Re: System Backup SCP Cert
by FortiAdam 2015/03/04 14:16:24
Please use the instructions below for this feature, thanks.
To support SSH certificates, you need OpenSSH 5.4 or higher.
Assuming the SSH server is on a Linux machine, do the following steps to provide FMG with "scp + certificate" backup and restore.
1) set up CA key
Just like any normal SSH key, use the ssh-keygen command to generate the CA key.
$ ssh-keygen -f ca-key
The CA private/public key pair is saved in the current directory: "ca-key" is the private key, "ca-key.pub" is the public key.
2) set up the SSH server to trust the CA key.
This can be done at the individual account level or at the server-wide level.
(individual account): let any key signed by the CA key log into one specific user account.
Add the CA public key (prefixed with the "cert-authority" directive) to the .ssh/authorized_keys file in the user account's home directory. Taking 'qa' as an example, it is /home/qa.
$ echo "cert-authority $(cat ca-key.pub)" >> /home/qa/.ssh/authorized_keys
(server-wide): let user keys signed by the CA key log into any account on the server.
Add the line "TrustedUserCAKeys /etc/ssh/ca-key.pub" to the /etc/ssh/sshd_config file, then copy the ca-key.pub file to the /etc/ssh directory.
3) create a user key or use any existing key.
$ ssh-keygen -f user-key
The user private/public key pair is saved in the current directory: "user-key" is the private key, "user-key.pub" is the public key.
4) sign the user key with the CA key.
$ ssh-keygen -s ca-key -I <key_id> user-key.pub
<key_id> is a "key identity" that is logged by the server when the certificate is used for authentication, for example, "qa's key".
A separate certificate file called user-key-cert.pub will be created.
5) create an SSH certificate entry on FMG
config system certificate ssh
set comment "any string"
set private-key "<copy from user-key>"
set certificate "<copy from user-key-cert.pub>"
After all of the above steps have finished, the user can do the following using the SSH certificate:
a) backup all-settings to the scp server.
# "exec backup all-settings scp <scp server ip>, <path/filename> <username> <ssh-cert>".
<username> is a user account on scp server, which trusts the CA key.
<ssh-cert> is the ssh certificate created above.
b) restore all-settings from scp server.
# "exec restore all-settings scp <scp server ip>, <path/filename> <username> <ssh-cert>".
c) configure scheduled all-settings backup
config system backup all-settings
set status enable
set user "<username>"
set protocol scp
set cert "<ssh-cert>"
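The whole key-preparation side of the procedure (steps 1 to 4) in one script, added here as an example and not taken from the post or from Fortinet: it generates the CA and user key pairs in a scratch directory, signs the user key, builds the cert-authority line for /home/qa/.ssh/authorized_keys, and inspects the resulting certificate with ssh-keygen -L before anything is pasted into "config system certificate ssh". It assumes ssh-keygen is on PATH and uses the "qa" account from the post; the -n (principal) and -V (validity window) restrictions on the signing command are hardening additions beyond the post's minimal command.

```shell
#!/bin/sh
# Added example, not the post's own commands. Everything is written to a fresh
# temporary directory so the real ~/.ssh and /etc/ssh are never touched.
set -eu

# Generates CA + user key pairs, signs the user key, and prints the
# authorized_keys line plus the decoded certificate fields for review.
build_and_verify_cert() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "SKIP: ssh-keygen not installed"
        return 0
    fi
    work=$(mktemp -d)

    # Step 1: CA key pair (ca-key is the private key; keep it offline).
    # Empty passphrase only because this is a throwaway demo CA.
    ssh-keygen -q -t rsa -b 3072 -N '' -f "$work/ca-key"

    # Step 3: user key pair. The private half is what goes into the FMG
    # "set private-key" field, so it must not be passphrase-protected.
    ssh-keygen -q -t rsa -b 3072 -N '' -f "$work/user-key"

    # Step 4: sign the user public key with the CA.
    #   -I  key identity the SSH server logs on each login
    #   -n  restrict the certificate to the "qa" principal (hardening addition)
    #   -V  valid from now for 52 weeks (hardening addition)
    ssh-keygen -q -s "$work/ca-key" -I "fmg-backup key" -n qa -V +52w \
        "$work/user-key.pub"

    # Step 2 (per-account variant): the line to append to
    # /home/qa/.ssh/authorized_keys on the SCP server.
    printf 'cert-authority %s\n' "$(cat "$work/ca-key.pub")"

    # Decode the certificate so Key ID, principals and validity can be checked
    # before the contents of user-key-cert.pub are pasted into FMG.
    ssh-keygen -L -f "$work/user-key-cert.pub"

    rm -rf "$work"
}

build_and_verify_cert
```

The "Principals:" and "Valid:" lines in the output show the restrictions the server will enforce; a certificate signed without -n is accepted for any account that trusts the CA.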