Login to FTD via SSH with Public/Private Key

Hello, 


I have two FTD 2110 in high availability.

I have a script that needs to log in to the FTD via SSH.

I would like to ask if there is a way for the login process to use a public/private key pair instead of a username and password.

Thanks and regards, 

Konstantinos

6 Replies

Muhammad Awais Khan
Cisco Employee

Hi,

There is no way to log in using private/public certificates instead of username/password.

But what is the issue with using username/password in the script you are using?

They are in plain text.
I would like to hide them somehow.

I don't think it can be done.

Or make the script in such a way that you enter the password manually once.

ok!
Thanks!!

leszek.sroka
Level 1

Hello,

Sure, it can be done.

 

On your FTD:

1. Make a local user:

configure user add user1 basic

or

configure user add user1 config


2. Go into "expert" mode and issue "sudo su":

expert

sudo su


3. Generate the public and private key:

ssh-keygen -t rsa -b 2048

/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): [leave empty]
Enter same passphrase again: [leave empty]
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:v++aukga9RZhTONHweTN6oybKjeP876IOBZ59xNy5mM root@firepower
The key's randomart image is:
+---[RSA 2048]----+
| oo+. |
| + +.o |
| = o o |
| . o . |
| . . S . |
| o ..o.+* |
| o...*+.+ |
| o..=+=Eo o |
| ...oo=OX*++o |
+----[SHA256]-----+


4. Make a .ssh directory in user1's home directory:

mkdir -p /home/user1/.ssh


5. Copy the generated public key to the file authorized_keys in the /home/user1/.ssh directory:

cp /root/.ssh/id_rsa.pub /home/user1/.ssh/authorized_keys


Now you can use the id_rsa file (which contains the private key) in your script for user "user1". Below is an example:

ssh user1@192.168.0.1 -i /id_rsa


PS: Change the permissions of the id_rsa file with the "chmod 400 id_rsa" command in case you get an error about the id_rsa file permissions like the one below:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0666 for '/bootflash/id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "/bootflash/id_rsa": bad permissions
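
The procedure above (steps 1 to 5 plus the chmod note), as an added shell example that is not code from the thread, from Cisco or from the FTD itself. It differs from the answer in one respect: the key pair is generated with ssh-keygen on the host that runs the script, so the private key never has to be copied off the FTD, and only the public key is installed into /home/user1/.ssh/authorized_keys with the directory and file modes sshd's StrictModes check requires. The ssh call uses BatchMode=yes so that a key the FTD does not accept produces an error instead of dropping the script into a password prompt. FTD_HOST (the 192.168.0.1 from the answer), FTD_USER (user1), the key path and the script name ftd_key.sh are assumptions and can be overridden through the environment.

```sh
#!/bin/sh
# Added example, not code from the thread. Client-side counterpart to the
# procedure above: generate the pair on the client, install only the public
# half on the FTD, run ssh non-interactively.
# Assumed values: FTD_HOST, FTD_USER, KEY (all overridable via environment).
set -eu

FTD_HOST="${FTD_HOST:-192.168.0.1}"       # address used in the answer above
FTD_USER="${FTD_USER:-user1}"             # local user from "configure user add"
KEY="${KEY:-$HOME/.ssh/ftd_${FTD_USER}}"  # assumed private key path on the client

# Return 0 when FILE exists and has no permission bits for group or other,
# which is what ssh requires before it will load a private key (see the
# "UNPROTECTED PRIVATE KEY FILE" warning above). Uses ls so it works on
# any POSIX system; columns 5-10 of "ls -l" are the group and other bits.
key_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    rest=$(ls -ld "$f" | cut -c5-10)
    [ "$rest" = "------" ]
}

# Install one public-key line for a user: ~/.ssh mode 700, authorized_keys
# mode 600, no duplicate lines. On the FTD this is run from expert mode as
# root, e.g.: install_pubkey /home/user1 "$(cat ftd_user1.pub)" user1
install_pubkey() {
    home_dir="$1"; pubkey="$2"; owner="${3:-}"
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home_dir/.ssh/authorized_keys" ||
        printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys"
    # sshd (StrictModes) ignores authorized_keys not owned by the user or root
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$home_dir/.ssh"
    fi
}

# Run one command on the FTD. BatchMode=yes makes ssh fail instead of
# falling back to an interactive password prompt, so a scheduled script
# cannot hang on "password:" when the key is not accepted.
ftd_run() {
    key_perms_ok "$KEY" || {
        echo "refusing to use $KEY: permissions too open, run chmod 400" >&2
        return 1
    }
    ssh -i "$KEY" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o PasswordAuthentication=no "$FTD_USER@$FTD_HOST" "$@"
}

case "${1:-}" in
    keygen)   # on the client: create the pair once, print the public half
        [ -f "$KEY" ] || ssh-keygen -t rsa -b 2048 -N '' -f "$KEY" -C "ftd-script"
        chmod 400 "$KEY"
        cat "$KEY.pub" ;;
    install)  # on the FTD as root: install "$2" (a public-key line) for FTD_USER
        install_pubkey "/home/$FTD_USER" "${2:?public key line required}" "$FTD_USER" ;;
    run)      # on the client: run a CLI command, e.g. run "show version"
        shift; ftd_run "$@" ;;
esac
```

Usage: on the client, `sh ftd_key.sh keygen` once, then paste the printed line into `sh ftd_key.sh install '<line>'` from expert mode (after `sudo su`) on the FTD; afterwards `sh ftd_key.sh run 'show version'` logs in without a password. The mode and ownership checks are there because sshd silently skips an authorized_keys file it considers unsafe and the client then falls back to password authentication, which is exactly the "enter password" prompt a script cannot answer; with BatchMode=yes that fallback becomes a visible error instead.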


Hi,

I've tried this, but even though I left the password blank I'm prompted with "enter password" and can't proceed.

Any ideas?

Thanks,
