SSH Key-Based Administrator Authentication to the CLI
For administrators who use Secure Shell (SSH)
to access the CLI of a Palo Alto Networks firewall, SSH keys provide
a more secure authentication method than passwords. SSH keys almost
eliminate the risk of brute-force attacks, provide the option for
two-factor authentication (key and passphrase), and don’t send passwords
over the network. SSH keys also enable automated scripts to access
Use an SSH key generation tool to create an asymmetric
keypair on the client system of the administrator.
The supported key formats are IETF SECSH and OpenSSH. The
supported algorithms are DSA (1,024 bits) and RSA (768-4,096 bits).
For the commands to generate the keypair, refer to your SSH client documentation.
The public key and private key are separate files. Save both to a location
that the firewall can access. For added security, enter a passphrase
to encrypt the private key. The firewall prompts the administrator
for this passphrase during login.
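A check to run on the public key file before importing it, as an added example (not Palo Alto Networks code): it parses either supported format, OpenSSH one-line or IETF SECSH (RFC 4716), and tests the algorithm and key length against the limits listed above. The function names and the constructed sample blobs are assumptions made for illustration.

```python
import base64

# Limits stated on this page, as (index of size field in blob, allowed bit lengths).
SUPPORTED = {"ssh-rsa": (2, range(768, 4097)),   # blob: name, e, n
             "ssh-dss": (1, range(1024, 1025))}  # blob: name, p, q, g, y

def fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if len(blob) - pos < 4 + n:
            raise ValueError("truncated field")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def blob_from_text(text):
    """Decode the key blob from OpenSSH one-line or IETF SECSH (RFC 4716) text."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return base64.b64decode(lines[0].split()[1], validate=True)
    body, cont = [], False
    for ln in lines[1:-1]:  # skip the BEGIN and END marker lines
        is_header = cont or ":" in ln  # a header may continue after a trailing backslash
        cont = is_header and ln.endswith("\\")
        if not is_header:
            body.append(ln.strip())
    return base64.b64decode("".join(body), validate=True)

def check_public_key(text):
    """Return (algorithm, bits, supported) for the contents of a public key file."""
    f = fields(blob_from_text(text))
    alg = f[0].decode("ascii", "replace") if f else ""
    if alg not in SUPPORTED or len(f) <= SUPPORTED[alg][0]:
        return alg, 0, False
    idx, allowed = SUPPORTED[alg]
    bits = int.from_bytes(f[idx], "big").bit_length()
    return alg, bits, bits in allowed

def sample_blob(alg, *ints):
    """Build a CONSTRUCTED base64 blob with the right layout (not a usable key)."""
    parts = [alg.encode()] + [i.to_bytes(i.bit_length() // 8 + 1, "big") for i in ints]
    return base64.b64encode(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).decode()

if __name__ == "__main__":
    rsa = sample_blob("ssh-rsa", 65537, (1 << 2047) | 1)  # constructed 2,048-bit modulus
    print(check_public_key("ssh-rsa " + rsa + " admin@example"))
    print(check_public_key("ssh-dss " + sample_blob("ssh-dss", (1 << 2047) | 1, 1, 1, 1)))
```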
Configure the administrator account to use public key