Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AtiT
Valued Contributor

Fortigate SSH Server Generate New RSA Key Pair

Hello,

Does anybody know how to generate a FortiGate SSH Server new RSA Key Pair - if it is possible at all.

Where is the default RSA key pair located on a FortiGate?

 

$ ssh -l admin x.x.x.x The authenticity of host 'x.x.x.x (x.x.x.x)' can't be established. RSA key fingerprint is 69:b7:62:fe:57:0b:bb:db:c3:87:bf:12:95:d0:c5:5d.

Are you sure you want to continue connecting (yes/no)? 

 

Thanks.

AtiT

AtiT
28 REPLIES 28
virtualj
New Contributor

Hello, have you found an answer?

I'm looking how to align ssh key between firewalls in the same cluster.

 

thank you, regards.

NSE 7

NSE 7
emnoc
Esteemed Contributor III

You can upgrade the unit that will create a new key, if you swap act/std ( assuming  ACT/STD ) that would present the new  cert. So why do you need to  create a new  ssh-key ?

 

As far as the key it's stored locally  in the  file path   and not  directly accessible ( look at the  RSA key )

 

http://socpuppet.blogspot.com/2014/08/your-fortigate-is-not-as-secured-as-you.html

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
virtualj
New Contributor

The article you posted is regarding the https private key.

I'm looking to ssh fingerprint and for sync it in the cluster. This because I have scripts that logging to the firewall to get ore set the config, but if the firewalls swap from active/backup the ssh key will change and the script doesn't work

NSE 7

NSE 7
emnoc
Esteemed Contributor III

The article you posted is regarding the https private key.

 

Correct, read the article and look at the screenshot the RSA pub/priv key is in the same path.  Again for the OP, whey does he need to  rebuild a key-pair ? 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
virtualj
New Contributor

Looked at ssh_host_rsa_key, but this file is removed in newer OS (from 5.0 I think).

Anyway, I don't want to generate a new ssh key, I only want that this key is aligned (the same) in all firewalls in the HA cluster.

NSE 7

NSE 7
emnoc
Esteemed Contributor III

I only want that this key is aligned (the same) in all firewalls in the HA cluster.

 

That's impossible and no reason should ever exist or warrant that  need imho

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
virtualj
New Contributor

As reported before:

virtualj wrote:

This because I have scripts that logging into the firewall to get ore set the config, but if the firewalls swap from active/backup the ssh key will change and the script doesn't work

 Added the message error when the unit swap

NSE 7

NSE 7
user185953

I second your need for automated ssh to an A/P cluster regardless of which node is currently active.

Unfortunately ssh-ed25519 keys are ephemeral. Ssh-rsa keys should be persistent and consistent across the cluster, but the ssh deamon reads them only when restarted. In another words, the new host key is only visible after the fortigate/sshd is restarted.

virtualj

Hi user185953!

I'm not sure understand your answer.

Do you mean that after HA cluster is done and after a reboot of boot units the SSH-rsa key are the same and I will not obtain the security alert?

NSE 7

NSE 7
Labels
Top Kudoed Authors