
New Features

ECDSA in SSH administrative access 7.0.2


ECDSA (Elliptic Curve Digital Signature Algorithm) is now supported in SSH administrative access. Administrative users can connect using an ECDSA key pair or an ECDSA-based certificate.

To log in to the FortiGate with an ECDSA public key:
  1. On the PC, use a key generator (such as PuTTY) to generate an SSH public/private key pair with the ECDSA algorithm.

  2. In FortiOS, configure the key for ssh-public-key1:
    config system admin
        edit "admin1"
            set accprofile "prof_admin"
            set vdom "root"
            set ssh-public-key1 "ecdsa-sha2-nistp256 ************/*******= root@PC05.qa.fortinet.com"
            set password ************
        next
    end
  3. On the PC, verify that the administrator can log in to the FortiGate with the private key:
    # ssh -o StrictHostKeyChecking=no admin1@172.16.200.1 -i ./.ssh/id_ecdsa
      FortiGate-101F $ get system status
      Version: FortiGate-101F v7.0.2,build0206,210910 (interim)
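The value given to ssh-public-key1 is an OpenSSH public-key line: key type, a base64 blob, and an optional comment. The following is an added example (not Fortinet code) that parses and validates such a line, rejecting a wrong key type, a malformed blob, or a point that is not on NIST P-256, before emitting the FortiOS set line; the sample key is constructed from the P-256 base point and is not anyone's real key.

```python
import base64
import struct
# NIST P-256 parameters (a = p - 3) from FIPS 186-4, used for the on-curve check.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
KEY_TYPE = b"ecdsa-sha2-nistp256"

def read_ssh_string(blob, offset):
    """Decode one SSH wire-format string (uint32 length + bytes) at offset."""
    length = struct.unpack(">I", blob[offset:offset + 4])[0] if len(blob) >= offset + 4 else -1
    if length < 0 or len(blob) < offset + 4 + length:
        raise ValueError("truncated key blob")
    return blob[offset + 4:offset + 4 + length], offset + 4 + length

def parse_ecdsa_pubkey_line(line):
    """Parse 'ecdsa-sha2-nistp256 <base64> [comment]' into (x, y, comment).
    Raises ValueError unless the blob is a well-formed P-256 point on the curve."""
    fields = line.split(None, 2)
    if len(fields) < 2 or fields[0].encode() != KEY_TYPE:
        raise ValueError("key type must be ecdsa-sha2-nistp256")
    comment = fields[2].strip() if len(fields) == 3 else ""
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = read_ssh_string(blob, 0)
    curve, off = read_ssh_string(blob, off)
    point, off = read_ssh_string(blob, off)
    if key_type != KEY_TYPE or curve != b"nistp256" or off != len(blob):
        raise ValueError("blob fields do not describe a P-256 key")
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("point must be 65 bytes in uncompressed (0x04) form")
    x, y = int.from_bytes(point[1:33], "big"), int.from_bytes(point[33:], "big")
    # Reject off-curve points: y^2 == x^3 - 3x + b (mod p) must hold.
    if x >= P256_P or y >= P256_P or (y * y - (x**3 - 3 * x + P256_B)) % P256_P:
        raise ValueError("public point is not on NIST P-256")
    return x, y, comment

def encode_ecdsa_pubkey_line(x, y, comment):
    """Build the OpenSSH public-key line for affine point (x, y) on P-256."""
    point = b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")
    blob = b"".join(struct.pack(">I", len(s)) + s for s in (KEY_TYPE, b"nistp256", point))
    return f"{KEY_TYPE.decode()} {base64.b64encode(blob).decode()} {comment}"

def fortios_ssh_key_line(line, slot=1):
    parse_ecdsa_pubkey_line(line)  # refuse to emit config for an invalid key
    return f'set ssh-public-key{slot} "{line.strip()}"'

# Constructed sample: the P-256 base point G (well-formed, on the curve, not a real key).
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5
SAMPLE_LINE = encode_ecdsa_pubkey_line(GX, GY, "admin1@PC05")
```

Paste the output of fortios_ssh_key_line() into the config system admin block shown above; a real key line comes from the public-key file written by the key generator.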

To log in to the FortiGate with a certificate private key:
  1. On the PC, generate a certificate whose key pair uses ECDSA.
  2. In FortiOS, import the PEM file for the remote certificate:
    # execute vpn certificate remote import tftp certificate.pem 172.16.200.55
  3. Display the imported remote certificate:
    config certificate remote
        edit "REMOTE_Cert_1"
        next
    end
  4. Apply the remote certificate to the administrative user:
    config system admin
        edit "admin1"
            set accprofile "prof_admin"
            set vdom "root"
            set ssh-certificate "REMOTE_Cert_1"
            set password ************
        next
    end
  5. On the PC, verify that the administrator can log in to the FortiGate with the SSH certificate:
    root@PC05:~# ssh -i certificate-private.pem admin1@172.16.200.1
    FortiGate-101F $ get system status
    Version: FortiGate-101F v7.0.2,build0206,210910 (interim)
