Saturday, July 29, 2017

Public certificate for SSH on FortiOS

Here's how you enable PEM public-certificate authentication for SSH with a FortiGate.

You can use a publicly or privately signed certificate for SSH authentication by using its private key on the ssh-client.

Here are the steps, in order, to use the x509 certificate components for ssh-clients:

1st: Draft a certificate signing request and have the certificate signed. In my case the CN value was simply "kenfelix". This value DOES NOT NEED TO MATCH THE LOCAL ACCOUNT NAME USED ON THE FORTIGATE, but matching it helps from an audit and management standpoint.

2nd: Import that certificate into the FortiGate. I prefer to import it as a PKCS12 and let it be.

3rd: Now you can define the system admin name and select the certificate that you imported, as shown above or below.

NOTE: On the certificate side, I also like to upload the CA certificate if you are the signer of the actual system_admin certificate, but this is optional and not required.

4th: Now, for the actual ssh-client you only need the private-key component from the certificate. This should be in PEM format, btw.

e.g. (an encrypted RSA private key based on the above certificate named "kenfelix")

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2FD1E9D43D98C8AB
(encrypted key data omitted)
-----END RSA PRIVATE KEY-----

The easiest and laziest approach is to take a PFX file and output the cert and private key into a single file, or just extract the private key.

At this point, you could put a passphrase on the private key, which will challenge you every time you start the ssh-client session; that is what is shown above with the DES-encrypted key.

Here's a means of extracting the private key along with the certificate using openssl:

Okay, now you can test the access by using the key file named "mayflile.pem" with the " -i " switch of OpenSSH or your ssh-client, e.g.

NOTE: if your private key is encrypted, then you must supply the passphrase for the private key, e.g.
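The extraction, passphrase and ssh -i steps above, as an added shell example that is not from the original post: it builds a constructed self-signed PFX in place of the CA-signed "kenfelix" bundle, and the file names, passwords and the host name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce step 4 onward with openssl.
# A throw-away self-signed cert/key pair stands in for the CA-signed "kenfelix"
# certificate; file names, passwords and the host "fgt.example.invalid" are assumed.
set -eu

# Build a constructed PKCS#12 bundle (cert + key) to stand in for the exported PFX.
# Args: working directory, PFX export password. Prints the PFX path.
make_test_pfx() {
  dir=$1; pfxpass=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=kenfelix" \
    -keyout "$dir/sshcert.key" -out "$dir/sshcert.crt" 2>/dev/null
  openssl pkcs12 -export -in "$dir/sshcert.crt" -inkey "$dir/sshcert.key" \
    -out "$dir/sshcert.pfx" -passout "pass:$pfxpass"
  echo "$dir/sshcert.pfx"
}

# Extract only the private key from a PFX (the certificate stays on the FortiGate).
# Args: pfx, pfx password, output PEM, optional key passphrase. With a passphrase the
# key is re-encrypted (AES-256 here instead of the post's 3DES) so ssh -i prompts for it.
extract_ssh_key() {
  pfx=$1; pfxpass=$2; out=$3; keypass=${4:-}
  tmp="$out.tmp"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nocerts -nodes -out "$tmp"
  if [ -z "$keypass" ]; then
    openssl rsa -in "$tmp" -out "$out" 2>/dev/null          # drops the Bag Attributes preamble
  else
    openssl rsa -in "$tmp" -out "$out" -aes256 -passout "pass:$keypass" 2>/dev/null
  fi
  rm -f "$tmp"
  chmod 600 "$out"       # OpenSSH rejects private keys readable by group/others
}

# 0 if the PEM is passphrase-protected (Proc-Type/ENCRYPTED header), 1 otherwise.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# 0 if openssl can load the key with the given passphrase (empty for a plain key).
key_loads() { openssl pkey -in "$1" -passin "pass:${2:-}" -noout 2>/dev/null; }

# Demo: run as "sh thisfile.sh demo" to produce mykey.pem and print the ssh test command.
if [ "${1:-}" = demo ]; then
  work=$(mktemp -d)
  pfx=$(make_test_pfx "$work" "pfx-secret")
  extract_ssh_key "$pfx" "pfx-secret" "$work/mykey.pem" "key-secret"
  key_is_encrypted "$work/mykey.pem" && echo "mykey.pem is passphrase-protected"
  echo "test with: ssh -i $work/mykey.pem admin@fgt.example.invalid"
fi
```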

KenFelix

NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 

        /  \