ECDSA in SSH administrative access
ECDSA (Elliptic Curve Digital Signature Algorithm) is supported in SSH administrative access. Administrative users can connect using an ECDSA key pair or an ECDSA-based certificate.
To log in to the FortiGate with an ECDSA public key:
- On the PC, use a key generator (such as PuTTYgen or ssh-keygen) to generate an SSH public/private key pair using the ECDSA algorithm. ECDSA is a signature algorithm, not an encryption algorithm: the key pair is used to sign the SSH authentication challenge, not to encrypt the session.
- In FortiOS, configure the key for ssh-public-key1:
config system admin
    edit "admin1"
        set accprofile "prof_admin"
        set vdom "root"
        set ssh-public-key1 "ecdsa-sha2-nistp256 ************/*******= root@PC05.qa.fortinet.com"
        set password ************
    next
end
- On the PC, verify that the administrator can log in to the FortiGate with the private key:
# ssh -o StrictHostKeyChecking=no admin1@172.16.200.1 -i ./.ssh/id_ecdsa
FortiGate-101F $ get system status
Version: FortiGate-101F v7.0.2,build0234,211019 (GA)
The -o StrictHostKeyChecking=no option skips verification of the FortiGate's SSH host key and is only appropriate in a lab. In production, leave host key checking enabled so the client can detect a FortiGate being impersonated.
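The following script is an added example and is not part of the FortiOS documentation or of FortiOS itself. It checks the `ecdsa-sha2-nistp256 <base64> [comment]` line before it is pasted into `set ssh-public-key1`: the key type, the type and curve inside the blob and the coordinate lengths must all agree, the point must be an uncompressed SEC1 point that actually lies on P-256, and nothing may trail the point. It also computes the `SHA256:` fingerprint in the same form that `ssh-keygen -lf` prints, so the key configured on the FortiGate can be compared with the one on the PC. The sample key is constructed from the P-256 generator point (the public key for private scalar 1), which is a valid but deliberately unusable key; the hostname in the comment is the one used on this page.

```python
"""Added example: sanity-check an OpenSSH ECDSA public-key line before
pasting it into `set ssh-public-key1`, and compute its SHA256 fingerprint.
Standard library only; the sample key below is constructed, not a real key."""
import base64
import hashlib

# OpenSSH key type per NIST curve and the byte length of one coordinate.
CURVES = {
    "nistp256": ("ecdsa-sha2-nistp256", 32),
    "nistp384": ("ecdsa-sha2-nistp384", 48),
    "nistp521": ("ecdsa-sha2-nistp521", 66),
}

# P-256 domain parameters (FIPS 186-4 / SEC 2) used for the on-curve check.
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
P256_GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
P256_GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def _read_ssh_string(buf: bytes, off: int):
    """Decode one SSH wire-format string at offset `off`; return (bytes, new_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[off:off + 4], "big")
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def build_ecdsa_pubkey_line(curve: str, x: int, y: int, comment: str = "") -> str:
    """Build an authorized_keys-style line from a curve name and affine coordinates."""
    key_type, clen = CURVES[curve]
    point = b"\x04" + x.to_bytes(clen, "big") + y.to_bytes(clen, "big")  # uncompressed SEC1
    blob = _ssh_string(key_type.encode()) + _ssh_string(curve.encode()) + _ssh_string(point)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_ecdsa_pubkey(line: str) -> dict:
    """Parse and validate 'ecdsa-sha2-nistpNNN <base64> [comment]'.

    Raises ValueError on any inconsistency that indicates a corrupted or
    hand-edited key. Returns the decoded fields plus the fingerprint in the
    format printed by `ssh-keygen -lf`.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)

    wire_type, off = _read_ssh_string(blob, 0)
    curve, off = _read_ssh_string(blob, off)
    point, off = _read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the public point")
    wire_type, curve = wire_type.decode(), curve.decode()

    # The leading word, the type inside the blob and the curve must all agree.
    if wire_type != key_type:
        raise ValueError(f"key type {key_type!r} does not match blob type {wire_type!r}")
    if curve not in CURVES or CURVES[curve][0] != key_type:
        raise ValueError(f"curve {curve!r} is not valid for {key_type!r}")

    clen = CURVES[curve][1]
    if len(point) != 1 + 2 * clen or point[0] != 0x04:
        raise ValueError("public point must be uncompressed SEC1: 0x04 || X || Y")
    x = int.from_bytes(point[1:1 + clen], "big")
    y = int.from_bytes(point[1 + clen:], "big")
    # On-curve check (implemented for P-256 only): y^2 == x^3 - 3x + b (mod p).
    if curve == "nistp256" and (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P != 0:
        raise ValueError("point is not on P-256")

    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return {"type": key_type, "curve": curve, "x": x, "y": y,
            "comment": comment, "fingerprint": fingerprint}


def same_key(line_a: str, line_b: str) -> bool:
    """True when two public-key lines carry the same key (comments are ignored)."""
    return parse_ecdsa_pubkey(line_a)["fingerprint"] == parse_ecdsa_pubkey(line_b)["fingerprint"]


# Constructed sample: the P-256 generator point, i.e. the public key for
# private scalar 1. Valid on the curve, useless as a real key.
SAMPLE_LINE = build_ecdsa_pubkey_line("nistp256", P256_GX, P256_GY,
                                      "root@PC05.qa.fortinet.com")

if __name__ == "__main__":
    info = parse_ecdsa_pubkey(SAMPLE_LINE)
    print(SAMPLE_LINE)
    print(info["fingerprint"], info["curve"], info["comment"])
```

Run `ssh-keygen -lf ~/.ssh/id_ecdsa.pub` on the PC and compare its `SHA256:` value with the fingerprint this script reports for the line taken from `show system admin`; a mismatch means the wrong key, or a damaged paste, was configured. The on-curve check is implemented for P-256 only, which is the curve the page uses; nistp384 and nistp521 lines are still checked for structure and length.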
To log in to the FortiGate with the private key of an ECDSA certificate:
- On the PC, generate a certificate whose key pair is ECDSA. The private key is what the SSH client presents; the certificate is what the FortiGate holds.
- In FortiOS, import the PEM file for the remote certificate:
# execute vpn certificate remote import tftp certificate.pem 172.16.200.55
- Display the imported remote certificate:
config certificate remote
    edit "REMOTE_Cert_1"
    next
end
- Apply the remote certificate to the administrative user:
config system admin
    edit "admin1"
        set accprofile "prof_admin"
        set vdom "root"
        set ssh-certificate "REMOTE_Cert_1"
        set password ************
    next
end
- On the PC, verify that the administrator can log in to the FortiGate with the SSH certificate:
root@PC05:~# ssh -i certificate-private.pem admin1@172.16.200.1
FortiGate-101F $ get system status
Version: FortiGate-101F v7.0.2,build0234,211019 (GA)