Configure SSH Key-Based Administrator Authentication to the CLI
For administrators who use Secure Shell (SSH) to access the CLI of a Palo Alto Networks firewall, SSH keys provide a more secure authentication method than passwords. SSH keys almost eliminate the risk of brute-force attacks, provide the option for two-factor authentication (key and passphrase), and don’t send passwords over the network. SSH keys also enable automated scripts to access the CLI.
- Use an SSH key generation tool to create an asymmetric keypair on the client system of the administrator. The supported key formats are IETF SECSH and OpenSSH. The supported algorithms are DSA (1,024 bits) and RSA (768-4,096 bits). For the commands to generate the keypair, refer to your SSH client documentation. The public key and private key are separate files. Save both to a location that the firewall can access. For added security, enter a passphrase to encrypt the private key. The firewall prompts the administrator for this passphrase during login.
- Configure the administrator account to use public key authentication.
  - Configure a Firewall Administrator Account.
  - Configure the authentication method to use as a fallback if SSH key authentication fails. If you configured an Authentication Profile for the administrator, select it in the drop-down. If you select None, you must enter a Password and Confirm Password.
  - Select Use Public Key Authentication (SSH), then Import Key, Browse to the public key you just generated, and click OK.
  - Commit your changes.
- Configure the SSH client to use the private key to authenticate to the firewall. Perform this task on the client system of the administrator. For the steps, refer to your SSH client documentation.
- Verify that the administrator can access the firewall CLI using SSH key authentication.
  - Use a browser on the client system of the administrator to go to the firewall IP address.
  - Log in to the firewall CLI as the administrator. After entering a username, you will see the following output (the key value is an example):
    Authenticating with public key “dsa-key-20130415”
  - If prompted, enter the passphrase you defined when creating the keys.
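The client-side part of this procedure (generate the keypair, protect the private key with a passphrase, export the public key in a format the firewall accepts, point the SSH client at the private key) carried through with OpenSSH tools, as an added example that is not part of the Palo Alto Networks documentation. The page only says to refer to your SSH client documentation, so the tool choice, the hostname `firewall.example.internal`, the account name `fwadmin`, the `Host pan-firewall` alias and the key file names are all assumptions. The example picks RSA at 4096 bits, the upper end of the range the page lists, rather than 1,024-bit DSA: that size is the weakest option listed, and OpenSSH clients have disabled DSA (`ssh-dss`) by default since 7.0, so a DSA key may not even be offered by a current client. Before the Import Key step it also checks that the generated public key's algorithm and size fall inside the ranges the page states, and that the private key really refuses to load without its passphrase. The private key never leaves the administrator's `~/.ssh`; only the `.pub` files are what gets imported on the firewall.

```shell
#!/bin/sh
# Added example, not from the Palo Alto Networks documentation. Uses the
# OpenSSH ssh-keygen/ssh tools on the administrator's client system.
set -eu

# Assumed placeholder values (not from the page); override via environment.
FIREWALL_HOST="${FIREWALL_HOST:-firewall.example.internal}"  # assumed firewall hostname
ADMIN_USER="${ADMIN_USER:-fwadmin}"                          # assumed administrator account
KEY_FILE="${KEY_FILE:-$HOME/.ssh/pan_fw_admin_rsa}"          # assumed private key path
CLIENT_CONFIG="${CLIENT_CONFIG:-$HOME/.ssh/pan_fw_config}"   # assumed ssh_config file

# Step 1: create the asymmetric keypair. RSA 4096 is within the 768-4096 bit
# range the page lists; -N encrypts the private key with the passphrase.
# Also export the public key in IETF SECSH (RFC 4716) form, the other
# format the page says the firewall accepts, so either file can be imported.
generate_admin_keypair() {
    keyfile="$1"; passphrase="$2"
    mkdir -p "$(dirname "$keyfile")"
    chmod 700 "$(dirname "$keyfile")"
    ssh-keygen -q -t rsa -b 4096 -N "$passphrase" \
        -C "pan-fw-admin-$(date +%Y%m%d)" -f "$keyfile"
    ssh-keygen -e -m RFC4716 -f "$keyfile.pub" > "$keyfile.secsh.pub"
}

# Pre-import check: does this public key match what the page says the
# firewall supports (RSA 768-4096 bits, or DSA 1024 bits)? Returns 0 if so.
# ssh-keygen -l prints "<bits> <fingerprint> <comment> (<TYPE>)".
public_key_is_supported() {
    pubfile="$1"
    bits="$(ssh-keygen -l -f "$pubfile" | awk '{print $1}')"
    ktype="$(ssh-keygen -l -f "$pubfile" | awk '{print $NF}' | tr -d '()')"
    case "$ktype" in
        RSA) [ "$bits" -ge 768 ] && [ "$bits" -le 4096 ] ;;
        DSA) [ "$bits" -eq 1024 ] ;;
        *)   return 1 ;;
    esac
}

# Confirm the private key is really passphrase-protected: deriving the public
# key must fail with an empty passphrase and succeed with the real one.
private_key_is_encrypted() {
    keyfile="$1"; passphrase="$2"
    if ssh-keygen -y -P "" -f "$keyfile" >/dev/null 2>&1; then
        return 1   # loaded with no passphrase: the key is not encrypted
    fi
    ssh-keygen -y -P "$passphrase" -f "$keyfile" >/dev/null 2>&1
}

# Step 3: tell the SSH client to use this private key for the firewall.
# Written to its own config file so nothing else in ~/.ssh/config is touched.
write_client_config() {
    cfg="$1"; host="$2"; user="$3"; keyfile="$4"
    cat > "$cfg" <<EOF
Host pan-firewall
    HostName $host
    User $user
    IdentityFile $keyfile
    IdentitiesOnly yes
    PubkeyAuthentication yes
EOF
    chmod 600 "$cfg"
}

# Resolve the effective client config without connecting (ssh -G) and return
# the IdentityFile the client would offer to the firewall.
effective_identity_file() {
    ssh -G -F "$1" pan-firewall | awk '$1 == "identityfile" {print $2; exit}'
}

main() {
    generate_admin_keypair "$KEY_FILE" "$PASSPHRASE"
    public_key_is_supported "$KEY_FILE.pub" || {
        echo "key type/size outside the firewall's supported range" >&2; exit 1; }
    private_key_is_encrypted "$KEY_FILE" "$PASSPHRASE" || {
        echo "private key is not passphrase-protected" >&2; exit 1; }
    write_client_config "$CLIENT_CONFIG" "$FIREWALL_HOST" "$ADMIN_USER" "$KEY_FILE"
    echo "Import $KEY_FILE.pub (or $KEY_FILE.secsh.pub) on the firewall, then:"
    echo "  ssh -F $CLIENT_CONFIG pan-firewall"
}

# Run end to end only when a passphrase is supplied:
#   PASSPHRASE='long passphrase' sh ./pan_fw_sshkey.sh
if [ -n "${PASSPHRASE:-}" ]; then
    main
fi
```

After the public key has been imported through Device > Administrators and the change committed, the verification in step 4 is `ssh -F ~/.ssh/pan_fw_config pan-firewall`; the client prompts for the passphrase, and the exact wording of the "Authenticating with public key" line depends on which SSH client is in use. If the firewall instead falls back to asking for a password, the imported key or the client's IdentityFile does not match, which is the failure the fallback authentication method in step 2 is there to absorb.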