Author
FatalHalt
2015/03/02 09:19:56

System Backup SCP Cert

Hey guys. I'm trying to get my FAZ to back up its settings to an SCP server of mine. However, I want to make sure I'm on the right path. I've set up SCP on my FortiGates, so I assume it can't be too much different.
 
config system backup all settings
set cert : 
set crptpasswd :
 
So are these the private key and the password used to unlock the key? I've tried generating a key pair with PuTTYgen, but I'm not sure how to apply it to these settings.
 
Can anyone point me in the right direction?
#1
FatalHalt
Re: System Backup SCP Cert 2015/03/03 09:44:11
Anyone have any insight on this?
#2
FortiAdam
Re: System Backup SCP Cert 2015/03/03 09:56:24
Not a solution but I would like to share my experience . . .
 
When I proposed this question to Fortinet TAC, they tried to turn me away from using SCP and suggested I use SFTP as an alternative.  I'm going to give VSFTP a try on my linux machine and see if that meets my needs better than SCP as a method for secure file transfer.  I'm not sure if I will even bother with SCP if SFTP turns out to be an acceptable solution.
#3
scao_FTNT
Re: System Backup SCP Cert 2015/03/03 12:18:34
Please use the instructions below for the feature, thanks.
 
Simon
 
###############
 
To support ssh certificates, you need OpenSSH 5.4 or higher.

Suppose the SSH server is on a Linux machine. Do the following steps to provide FMG with "scp + certificate" backup & restore.

1) Set up the CA key.

Just like any normal ssh key, use the ssh-keygen command to generate the CA key.

$ ssh-keygen -f ca-key

The CA private/public key pair is saved in the current directory: "ca-key" is the private key, "ca-key.pub" is the public key.

2) Set up the ssh server to trust the CA key.

Do this at the individual account level, or at a server-wide level.

(individual account): let any key signed by the CA key log into one specific user account.

Add the CA public key (prefixed with the "cert-authority" directive) to the .ssh/authorized_keys file in the user account's home directory. Take 'qa' as an example; its home directory is /home/qa.

$ echo "cert-authority $(cat ca-key.pub)" >> /home/qa/.ssh/authorized_keys

(server wide): let user keys signed by the CA key log into any account on the server.

Add the line "TrustedUserCAKeys /etc/ssh/ca-key.pub" to the /etc/ssh/sshd_config file, then copy the ca-key.pub file to the /etc/ssh directory.

3) Create a user key or use any existing key.

$ ssh-keygen -f user-key

The user private/public key pair is saved in the current directory: "user-key" is the private key, "user-key.pub" is the public key.

4) Sign the user key with the CA key.

$ ssh-keygen -s ca-key -I <key_id> user-key.pub

<key_id> is a "key identity" that is logged by the server when the certificate is used for authentication, for example "qa's key".

A separate certificate file called user-key-cert.pub will be created.

5) Create an ssh certificate entry on FMG.

config system certificate ssh
   edit "<cert-name>"
       set comment "any string"
       set private-key "<copy from user-key>"
       set certificate "<copy from user-key-cert.pub>"
   next
end

After all of the above steps have finished, the user can do the following using the ssh certificate:

a) backup all-settings to the scp server.

# "exec backup all-settings scp <scp server ip>, <path/filename> <username> <ssh-cert>".

<username> is a user account on the scp server, which trusts the CA key.
<ssh-cert> is the ssh certificate created above.

b) restore all-settings from the scp server.

# "exec restore all-settings scp <scp server ip>, <path/filename> <username> <ssh-cert>".

c) configure scheduled all-settings backup

config system backup all-settings
   set status enable
   set user "<username>"
   set protocol scp
   set cert "<ssh-cert>"
...
end
#4
FatalHalt
Re: System Backup SCP Cert 2015/03/03 12:24:33
Thanks a ton Simon, exactly what I needed. Going to give this a shot later today!
#5
scao_FTNT
Re: System Backup SCP Cert 2015/03/04 14:21:54
Hi FatalHalt, sorry, I just got an update that this SCP feature may not work in 5.0.10 and 5.2.1, but it has been fixed for the next patch (5.0.11 and 5.2.2).
 
For 5.0.10/5.2.1, you may need to use the SFTP function.
 
Thanks
 
Simon
#6
AtiT
Re: System Backup SCP Cert 2018/12/05 06:18:40
Hello,
I am setting up the FAZ backup over SCP, but I have a problem setting the certificate on the FAZ.
Issuing the command: set certificate "<the user certificate here>" returns the message:
Invalid certificate.
Command fail. Return code -61
 
The documentation says that it should be a PEM certificate. When I create a PEM certificate it looks like:
-----BEGIN CERTIFICATE-----
.......
-----END CERTIFICATE-----
 
Is it a correct one?
The private key is imported successfully; only the public key has a problem.
Tested on FAZVM 5.6.5 and 6.0.2.

AtiT
--------------------
NSE 8, CCNP R+S
#7
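Steps 4 and 5 of Simon's procedure copy the contents of user-key-cert.pub into the FMG certificate entry, and AtiT's post above shows a -----BEGIN CERTIFICATE----- PEM block being rejected by that field. The file that ssh-keygen -s writes is an OpenSSH certificate (a single line: key type, base64 blob, comment), not an X.509 PEM block. The following is an added example, not code from this thread or from Fortinet: a stdlib-only Python inspector that tells the two formats apart and decodes the OpenSSH certificate fields a reviewer would check before pasting the certificate into the FMG entry and trusting it on the SCP server: the key identity from step 4, the principals (accounts) it is valid for, the validity window, the certificate type, and the extensions. The sample certificates are constructed in memory with placeholder nonce, key and signature bytes, so the script runs without ssh-keygen and performs no signature verification (ssh-keygen -L prints the same fields from a real file). The -n and -V options named in the audit messages are ssh-keygen's own switches for principals and validity period; Simon's step 4 uses neither, so a certificate signed exactly as shown there has no principal list and no expiry.

```python
import base64
import struct

# Certificate types from OpenSSH's PROTOCOL.certkeys
CERT_TYPES = {1: "user", 2: "host"}
FOREVER = 0xFFFFFFFFFFFFFFFF  # valid_before value meaning "never expires"
# Public-key fields that follow the nonce, per certificate key type
PK_FIELDS = {
    "ssh-ed25519-cert-v01@openssh.com": 1,          # pk
    "ssh-rsa-cert-v01@openssh.com": 2,              # e, n
    "ecdsa-sha2-nistp256-cert-v01@openssh.com": 2,  # curve, Q
}
# Extensions ssh-keygen puts on a user certificate when none are given
DEFAULT_EXTENSIONS = [b"permit-X11-forwarding", b"permit-agent-forwarding",
                      b"permit-port-forwarding", b"permit-pty", b"permit-user-rc"]


def _s(b):
    """Encode an SSH 'string': uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(b)) + b


def _read_s(blob, off):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n


def _read_list(packed, with_data):
    """Principals are packed strings; options/extensions are (name, data) pairs."""
    items, off = [], 0
    while off < len(packed):
        name, off = _read_s(packed, off)
        if with_data:
            _data, off = _read_s(packed, off)
        items.append(name.decode())
    return items


def classify_cert_text(text):
    """Tell a user-key-cert.pub line apart from a PEM block."""
    s = text.strip()
    if s.startswith("-----BEGIN CERTIFICATE-----"):
        return "x509-pem"
    if s.startswith("-----BEGIN "):
        return "pem-other"
    if s.split() and s.split()[0] in PK_FIELDS:
        return "openssh-cert"
    return "unknown"


def parse_openssh_cert(line):
    """Decode the fields of an OpenSSH certificate line (no signature check)."""
    prefix, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    keytype, off = _read_s(blob, 0)
    keytype = keytype.decode()
    if keytype != prefix or keytype not in PK_FIELDS:
        raise ValueError("not a supported OpenSSH certificate: %r" % prefix)
    _nonce, off = _read_s(blob, off)
    for _ in range(PK_FIELDS[keytype]):       # skip the certified public key
        _pk, off = _read_s(blob, off)
    serial, ctype = struct.unpack_from(">QI", blob, off)
    off += 12
    key_id, off = _read_s(blob, off)
    principals, off = _read_s(blob, off)
    valid_after, valid_before = struct.unpack_from(">QQ", blob, off)
    off += 16
    critical, off = _read_s(blob, off)
    extensions, off = _read_s(blob, off)
    _reserved, off = _read_s(blob, off)
    sigkey, off = _read_s(blob, off)          # the CA public key that signed it
    _sig, off = _read_s(blob, off)
    ca_type, _ = _read_s(sigkey, 0)
    return {"key_type": keytype, "serial": serial,
            "type": CERT_TYPES.get(ctype, "unknown"), "key_id": key_id.decode(),
            "principals": _read_list(principals, False),
            "valid_after": valid_after, "valid_before": valid_before,
            "critical_options": _read_list(critical, True),
            "extensions": _read_list(extensions, True),
            "ca_key_type": ca_type.decode()}


def audit(cert):
    """Points to check before trusting this certificate on the SCP server."""
    findings = []
    if cert["type"] != "user":
        findings.append("not a user certificate")
    if not cert["principals"]:
        findings.append("no principals: not limited to one account (sign with -n <user>)")
    if cert["valid_before"] == FOREVER:
        findings.append("never expires (sign with -V to set a validity window)")
    if "permit-port-forwarding" in cert["extensions"]:
        findings.append("permits port forwarding, which a backup account does not need")
    return findings


def build_sample_cert(key_id, principals, valid_before=FOREVER):
    """Constructed ed25519 user certificate; nonce, keys and signature are placeholder bytes."""
    pk, ca_pk, sig = b"\x11" * 32, b"\x22" * 32, b"\x33" * 64
    body = b"".join([
        _s(b"ssh-ed25519-cert-v01@openssh.com"), _s(b"\x00" * 32), _s(pk),
        struct.pack(">QI", 0, 1), _s(key_id.encode()),            # serial 0, type user
        _s(b"".join(_s(p.encode()) for p in principals)),
        struct.pack(">QQ", 0, valid_before), _s(b""),              # no critical options
        _s(b"".join(_s(e) + _s(b"") for e in DEFAULT_EXTENSIONS)), _s(b""),
        _s(_s(b"ssh-ed25519") + _s(ca_pk)), _s(_s(b"ssh-ed25519") + _s(sig)),
    ])
    return "ssh-ed25519-cert-v01@openssh.com %s qa@example" % base64.b64encode(body).decode()


if __name__ == "__main__":
    for line in (build_sample_cert("qa's key", []),
                 build_sample_cert("qa's key", ["qa"], 1893456000)):
        cert = parse_openssh_cert(line)
        print(cert["key_id"], cert["principals"], audit(cert))
    print(classify_cert_text("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----"))
```

To use it on a real certificate, pass the single line of user-key-cert.pub to parse_openssh_cert and read the audit list; a PEM block pasted by mistake is caught by classify_cert_text before any decoding. The RSA and ECDSA entries in PK_FIELDS only skip the certified key's fields, which is enough for reading the identity, principal and validity fields that matter here.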