Configure SSH Key-Based Administrator Authentication to the CLI
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure SSH Key-Based Administrator Authentication to the CLI
For administrators who use Secure Shell (SSH)
to access the CLI of a Palo Alto Networks firewall, SSH keys provide
a more secure authentication method than passwords. SSH keys almost
eliminate the risk of brute-force attacks, provide the option for
two-factor authentication (key and passphrase), and don’t send passwords
over the network. SSH keys also enable automated scripts to access the
CLI.
- Use an SSH key generation tool to create an asymmetric keypair on the client system of the administrator.The supported key formats are IETF SECSH and Open SSH. The supported algorithm is RSA (768-4,096 bits).For the commands to generate the keypair, refer to your SSH client documentation.The public key and private key are separate files. Save both to a location that the firewall can access. For added security, enter a passphrase to encrypt the private key. The firewall prompts the administrator for this passphrase during login.Configure the administrator account to use public key authentication.
- Configure a Firewall Administrator Account.
- Configure the authentication method to use as a fallback if SSH key authentication fails. If you configured an Authentication Profile for the administrator, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
- Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you just generated, and click OK.
Commit your changes.Configure the SSH client to use the private key to authenticate to the firewall.Perform this task on the client system of the administrator. For the steps, refer to your SSH client documentation.Verify that the administrator can access the firewall CLI using SSH key authentication.- Use a browser on the client system of the administrator to go to the firewall IP address.Log in to the firewall CLI as the administrator. After entering a username, you will see the following output (the key value is an example):
Authenticating with public key “rsa-key-20130415”
If prompted, enter the passphrase you defined when creating the keys.