JUNOS, SSH-KEY Authentication

In an earlier post I spoke of leveraging ssh-agent for accessing Junos based platforms. This blog post takes that earlier blog entry a step further.

There are scripting benefits to using an ssh-agent, but if scripting is not your concern, then at the very least there is a convenience factor when accessing the Junos based router.

The following is a summary of what is described in this blog post:

  1. Creating SSH keys
  2. Installing SSH keys onto the Junos based router
  3. Configure your terminal emulator (SSH client) to use ssh-keys
  4. Accessing the Junos router with the new keys from OSX Terminal
  5. Example of issuing a router command from your workstation

Before we can log in or run scripts against a Junos based platform, we have to set up Junos to use ssh-keys.

The example below uses the following,
Junos 10.4r10.7
OS X 10.8.2 (OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011)

Step 1: Create an SSH public-key

ssh-keygen -t rsa -b 2048

[Screenshot: junos ssh-key authentication 1]

Step 2: Add ssh public-key to Junos
Here is what the ssh public-key looks like on the workstation.
[Screenshot: junos ssh-key authentication 2]

Copy the contents of the id_rsa.pub file. Log into Junos and move into configure mode; navigate to system -> login -> user -> SOMEUSERNAME -> authentication. Under the authentication section is where the ssh-key will reside.

[edit system login user jneuffer authentication]

The contents of what I copied from the id_rsa.pub file look like this (on one line),


The following shows the above on one line with the set syntax. The key is abbreviated below for brevity's sake.

[edit system login user jneuffer authentication]
jneuffer@Router_1# set ssh-rsa "ssh-rsa AAAAB3NzaC1…"
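
An added example, not code from the original post: a Python check to run on the workstation before pasting the key in Step 2. It parses the id_rsa.pub line, confirms it really is an ssh-rsa key of at least 2048 bits, and returns the equivalent top-level set command; the function names and the constructed sample key are assumptions for illustration.

```python
import base64
import re

MIN_RSA_BITS = 2048  # same size as the -b 2048 used in Step 1

def _read_field(blob, pos):
    """Read one length-prefixed field (RFC 4251 string/mpint) from the key blob."""
    end = pos + 4 + int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end

def rsa_pubkey_bits(pub_line):
    """Check one id_rsa.pub line and return the RSA modulus size in bits."""
    fields = pub_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, pos = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    _exponent, pos = _read_field(blob, pos)
    modulus, pos = _read_field(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected data after the modulus")
    return int.from_bytes(modulus, "big").bit_length()

def junos_set_command(user, pub_line):
    """Return the Junos set command for the key; reject malformed or short keys."""
    line = pub_line.strip()
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", user):
        raise ValueError("unexpected characters in user name")
    if '"' in line or "\n" in line or "\r" in line:
        raise ValueError("expected exactly one public key line without quotes")
    bits = rsa_pubkey_bits(line)
    if bits < MIN_RSA_BITS:
        raise ValueError(f"RSA modulus is {bits} bits, below {MIN_RSA_BITS}")
    return f'set system login user {user} authentication ssh-rsa "{line}"'

def constructed_pub_line(bits, comment="user@workstation"):
    """Constructed sample: a well-formed ssh-rsa line, NOT a usable RSA key."""
    def field(data):
        return len(data).to_bytes(4, "big") + data
    # The leading 0x00 byte keeps the mpint positive when the top bit is set.
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

if __name__ == "__main__":
    print(junos_set_command("jneuffer", constructed_pub_line(2048)))
```

Only the public key line ever goes into the router configuration; the private key file stays on the workstation.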

Step 3: Configure your terminal emulator (SSH client) to use ssh-keys

If you use a terminal emulator which supports the SSH protocol, telling the terminal emulator where the SSH keys reside should be all that is needed. In the following screenshot I'm telling the terminal emulator I like to use where the SSH private key file is located. The screenshot is only an example and may not look like what you use; my terminal emulator did not come with OSX, and a license to use it was purchased from a developer.

[Screenshot: junos ssh-key authentication 3]

Step 4: Accessing the Junos router with the new keys from OSX Terminal

Open the Terminal application
[Screenshot: junos ssh-key authentication 7]

On my Mac with OSX 10.8.2 the ssh-agent will automatically acknowledge that within my user directory resides ssh-keys; the result is the ssh-agent asking for the private ssh-key password to be entered once.
[Screenshot: junos ssh-key authentication 4]

Once the password is provided, the ssh-agent will keep the password in memory. By doing this, subsequent logins to routers or servers that have your ssh-key installed will not prompt for a password; rather, the ssh-agent will provide the password to the remote host dynamically. This is very convenient.

This is what the first remote login looks like after the ssh-agent asked for the password.
[Screenshot: junos ssh-key authentication 5]

Here is what it looks like after logging out of the above session and then logging back in again. The purpose of showing this is to demonstrate that the password prompt from the ssh-agent is not displayed: once the ssh-agent is provided the password, the ssh session is quickly and conveniently started.
[Screenshot: junos ssh-key authentication 6]

Step 5: Example of issuing a router command from your workstation

The real power of leveraging the ssh-agent with Junos devices is efficiency, with either scripts or manual commands issued from your workstation.

For example, let’s say I want to verify the IP addresses on the interfaces. Here is what it looks like using ssh-agent.
[Screenshot: junos ssh-key authentication 8]

Commands can be chained together as shown in the following screenshot.
[Screenshot: junos ssh-key authentication 10]

In another blog post I’ll cover scripting and using the ssh-agent.
