FortiToken 300 and SSH in Linux

You have your FortiToken 300 up and running with the Windows middleware, but maybe you'd also like to use it on Linux, in your browser or for SSH login to your FortiGate or other servers.
I don't recommend trying to use the opensc/pkcs15 suite with your FortiToken 300; the Fortinet middleware is much easier to use. The three files you'll need are libcastle.so.1.0.0, pkimanager and pkimanager_admin.

I typically copy the PKCS#11 library libcastle.so.1.0.0 to /usr/lib/ on each of my Linux systems, where any program that speaks PKCS#11 can then reference it. The pkimanager executables perform the same function as the Windows middleware if you prefer to import your certificates under Linux.

For getting your FTK300 working with Firefox, I have some instructions here.

In order for your SSH client to use the FortiToken when connecting to a remote system, add the following line to /etc/ssh/ssh_config (system-wide) or to ~/.ssh/config (for one user only). Keep in mind that ssh loads this shared object into its own process, so only point it at a library you trust, installed root-owned and not writable by other users:

PKCS11Provider /usr/lib/libcastle.so.1.0.0

When you initiate an SSH connection to a remote system, ssh loads the provider, enumerates the keys on the token and offers their public keys to the server. You will be prompted for the token PIN when a matching key is used; the private key itself never leaves the token.

You would normally use ssh-keygen to create an RSA key pair, with the private key stored on the client system and the public key copied into the authorized_keys file on the remote server. With the FortiToken the private key already lives on the token, so instead you read the matching public key(s) out of the token with:

ssh-keygen -D /usr/lib/libcastle.so.1.0.0

The resulting public key line(s) go into ~/.ssh/authorized_keys of the target account on the remote SSH server (for example /home/user/.ssh/authorized_keys).

The public key can also be added to a FortiGate so you can use the FortiToken to SSH into your security appliance. Paste the key as a single line, exactly as printed by ssh-keygen -D:

config system admin
edit admin     (or another admin user)
set ssh-public-key1 "ssh-rsa AAADSB..... "
end
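As an added example, here is a POSIX shell script that ties the steps above together. It is my own wiring of the procedure, not code from the post or from Fortinet: it emits the client-side PKCS11Provider stanza, checks the provider file before ssh loads it, reads the token's public keys with ssh-keygen -D, and converts those key lines into the FortiGate admin snippet. The provider path is the one used above; the helper names, the sample key lines in the usage comments, and the assumption that FortiOS exposes three slots per admin (ssh-public-key1 to ssh-public-key3) are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from Fortinet.
# Glues the steps above together:
#   1. emit the client-side PKCS11Provider line,
#   2. read the token's public keys with ssh-keygen -D (token must be plugged in),
#   3. turn those key lines into a FortiGate "config system admin" snippet.
# Assumptions: the provider path is the one the post uses; the helper names and
# the three key slots per admin (ssh-public-key1..3) are my assumptions.

PROVIDER="${PROVIDER:-/usr/lib/libcastle.so.1.0.0}"

# Client config stanza. Put it in ~/.ssh/config to scope the token to one user
# instead of editing the system-wide /etc/ssh/ssh_config.
pkcs11_client_config() {
    printf 'PKCS11Provider %s\n' "$1"
}

# ssh dlopen()s the provider into its own process, so refuse a file that is
# missing or world-writable (POSIX find: -perm -002 matches world-writable).
provider_is_safe() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -002)" ]
}

# Public keys of all keys on the token, one "type base64 [comment]" per line.
token_public_keys() {
    provider_is_safe "$1" || { echo "refusing provider $1" >&2; return 1; }
    ssh-keygen -D "$1"
}

# stdin: key lines as printed by ssh-keygen -D. stdout: FortiOS CLI that
# installs up to three of them on the named admin. FortiOS stores the key as
# "<type> <base64>", so the trailing comment is dropped; non-key lines are
# skipped and any keys beyond the third slot are reported on stderr.
fortigate_admin_cli() {
    awk -v admin="$1" '
        BEGIN { n = 0; extra = 0
                print "config system admin"
                print "    edit \"" admin "\"" }
        $1 ~ /^(ssh-|ecdsa-sha2-)/ {
            if (n < 3) {
                n++
                print "        set ssh-public-key" n " \"" $1 " " $2 "\""
            } else {
                extra++
            }
        }
        END { print "    next"; print "end"
              if (extra > 0)
                  print "warning: " extra " key(s) not mapped, only three slots" > "/dev/stderr" }
    '
}

# Usage (needs the token plugged in and ssh-keygen on the client):
#   sh ftk300-ssh.sh pubkeys               # dump the token's public keys
#   sh ftk300-ssh.sh fortigate admin       # FortiOS snippet for admin "admin"
#   sh ftk300-ssh.sh install user@host     # append keys to remote authorized_keys
case "${1:-}" in
    pubkeys)   token_public_keys "$PROVIDER" ;;
    fortigate) token_public_keys "$PROVIDER" | fortigate_admin_cli "${2:-admin}" ;;
    install)   token_public_keys "$PROVIDER" |
                   ssh "$2" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' ;;
esac
```

The install mode logs in with whatever credentials you already have on the target (a password or an existing key), appends the token's public keys, and from then on ssh will pick the token key after prompting for its PIN. The fortigate mode prints a snippet you paste into the FortiGate CLI; check the output before pasting, since a key that lands in the wrong slot silently overwrites whatever was there.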
