Fortinet Document Library

Version:


Table of Contents

New Features

7.0.0
Download PDF
Copy Link

ECDSA in SSH administrative access 7.0.2

ECDSA (Elliptic Curve Digital Signature Algorithm) is now supported in SSH administrative access. Administrative users can connect using an ECDSA key pair or an ECDSA-based certificate.

To log in to the FortiGate with an ECDSA public key:
  1. On the PC, use a key generator (such as PuTTY) to generate an SSH public/private key pair using ECDSA encryption.

  2. In FortiOS, configure the key for ssh-public-key1:
    config system admin
        edit "admin1"
            set accprofile "prof_admin"
            set vdom "root"
            set ssh-public-key1 "ecdsa-sha2-nistp256 ************/*******= root@PC05.qa.fortinet.com"
            set password ************
        next
    end
  3. On the PC, verify that the administrator can log in to the FortiGate with the private key:
    # ssh -o StrictHostKeyChecking=no admin1@172.16.200.1 -i ./.ssh/id_ecdsa
      FortiGate-101F $ get system status
      Version: FortiGate-101F v7.0.2,build0206,210910 (interim)
To log in to the FortiGate with a certificate private key:
  1. On the PC, generate a certificate with keys encrypted by ECDSA.
  2. In FortiOS, import the PEM file for the remote certificate:
    # execute vpn certificate remote import tftp certificate.pem 172.16.200.55
  3. Display the imported remote certificate:
    config certificate remote
        edit "REMOTE_Cert_1"
        next
    end
  4. Apply the remote certificate to the administrative user:
    config system admin
        edit "admin1"
            set accprofile "prof_admin"
            set vdom "root"
            set ssh-certificate "REMOTE_Cert_1"
            set password ************
        next
    end
  5. On the PC, verify that the administrator can log in to the FortiGate with the SSH certificate:
    root@PC05:~# ssh -i certificate-private.pem admin1@172.16.200.1
    FortiGate-101F $ get system status
    Version: FortiGate-101F v7.0.2,build0206,210910 (interim)

ECDSA in SSH administrative access 7.0.2

ECDSA (Elliptic Curve Digital Signature Algorithm) is now supported in SSH administrative access. Administrative users can connect using an ECDSA key pair or an ECDSA-based certificate.

To log in to the FortiGate with an ECDSA public key:
  1. On the PC, use a key generator (such as PuTTY) to generate an SSH public/private key pair using ECDSA encryption.

  2. In FortiOS, configure the key for ssh-public-key1:
    config system admin
        edit "admin1"
            set accprofile "prof_admin"
            set vdom "root"
            set ssh-public-key1 "ecdsa-sha2-nistp256 ************/*******= root@PC05.qa.fortinet.com"
            set password ************
        next
    end
  3. On the PC, verify that the administrator can log in to the FortiGate with the private key:
    # ssh -o StrictHostKeyChecking=no admin1@172.16.200.1 -i ./.ssh/id_ecdsa
      FortiGate-101F $ get system status
      Version: FortiGate-101F v7.0.2,build0206,210910 (interim)
To log in to the FortiGate with a certificate private key:
  1. On the PC, generate a certificate with keys encrypted by ECDSA.
  2. In FortiOS, import the PEM file for the remote certificate:
    # execute vpn certificate remote import tftp certificate.pem 172.16.200.55
  3. Display the imported remote certificate:
    config certificate remote
        edit "REMOTE_Cert_1"
        next
    end
  4. Apply the remote certificate to the administrative user:
    config system admin
        edit "admin1"
            set accprofile "prof_admin"
            set vdom "root"
            set ssh-certificate "REMOTE_Cert_1"
            set password ************
        next
    end
  5. On the PC, verify that the administrator can log in to the FortiGate with the SSH certificate:
    root@PC05:~# ssh -i certificate-private.pem admin1@172.16.200.1
    FortiGate-101F $ get system status
    Version: FortiGate-101F v7.0.2,build0206,210910 (interim)