Restrict SSH and telnet jump host capabilities 7.2.1

Jump hosts are used to access devices in separate security zones, such as the internet and an internal network. Administrator access profiles can be configured to prevent administrators from using the FortiGate as a jump host for SSH and telnet connections.

To configure permission to execute SSH or telnet commands in an access profile:

    config system accprofile
        edit <name>
            set system-execute-ssh {enable | disable}
            set system-execute-telnet {enable | disable}
        next
    end
To block SSH and telnet connections for an administrator:
  1. Disable permission to execute SSH or telnet commands in an administrator access profile:

    config system accprofile
        edit "test_accprofile"
            set system-execute-ssh disable
            set system-execute-telnet disable
        next
    end
  2. Configure an administrator in the profile:

    config system admin
        edit "admin1"
            set accprofile "test_accprofile"
            set vdom "root"
            set password **********
        next
    end
  3. Log in as the new administrator, and attempt to connect to another host using SSH or telnet:

    # execute ssh root@172.16.200.55
    You are not entitled to run the command.
    Command fail. Return code -37
    # execute ssh6 root@2000:172:16:200::55
    You are not entitled to run the command.
    Command fail. Return code -37
    # execute telnet 172.16.200.55
    You are not entitled to run the command.
    Command fail. Return code -37
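Checking the result one login at a time does not scale to many profiles, so the following added audit script (not Fortinet's code) reads a FortiOS configuration export and reports every administrator whose access profile still permits `execute ssh` or `execute telnet`. It assumes the standard `config` / `edit` / `set` / `next` / `end` layout of a backup file and that an option a profile does not set keeps the default, taken here to be enable; the sample export is constructed.

```python
import re
# Constructed sample export: "super_admin" is left at defaults, "test_accprofile" is hardened as above.
SAMPLE_CONFIG = """\
config system accprofile
    edit "super_admin"
    next
    edit "test_accprofile"
        set system-execute-ssh disable
        set system-execute-telnet disable
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
    edit "admin1"
        set accprofile "test_accprofile"
    next
end
"""
def parse_sections(text):
    """Return {section: {entry: {option: value}}} for the accprofile and admin sections."""
    sections, depth, cur, ent = {}, 0, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            depth += 1  # nested `config` blocks inside an entry raise the depth
            if depth == 1 and line[7:] in ("system accprofile", "system admin"):
                cur = sections.setdefault(line[7:], {})
        elif line == "end":
            depth -= 1
            if depth == 0:
                cur = ent = None
        elif cur is None or depth != 1:
            continue  # unrelated section, or a sub-block inside an entry
        elif (m := re.match(r'^edit "(.+)"$', line)):
            ent = cur.setdefault(m.group(1), {})
        elif (m := re.match(r'^set (\S+) (.+)$', line)) and ent is not None:
            ent[m.group(1)] = m.group(2).strip('"')
    return sections
def jump_host_capable_admins(text):
    """Admins whose profile still allows `execute ssh` / `execute telnet`, mapped to the
    permitted commands. An option the profile does not set is assumed to default to enable."""
    sections = parse_sections(text)
    profiles = sections.get("system accprofile", {})
    checks = (("ssh", "system-execute-ssh"), ("telnet", "system-execute-telnet"))
    def allowed(opts):
        prof = profiles.get(opts.get("accprofile"), {})
        return [c for c, o in checks if prof.get(o, "enable") == "enable"]
    admins = sections.get("system admin", {}).items()
    return {name: cmds for name, opts in admins if (cmds := allowed(opts))}
```

Run it against `show full-configuration` output or a backup file; any administrator it lists can still use the FortiGate as a jump host and should be moved to a profile with both options disabled.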