topic Login to FTD via SSH with Public/Private Key in Network Security

Login to FTD via SSH with Public/Private Key

kostasthedelegate — Mon, 10 Feb 2020 12:47:45 GMT

Hello,

I have two FTD 2110 in high availability.

I have a script that needs to log in to the ssh of the FTD.

I would like to ask if there is a way the login process to use a pair of public/private key instead of username and password.

Thanks and regards,

Konstantinos

Re: Login to FTD via SSH with Public/Private Key

Muhammad Awais Khan — Mon, 10 Feb 2020 13:21:39 GMT

Hi,

There is no way login using private/public certificates instead of username/password.

But what is the issue using username/password in the script you are using ?

Re: Login to FTD via SSH with Public/Private Key

kostasthedelegate — Mon, 10 Feb 2020 13:27:28 GMT

They are plain text
I would like to hide them somehow

Re: Login to FTD via SSH with Public/Private Key

Muhammad Awais Khan — Tue, 11 Feb 2020 01:32:45 GMT

I don't think it can be done.

or make a script in a way that you will be entering password manually once.

Re: Login to FTD via SSH with Public/Private Key

kostasthedelegate — Tue, 11 Feb 2020 06:59:44 GMT

ok!
Thanks!!

Re: Login to FTD via SSH with Public/Private Key

leszek.sroka — Fri, 29 Oct 2021 15:54:48 GMT

Hello,

sure, it can be done.

on your FTD:

1. make a local user

configure user add user1 basic

configure user add user1 config

2. go into "expert" mode and issue "sudo su"

expert

sudo su

3. generate public and private key:

ssh-keygen -t rsa -b 2048

/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): [zostawić puste]
Enter same passphrase again: [zostawić puste]
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:v++aukga9RZhTONHweTN6oybKjeP876IOBZ59xNy5mM root@firepower
The key's randomart image is:
+---[RSA 2048]----+
| oo+. |
| + +.o |
| = o o |
| . o . |
| . . S . |
| o ..o.+* |
| o...*+.+ |
| o..=+=Eo o |
| ...oo=OX*++o |
+----[SHA256]-----+

4. make catalog .ssh in the user1's home catalog

mkdir -p /home/user1/.ssh

5. copy the generated public key to file authorized_keys in the /home/user1/.ssh directory:

cp /root/.ssh/id_rsa.pub /home/user1/.ssh/authorized_keys

Now you can use the id_rsa file (which contains private key) in your script for user "user1" - below an example:

ssh user1@192.168.0.1 -i /id_rsa

PS: change permission level for the file id_rsa using "chmod 400 id_rsa" command in case you get an error regarding the permission to id_rsa file like below:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0666 for '/bootflash/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/bootflash/id_rsa": bad permissions

Re: Login to FTD via SSH with Public/Private Key

atsukane — Mon, 20 Jun 2022 10:11:49 GMT

hi,

I've tried this, but even though Ieft the password blank I'm prompted with enter password and can't proceed.

Anny ideas?

Thanks,