SSH Pubkey Login

(2018-12-19)

Problem

Want SSH Pubkey authentication for my AD-backed administrative user. Specifically because having to have my AD password in plaintext in my home directory in order for rancid to work is stupid, security-wise.

Solution

conf global
conf sys admin
edit "dave"
set remote-auth enable
set trusthost1 10.30.1.0 255.255.255.0
set accprofile "super_admin"
set vdom "root" "Primary" "Edge"
set ssh-public-key1 "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAgEAr8/DqD4U932SnoA1Kdqyphz2g2w8xQBdbyqcT69HWLJjMhlRgtV9ihjx+Y4Di4FwOaKRiAamrad5I5VodpkYyDWi5hAd9zepv/g8mtNfVnnyws0qg58tABp2Q1xFvbRvm8dh4NNqX3sVUXXBphmGl9BZeHtCEcLh0aLgSU5nbtDDVVtrvqWu6QvdGTvZrkyi9junmOPExL6aboFBzzVxxixkpJ7GxZnOS91KIi97AaE0j595HucxBLY43JBndOxRcV35TRQt0mbNDu4RNh4YO4Z5DWnrnH0o0AdtICXoZDOFLwtK0ewyNeTD4utaggHZTCf5JY84A/37GitdR8iayofSggpmt8QhPR11wSlO5SZ7XIavl4KQMWPaj+pi+gg7CYWl8UqG0TYnSHwC40VTTONzqOK4qQKVwbqXACloUKGQBNnD+v824o41TkJ8s49RO0RzBAK2W5pH8MvzC32r3HW1mHV7fZimTOno4536Nffkzx5cX89iBLBPLcb3m3okgGpktRfLwPNMSmEMeqYpwz3RvpvPzBt+L53pUwQuCBL7tBYsMMgD4ej5RJvtoEsQeP2LMn50Mk3BrdgjSbYxv3haZsUKAz9OfvgoRYW98L8ScJU3ONvCPC/L3stKfZoEftl7TUUooqqa1mCI08pM9Biyby0vkGJNhmun3RZi4ak= dave@store02"
set remote-group "AD-Administrators"
next
end
end

Now I can log in passwordless via ssh, and I still get challenged for my AD password when I use the web interface.

arp

Backup ISP with some traffic selection

crashlog

DHCP and PPPoE

DHCP Client Leases

DHCP Reservation

HA Cluster Member Firmware Revisions

Interface Duplex

Interface Mode

Interface Status

Memory Logging

Packet Capture

Radius Server Definition

Reset Admin Password

Reset to Factory Defaults

Routing Table

Simple Commands

Syslog

Test Authentication Servers

Configuration Preparation

DHCP Reservation

Dual-WAN Gateways

EXT3 fs error (device)

HA Cluster Status

HA Cluster Synchronization

Management Access

VoIP Clients with Fortigates

VPN Fragmentation

VPN Tunnel Details

CLI Disk Scan FSCK

CLI Upgrade Firmware

Connecting Multiple vDOMs to the same VLAN

CPU is pinned

Debug Flow

Debug Session

Debug Sniffer

Factory Reset

Fixing HA Sync Problems

Forticlient Registering To Fortigate

List DHCP Client Leases

List SSLVPN Users

RTC Power Status Failed

SSLVPN Logs Out After 8 Hours

System Time

VPN Flapping Leads To Bogus Routing

Wifi Clients Connect But Can't Get DHCP Lease

BGP Neighbors

BGP Sessions

DH Selection for VPNs

FortiCloud Debug Commands

FortiOS LLDP

IPsec Not Passing Packets

List DHCP Clients CLI

Microsoft Office Whitelisting

Routing Table

SSH Pubkey Login

SSL Security Settings

SSLVPN DNS Suffix

System Version from CLI

Traffic Shaping Policy

CLI Restore Configuration

Displaying Logs From Console

iPerf3 on Fortigates

IPSA self test failed, disable IPSA!

LDAP lookup account considerations

List Connected Users

Read-Only Admin Profile

SD-WAN Diagnostics

VPN Debug

VPN Tunnel Interface Address

Wifi 802.1x with LDAP Groups

FortiClient Error Codes

Device Table Size Maximum

Device-Local Certificate Expired

CLI Policy Lookup

IPsec MTU Adjustments

IPsec MTU Varies By Encryption Algorythm

Link Monitor

Looking at logs via CLI

Check Geo-IP Region For A Specific IP