Login and authentication of the administrative user root on a Barracuda CloudGen Firewall use a two-factor authentication mechanism. The authenticity of the admin workstation is verified using a certificate, preferably an encrypted one. In addition, the administrator must authenticate with a personal password. When creating new administrator profiles, Barracuda Networks recommends using certificates/keys instead of passwords whenever possible, because authenticating via public-key cryptography avoids the exchange of security-relevant information.
Creating and Importing Certificates
Create a certificate on the Barracuda CloudGen Firewall using Barracuda Firewall Admin:
- Open the OPTIONS tab in the top left corner of the screen and select Settings.
- Expand the Certificates and Private Keys section.
- Click Create New Certificate/Key.
- Fill in the certificate details (e.g., Country, State, Name, Expiring date) and click OK.
The certificate is generated by using Microsoft Strong Cryptographic Provider v1.0 and can be imported from the Microsoft Certificate Management Store. It is displayed in the certificates list and provides key information in the Hash and Public Key column.
Configure Certificate Based Authentication
To configure certificate authentication for the root user, import the root public RSA key. If a key for automated SSH login is required, add it to the authorized root keys.
- Go to CONFIGURATION > Configuration Tree > Box > Administrative Settings.
- From the Configuration Mode menu, select Switch to Advanced View.
- In the left navigation pane, click Advanced System Access.
- Click Lock.
- Select the Authentication Mode for system access.
- Import the Root Public RSA Key for the root user.
- In the Authorized Root Keys field, enter the public keys that are assigned to your root user in OpenSSH format, one key per line.
- Click Send Changes and Activate.
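Before pasting keys into the Authorized Root Keys field, each line can be checked for well-formed OpenSSH public key format. The following is an added example, not Barracuda code: the function names, the 2048-bit minimum, and the sample key (a constructed blob, not a usable key) are assumptions for illustration.

```python
import base64

MIN_RSA_BITS = 2048  # assumed policy threshold, not a value from the page

def _read_field(blob, offset):
    """Read one length-prefixed field (RFC 4253 string/mpint) from the blob."""
    length = int.from_bytes(blob[offset:offset + 4], "big")
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past end of key blob (wrapped or truncated?)")
    return blob[offset + 4:end], end

def check_key_line(line):
    """Return (ok, detail) for one '<type> <base64> [comment]' line."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return False, "expected '<type> <base64> [comment]'"
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
        inner_type, off = _read_field(blob, 0)
        if inner_type.decode("ascii", "replace") != key_type:
            return False, "type prefix does not match key blob"
        if key_type != "ssh-rsa":
            return True, f"{key_type} (type consistent, size not checked)"
        _exponent, off = _read_field(blob, off)
        modulus, off = _read_field(blob, off)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, str(exc)
    if off != len(blob):
        return False, "trailing data after modulus"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        return False, f"RSA modulus is only {bits} bits"
    return True, f"ssh-rsa {bits} bits"

def check_field(text):
    """Validate every non-empty line of the field contents, one key per line."""
    return [check_key_line(l) for l in text.splitlines() if l.strip()]

def _field(raw):
    return len(raw).to_bytes(4, "big") + raw

def make_sample_line(bits, comment="root@admin-ws"):
    """Constructed sample only: a well-formed blob, not a usable key pair."""
    def mpint(n):  # sized so the top bit stays clear (mpint is signed)
        return _field(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    blob = _field(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```

A key that was wrapped across two lines by an editor or mail client fails on both halves, which is the most common reason a pasted key is silently not accepted.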