … …. 0lTo9P myuser"
    next
end

Step 3. Connect using the key, as the admin user it was imported for:
ssh -i /home/myuser/.ssh/id_rsa myuser@ip-of-the-fortigate
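The three steps above, as one added example script (not code from the original post or from Fortinet): it generates a key pair dedicated to FortiGate access, emits the exact FortiOS CLI block to paste from the .pub file, and then connects with the key only, failing fast if the key was not accepted rather than falling back to a password prompt. The admin name "myuser", the host "ip-of-the-fortigate" and the key path ~/.ssh/fortigate_rsa are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example (not from the original post): the three steps as functions plus
# a key-only login check. Assumed names: admin account "myuser", host
# "ip-of-the-fortigate", key file ~/.ssh/fortigate_rsa.

# Step 1: create a key pair used only for FortiGate access. ssh-keygen prompts
# for a passphrase; set one and let ssh-agent cache it rather than leaving an
# unprotected private key next to an automation script.
gen_key() {
  keyfile="$1"
  ssh-keygen -t rsa -b 4096 -C "myuser-fortigate" -f "$keyfile"
}

# Step 2: turn the .pub file into the FortiOS CLI block to paste. The file holds
# "<type> <base64> <comment>"; only type and blob are sent, quoted as a single
# argument, and next/end apply and save the entry.
fortios_snippet() {
  pubfile="$1"
  admin="$2"
  read -r keytype keydata _comment < "$pubfile" || return 1
  case "$keytype" in
    # key types this script accepts; RSA is what the post uses, support for
    # the others depends on the FortiOS version (assumption: check release notes)
    ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
    *) echo "unsupported key type: $keytype" >&2; return 1 ;;
  esac
  printf 'config system admin\n'
  printf '    edit %s\n' "$admin"
  printf '        set ssh-public-key1 "%s %s"\n' "$keytype" "$keydata"
  printf '    next\n'
  printf 'end\n'
}

# Step 3: connect with this key and nothing else. BatchMode=yes suppresses all
# interactive prompts, so a rejected key makes the command fail instead of
# silently falling back to the password the script was meant to eliminate;
# IdentitiesOnly=yes stops ssh from first offering every key ssh-agent holds.
fgt_ssh() {
  keyfile="$1"; admin="$2"; host="$3"; shift 3
  ssh -i "$keyfile" -o IdentitiesOnly=yes -o BatchMode=yes "$admin@$host" "$@"
}

main() {
  keyfile="${1:-$HOME/.ssh/fortigate_rsa}"
  [ -f "$keyfile" ] || gen_key "$keyfile"
  echo "Paste this into the FortiGate CLI:"
  fortios_snippet "$keyfile.pub" myuser
  echo
  echo "Then verify key-only login (fails fast if the key was not accepted):"
  echo "  fgt_ssh $keyfile myuser ip-of-the-fortigate get system status"
}

# Runs only when invoked as: sh fortigate_key.sh --run [keyfile]
if [ "${1:-}" = "--run" ]; then main "${2:-}"; fi
```

Because BatchMode=yes also suppresses the passphrase prompt, load the key into ssh-agent first (ssh-add ~/.ssh/fortigate_rsa) or the connection check will fail for the wrong reason. A successful `fgt_ssh ... get system status` proves both that the key was imported correctly and that no password was used.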

That is it. The same procedure works for other Fortinet products that offer SSH access, such as FortiMail and FortiAnalyzer.