Leveraging ssh-agent and Junos based routers

There I was with 12 J-Series routers equipped with 12 dual T1 cards each. That’s 144 T1 ports = 12 routers * (12 ports = 2 ports per PIM * 6 PIMs). I needed to quickly search the description field of each interface to find a particular circuit ID.

Our standard operating policy was to include the circuit ID in the description field among other descriptive items. By doing this we had another method of checks and balances to work with while on the phone with a co-worker or on the phone with the customer. After all, how many times have you run into having the right information but the wrong physical circuit? In the ten years I worked for a small 100-plus year old independent telephone company it was not uncommon. Adding this information was just another effort to ensure we were helping the right customer.

Junos allows for a configured user to authenticate using an SSH public-key. Have a look at this reference in Juniper’s docs.

If you are familiar with SSH and have used public-key authentication in the past, then the benefits of using public-key authentication on the router should seem obvious. If they don’t, consider this – the ability to issue several commands remotely at the same time and have the results neatly returned, quickly. More to the point, there is a degree of time saved, which is better realized by experiencing it than by trying to imagine it from a theoretical point of view.

Here are the generic steps:

  1. Create an SSH public-key
  2. Configure your workstation’s SSH client to use ssh-agent (Mac, Linux or Windows)
  3. Add the public-key to the Junos configuration
  4. Load the public key into your workstation’s ssh-agent
  5. Connect to the Junos based router using SSH. The expectation is that you are not presented a password prompt and you are now directly on the CLI of the router. If you are presented a password prompt something is wrong with the configuration.

If everything works, you should be able to load your SSH public-key into the local ssh-agent by providing your passphrase one time. After that, any remote Junos device that has the public key installed will provide direct CLI access without prompting for a passphrase.

While this may seem mundane and “so what”… the power of this is fully realized when issuing multiple commands in succession to many Junos based routers. I’ve taken this a step further to combine many commands into a script, which can be configured in a number of ways. The script is executed by having ARGS passed to it, or by embedding prepopulated VARs.
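The five steps and the circuit-ID search from the opening, as an added shell example (not the author's script): router names, the login user and the key path are placeholders. Note that `ssh-add` loads the private key into the agent, and only the `.pub` half goes into the Junos configuration.

```shell
#!/bin/sh
# Added example; router names, the login user and key paths are placeholders.
# Workstation setup (steps 1, 2 and 4), run once per session:
#   ssh-keygen -t ed25519 -f ~/.ssh/junos_ops -C "ops@workstation"
#   eval "$(ssh-agent -s)"
#   ssh-add -t 3600 ~/.ssh/junos_ops   # agent keeps the private key for 1 hour

# Step 3: print the Junos "set" line that installs a .pub file for a user.
junos_authkey_stanza() {
    user=$1 pubfile=$2 ktype=
    read -r ktype kdata _rest < "$pubfile" || [ -n "$ktype" ] || return 1
    case $ktype in
        ssh-rsa)      jtype=ssh-rsa ;;
        ssh-ed25519)  jtype=ssh-ed25519 ;;
        ecdsa-sha2-*) jtype=ssh-ecdsa ;;
        *) echo "unsupported key type: $ktype" >&2; return 1 ;;
    esac
    printf 'set system login user %s authentication %s "%s %s"\n' \
        "$user" "$jtype" "$ktype" "$kdata"
}

# Step 5 on many routers: search interface descriptions for one circuit ID.
search_descriptions() {
    circuit=$1 failed=0; shift
    # The ID becomes part of the remote CLI line, so restrict its characters.
    case $circuit in
        ''|*[!A-Za-z0-9._/-]*) echo "invalid circuit ID" >&2; return 2 ;;
    esac
    for host in "$@"; do
        # BatchMode=yes: fail instead of falling back to a password prompt.
        # ForwardAgent=no: the agent is never exposed to the router.
        out=$(ssh -n -o BatchMode=yes -o ForwardAgent=no -o ConnectTimeout=5 \
              "$host" "show interfaces descriptions | match $circuit") || {
            echo "$host: ssh failed, check key and agent" >&2
            failed=1; continue; }
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | while IFS= read -r line; do
                printf '%s: %s\n' "$host" "$line"
            done
        fi
    done
    return "$failed"
}

# Usage: ./find_circuit.sh CIRCUIT-ID router1 router2 ...
if [ "$#" -ge 2 ]; then search_descriptions "$@"; fi
```

With `BatchMode=yes`, a router that would have shown a password prompt is reported as a failure instead, which is the "something is wrong with the configuration" case from step 5.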

I’ll post a script I used for years in just the way described in this post. I used this technique for BGP operations, routing operations and circuit operations.

More to come…

3 comments

  1. Howdy! I simply wish to give an enormous thumbs up for the nice information you’ve gotten right here on this post. I can be coming back to your blog for more soon.
