Focus

Next-Generation Firewall

Configure SSH Key-Based Administrator Authentication to the CLI

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1 (EoL)
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure API Key Lifetime

Configure SSH Key-Based Administrator Authentication to the CLI

Configure SSH key-based authentication for administrator access to the PAN-OS CLI instead of using password authentication.

Where Can I Use This?	What Do I Need?
NGFW (Managed by PAN-OS or Panorama)	No prerequisites needed

For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-force attacks, provide the option for two-factor authentication (key and passphrase), and don’t send passwords over the network. SSH keys also enable automated scripts to access the CLI.

Use an SSH key generation tool to create an asymmetric keypair on the client system of the administrator.
The supported key formats are IETF SECSH and Open SSH. The supported algorithms are Ed25519 (256 bits) and RSA (768-4,096 bits).
For the commands to generate the keypair, refer to your SSH client documentation.
The public key and private key are separate files. Save both to a location that the firewall can access. For added security, enter a passphrase to encrypt the private key. The firewall prompts the administrator for this passphrase during login.
Configure the administrator account to use public key authentication.
1. Configure a Firewall Administrator Account.
  Configure the authentication method to use as a fallback if SSH key authentication fails. If you configured an Authentication Profile for the administrator, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
  Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you just generated, and click OK.
2. Commit your changes.
Configure the SSH client to use the private key to authenticate to the firewall.
Perform this task on the client system of the administrator. For the steps, refer to your SSH client documentation.
Verify that the administrator can access the firewall CLI using SSH key authentication.
1. Use a browser on the client system of the administrator to go to the firewall IP address.
2. Log in to the firewall CLI as the administrator. After entering a username, you will see the following output (the key value is an example):
  Authenticating with public key “rsa-key-20130415”
3. If prompted, enter the passphrase you defined when creating the keys.

Configure Certificate-Based Administrator Authentication to the Web Interface

Configure API Key Lifetime

Next-Generation Firewall Docs

Configure SSH Key-Based Administrator Authentication to the CLI

Next-Generation Firewall Docs

Configure SSH Key-Based Administrator Authentication to the CLI

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner