Month: April 2012

Leveraging ssh-agent and Junos based routers

There I was with 12 J-Series routers equipped with 12 dual T1 cards each. That's 144 T1 ports: 12 routers * 12 ports per router (6 PIMs * 2 ports per PIM). I needed to quickly search the description field of each interface to find a particular circuit ID.

Our standard operating policy was to include the circuit ID in the description field among other descriptive items. By doing this we had another method of checks and balances to work with while on the phone with a co-worker or with the customer. After all, how many times have you run into having the right information but the wrong physical circuit? In the ten years I worked for a small, 100-plus-year-old independent telephone company it was not uncommon. Adding this information was just another effort to ensure we were helping the right customer.

Junos allows a configured login user to authenticate with an SSH public key instead of a password; the key is attached to that user under "system login user" in the configuration. Have a look at this reference in Juniper's docs.

If you have used SSH public-key authentication before, the benefit of using it on the router should be obvious. If it isn't, consider this: with no password prompt in the way, you can send a command to many routers from a single shell loop and have the results returned, neatly labeled, in seconds, and no router password ever has to be pasted into a script or an expect file. The time saved is better appreciated by experiencing it than by imagining it from a theoretical point of view.

Here are the generic steps,

  1. Create an SSH key pair on your workstation and protect the private key with a passphrase
  2. Configure your workstation's SSH client to use ssh-agent (Mac, Linux or Windows)
  3. Add the public key to the user's authentication stanza in the Junos configuration
  4. Load the private key into your workstation's ssh-agent (this is when the passphrase is typed)
  5. Connect to the Junos based router using SSH. The expectation is that you are not presented a password prompt and you land directly on the CLI of the router. If you are presented a password prompt, the public key on the router and the private key in your agent do not match, or the key was never installed.

If everything works you should be able to load your private key into the local ssh-agent by providing your passphrase one time… after that any remote Junos device that has the matching public key installed will provide direct CLI access without prompting for a passphrase. Keep in mind that the agent now holds an unlocked credential for every one of those routers: give the key a lifetime when you add it to the agent, lock the workstation when you walk away, and do not forward the agent to the routers themselves.
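As an added, worked example (not the author's script, which is promised for a later post), here is a POSIX shell version of the five steps above plus the circuit-ID search from the opening. The router names rtr01..rtr03, the login user "ops", the key file path and the circuit ID format are assumptions; the Junos "set" statement and the ssh options are the real ones.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed: a Junos login user
# named "ops", routers rtr01..rtr03 reachable by name, and circuit IDs that
# appear verbatim in interface descriptions.

JUNOS_USER=${JUNOS_USER:-ops}
JUNOS_SSH=${JUNOS_SSH:-ssh}   # overridable so the loop can be dry-run without routers

# Steps 1, 2 and 4 (workstation side). Run once per session; shown as a
# function so that sourcing this file does not start an agent by itself.
prepare_agent() {
    keyfile=${1:-$HOME/.ssh/junos_ops}
    # Step 1: key pair with a passphrase. The private key never leaves the workstation.
    [ -f "$keyfile" ] || ssh-keygen -t rsa -b 4096 -f "$keyfile" -C "$JUNOS_USER@$(hostname)"
    # Step 2: start an agent for this shell if none is running.
    [ -n "$SSH_AUTH_SOCK" ] || eval "$(ssh-agent -s)"
    # Step 4: unlock the PRIVATE key once; -t evicts it from the agent after 8 hours
    # so an unattended workstation is not a standing credential for every router.
    ssh-add -t 8h "$keyfile"
}

# Step 3: build the Junos statement that attaches the PUBLIC key to the user.
# The keyword after "authentication" must match the key type; this post uses ssh-rsa.
junos_key_set_cmd() {
    user=$1
    key=$(cat "$2")
    case $key in
        "ssh-rsa "*)
            printf 'set system login user %s authentication ssh-rsa "%s"\n' "$user" "$key" ;;
        *)
            echo "unsupported key type in $2 (expected an ssh-rsa public key)" >&2
            return 1 ;;
    esac
}

# Step 5, scripted: run one CLI command on each router in turn.
# BatchMode=yes turns a missing or rejected key into an immediate failure instead
# of the password prompt the post warns about, which is what you want in a loop.
run_on_routers() {
    cmd=$1; shift
    for r in "$@"; do
        if out=$("$JUNOS_SSH" -o BatchMode=yes -o PreferredAuthentications=publickey \
                     -o ConnectTimeout=5 "$JUNOS_USER@$r" "$cmd"); then
            if [ -n "$out" ]; then
                printf '%s\n' "$out" | sed "s/^/$r: /"
            fi
        else
            echo "$r: ssh failed; is the key in the agent and in this router's config?" >&2
        fi
    done
}

# The search from the opening of the post: which router and port carry a circuit ID?
find_circuit() {
    circuit=$1; shift
    run_on_routers "show interfaces descriptions | match \"$circuit\"" "$@"
}

# Usage: ./find_circuit.sh 12.HCGS.123456   (routers from $ROUTERS, default rtr01..rtr03)
if [ $# -gt 0 ]; then
    find_circuit "$1" ${ROUTERS:-rtr01 rtr02 rtr03}
fi
```

Paste the output of junos_key_set_cmd into configure mode on each router and commit; after that, find_circuit prints each matching interface prefixed with the router name, and a router whose key is missing shows up as a one-line failure on stderr rather than a hung password prompt.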

While this may seem mundane and “so what”… the power of this is fully realized when issuing multiple commands in succession to many Junos based routers. I’ve taken this a step further to combine many commands into a script, which can be configured in a number of ways. The script is executed by having ARGS passed to it, or by embedding prepopulated VARs.

I'll post a script that I used for years in just the way described in this post. I used this technique for BGP operations, routing operations and circuit operations.

More to come…