Configure SSH Key-Based Administrator Authentication to the CLI

For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-force attacks, provide the option for two-factor authentication (key and passphrase), and don’t send passwords over the network. SSH keys also enable automated scripts to access the CLI.
  1. Use an SSH key generation tool to create an asymmetric keypair on the client system of the administrator.
    The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA (1,024 bits) and RSA (768-4,096 bits).
    For the commands to generate the keypair, refer to your SSH client documentation.
    The public key and private key are separate files. Save both to a location that the firewall can access. For added security, enter a passphrase to encrypt the private key. The firewall prompts the administrator for this passphrase during login.
  2. Configure the administrator account to use public key authentication.
      • Configure the authentication method to use as a fallback if SSH key authentication fails. If you configured an Authentication Profile for the administrator, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
      • Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you just generated, and click OK.
      • Commit your changes.
  3. Configure the SSH client to use the private key to authenticate to the firewall.
    Perform this task on the client system of the administrator. For the steps, refer to your SSH client documentation.
  4. Verify that the administrator can access the firewall CLI using SSH key authentication.
    1. Use a browser on the client system of the administrator to go to the firewall IP address.
    2. Log in to the firewall CLI as the administrator. After entering a username, you will see the following output (the key value is an example):
      Authenticating with public key “dsa-key-20130415”
    3. If prompted, enter the passphrase you defined when creating the keys.
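As an added example (not part of the Palo Alto Networks documentation), the following Python script can be run on the administrator's client system between steps 1 and 2 to confirm that the generated public key is in OpenSSH one-line format and uses an algorithm and size the firewall accepts (RSA 768-4,096 bits or DSA 1,024 bits) before you import it. The sample keys at the bottom are constructed integers of the right size, not real keypairs.

```python
import base64
import struct

# Key types and sizes the firewall accepts for SSH key authentication.
SUPPORTED_BITS = {"ssh-rsa": (768, 4096), "ssh-dss": (1024, 1024)}

def _ssh_string(data):  # SSH wire-format string: uint32 length + data
    return struct.pack(">I", len(data)) + data
def _mpint(n):  # SSH mpint: big-endian bytes, 0x00 prefix if the MSB is set
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)
def _read_string(blob, pos):  # read one wire-format string; return (data, next_pos)
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length
def build_openssh_pubkey(alg, ints, comment=""):
    """Build an OpenSSH one-line public key from an algorithm name and mpints."""
    blob = _ssh_string(alg.encode()) + b"".join(_mpint(i) for i in ints)
    return "%s %s %s" % (alg, base64.b64encode(blob).decode(), comment)

def parse_openssh_pubkey(line):
    """Return (algorithm, key_bits, comment) for an OpenSSH public key line."""
    parts = line.split(None, 2)
    alg, blob = parts[0], base64.b64decode(parts[1])
    comment = parts[2].strip() if len(parts) > 2 else ""
    blob_type, pos = _read_string(blob, 0)
    if blob_type.decode() != alg:
        raise ValueError("type prefix %r does not match blob type %r" % (alg, blob_type))
    mpints = []
    while pos < len(blob):
        raw, pos = _read_string(blob, pos)
        mpints.append(int.from_bytes(raw, "big"))
    # Key size: bit length of the RSA modulus n (fields e, n) or DSA prime p (p, q, g, y).
    bits = (mpints[1] if alg == "ssh-rsa" else mpints[0] if alg == "ssh-dss" else 0).bit_length()
    return alg, bits, comment

def check_key_for_firewall(line):
    """Return (ok, message): can this key be imported for an administrator account?"""
    alg, bits, comment = parse_openssh_pubkey(line)
    if alg not in SUPPORTED_BITS:
        return False, "%s is not a supported algorithm (use RSA or DSA)" % alg
    lo, hi = SUPPORTED_BITS[alg]
    if not lo <= bits <= hi:
        return False, "%s key is %d bits; supported range is %d-%d" % (alg, bits, lo, hi)
    return True, "%s %d-bit key %r can be imported" % (alg, bits, comment)

# Constructed sample keys (not real keys; the integers only have the right sizes).
RSA_2048_LINE = build_openssh_pubkey("ssh-rsa", [65537, (1 << 2047) | 1], "admin@laptop")
RSA_8192_LINE = build_openssh_pubkey("ssh-rsa", [65537, (1 << 8191) | 1], "toobig")
ED25519_LINE = build_openssh_pubkey("ssh-ed25519", [1 << 255], "wrongtype")
```

To check a real key, pass the contents of your `.pub` file to `check_key_for_firewall`; an ed25519 or ECDSA key generated by a modern client is rejected here for the same reason the firewall would not accept it.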
