Chapter 10 Install and System Administration for FortiOS 5.0 : Basic Administration : Configuration backups : Backup and restore a configuration file using SCP : SCP public-private key authentication
  
SCP public-private key authentication
SCP authenticates itself to the FortiGate unit in the same way as an administrator using SSH accesses the CLI. Instead of using a password, you can configure the SCP client and the FortiGate unit with a public-private key pair.
To configure public-private key authentication
1. Create a public-private key pair using a key generator compatible with your SCP client.
2. Save the private key to the location on your computer where your SSH keys are stored.
This step depends on your SCP client. The Secure Shell key generator automatically stores the private key.
3. Copy the public key to the FortiGate unit using the CLI commands:
config system admin
edit admin
set ssh-public-key1 "<key-type> <key-value>"
end
<key-type> must be ssh-dss for a DSA key or ssh-rsa for an RSA key. For the <key-value>, copy the public key data and paste it into the CLI command.
If you are copying the key data from Windows Notepad, copy one line at a time and ensure that you paste each line of key data at the end of the previously pasted data. As well:
Do not copy the end-of-line characters that appear as small rectangles in Notepad.
Do not copy the ---- BEGIN SSH2 PUBLIC KEY ---- or Comment: “[2048-bit dsa,...]” lines.
Do not copy the ---- END SSH2 PUBLIC KEY ---- line.
4. Type the closing quotation mark and press Enter.
Your SCP client can now authenticate to the FortiGate unit based on SSH keys rather than the administrator password.
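The copy-and-paste rules in step 3, as an added example that is not part of the Fortinet documentation: a Python script that reads an SSH2-format public key file, drops the BEGIN, Comment and END lines and the end-of-line characters, checks the key type stored inside the key data, and prints the CLI commands. The function names and the sample key are constructed for illustration; the sample is not a usable key.

```python
import base64
import struct

ALLOWED = ("ssh-dss", "ssh-rsa")  # the two key types this page names

def rfc4716_to_cli(text):
    """Turn an SSH2-format public key file into the 'set ssh-public-key1' line."""
    body, in_key, in_header = [], False, False
    for raw in text.splitlines():          # splitlines() discards CR/LF characters
        line = raw.strip()
        if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
            in_key = True
        elif line.startswith("---- END SSH2 PUBLIC KEY"):
            break
        elif in_key and line:
            if in_header or ":" in line:   # header line (Comment: ...), "\" continues it
                in_header = line.endswith("\\")
            else:
                body.append(line)          # one line of base64 key data
    key_value = "".join(body)
    blob = base64.b64decode(key_value, validate=True)
    if len(blob) < 4:
        raise ValueError("no key data found between the BEGIN and END lines")
    # The decoded key starts with a length-prefixed name of its own type.
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode("ascii", "replace")
    if key_type not in ALLOWED:
        raise ValueError("unsupported key type: %r" % key_type)
    return 'set ssh-public-key1 "%s %s"' % (key_type, key_value)

def ssh_string(data):
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

def make_sample(key_type=b"ssh-rsa"):
    """Constructed sample file with CRLF line ends; NOT a usable key."""
    blob = (ssh_string(key_type) + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + bytes(range(128, 256))))
    b64 = base64.b64encode(blob).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----",
             'Comment: "constructed sample, \\', 'not a real key"']
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    print("config system admin\nedit admin")
    print(rfc4716_to_cli(make_sample()))
    print("end")
```

Reading the key type from the decoded data rather than typing it by hand catches a mismatched <key-type> before the line is pasted into the CLI.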
See Also
Configuration backups
Backup and restore a configuration file using SCP
Enable SSH access on the interface
Using the SCP client
Restoring a configuration using SCP