JUNOS

JUNOS, Scripting and SSH-AGENT

In two previous blog entries I talked about leveraging ssh-agent with scripting. Below is an example script I use to run different commands on Junos based routers.

This particular script is menu driven from the terminal prompt. Beyond the menu the script is non-interactive. It is plausible to write a script that will request user input based on some condition learned by the script; so for this reason scripts can be interactive unlike the below script.

The way I see it, your imagination and vision is the only limit to what you can achieve in computing.

So, please reference the two following blog entries to setup the ssh-agent for accessing a Junos based platform.
JUNOS, SSH-KEY Authentication (the how)
Leveraging ssh-agent and Junos based routers (the why)

To run scripts against a Junos based router, the ssh-agent is not required; however using an ssh-agent is convenient and a time saver.

I have several lab routers that I work with and not all of them are always on and running. The following script does a ping across a range of IP addresses to check if they send an ICMP echo-reply. If they do, the script will log into the router and issue a command.

Here is the script.

#!/usr/bin/env bash
################################################
# File  Name: junos_request_system_halt.sh
# Created On: 11/17/2012 Jeff Neuffer Jr
# Updated On: $Id: junos_request_system_halt.sh 102 2012-11-21 15:28:21Z jneuffer $
# 
# Note: Purpose is to sweep a range of IP addresses and issue a command
#
#
################################################
#
SCRIPT_VERSION='0.2.1';

# Lab hosts range from .200 - .254
HOSTS=( 
	172.16.155.200 
	172.16.155.201 
	172.16.155.202 
	172.16.155.203 
	172.16.155.204 
	172.16.155.205 
	172.16.155.206 
	172.16.155.207 
	172.16.155.208
	172.16.155.209
	172.16.155.210 
	172.16.155.211 
	172.16.155.212 
	172.16.155.213 
	172.16.155.214 
	172.16.155.215 
	172.16.155.216 
	172.16.155.217 
	172.16.155.218 
	172.16.155.219 
	172.16.155.220 
	172.16.155.254 
	);
#HOSTS=( 172.16.155.200 172.16.155.201 172.16.155.202 );
#HOSTS=( 172.16.155.200 );

run_command()
{
	echo;echo;
	for a in ${HOSTS[@]}; do
		# the following ping is used to determine which VM is "alive"
        ping -c 1 -t 1 -n $a > /dev/null 2>&1;        
        if [[ $? -gt 0 ]]; then 
        	echo "$a <-- No Reply" 
        else
        	echo "$a <-- Alive"
        	if [[ "$the_command" == "jhalt" ]]; then
        		ssh $a "request system halt"
        		sleep 8
        	elif [[ "$the_command" == "jreboot" ]]; then
        		ssh $a "request system reboot"
        		sleep 58
        	else
        		echo;echo "nothing matches ($the_command)";echo
        	fi
        	sleep 2
        fi
	done
	echo;echo;
}

continue=yes
while [ "$continue" = yes ]
do
        echo; echo;
        echo "Send Junos Command ($SCRIPT_VERSION)";
        echo "--------------------------------------------";
        echo;     
        echo "  1) Halt   (request system halt)";
        echo "  2) Reboot (request system reboot)";    
                
        echo "  9) Quit";        
        read -p "Select an option [1-7,9]: " ANSWER

        if [[ "$ANSWER" == 1 ]]
        then
                the_command="jhalt";
                run_command;                
                continue=yes;
        elif [[ "$ANSWER" == 2 ]]
        then
                the_command="jreboot";
                run_command;                
                continue=yes;
        
        elif [[ "$ANSWER" == [9Qq] ]]
        then                
                echo "Quiting"; echo;echo;
                continue=no;                
        else
                clear;
                continue=yes;
        fi        
done

This is the output from the script. Notice that for each login to a router a password is not requested.

junos scripting and ssh-agent 1

JUNOS, SSH-KEY Authentication

In an earlier post I spoke of leveraging ssh-agent for accessing Junos based platforms. This blog post takes that earlier blog entry a step further.

There are scripting benefits to using an ssh-agent but if scripting is not your concern then at the very least there is a convenience factor when accessing the Junos based router.

The following is a summery of the detail described in this blog post,

  1. Creating SSH keys
  2. Installing SSH keys onto the Junos based router
  3. Configure your terminal emulator (SSH client) to use ssh-keys
  4. Accessing the Junos router with the new keys from OSX Terminal
  5. Example of issuing a router command from your workstation

Before we can login or run scripts against a Junos based platform we have to setup Junos to use ssh-keys.

The example below uses the following,
Junos 10.4r10.7
OS X 10.8.2 (OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011)

Step 1: Create a SSH public-key

ssh-keygen –t rsa –b 2048

junos ssh-key authentication 1

Step 2: Add ssh public-key to Junos
Here is what the ssh public-key looks like on the workstation.
junos ssh-key authentication 2

Copy the contents of the id_rsa.pub file. Log into Junos and move into configure mode; navigate to system -> login -> user -> SOMEUSERNAME -> authentication. Under the authentication section is where the ssh-key will reside.

[edit system login user jneuffer authentication]
jneuffer@Router_1#

The contents of what I copied from the ssh_rsa.pub file looks like this (one 1 line),

“ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7lirM72mQsu0RBPfned6ehxmY3oUFBQaHzYE+uxmRWc
3cQQBshMDVpA2CHlTlTOJJKnZwUYPPf2dzbyE/iGy9hBs8CI7NCposxMc85Xckhhu11T0hFQoh
n97izVqdpHF6DGT0Sz+d0oHLZf9lkjd+gAPtFPtII18DnsW8JF38UXiG7CaLTNwbdSbgpYakDS
u9sxhhkKKN7hC6YIwdiISyb+LqV4jLCEbeZyRvb30dZb25AMwPAEazzRh1APF4viWtFmJroh+F
HhipIIpfW7fiHofICIgvh9BOYe8F8+Nye7NiZJ8miqw9/tC1Sz5nMv43ualOHD+JbrlOnq/kK8v
jneuffer@Kodiak.local”

The following shows the above on one line with the set syntax. The below abbreviates the entire key for brevity sake.

[edit system login user jneuffer authentication]
jneuffer@Router_1# set ssh-rsa “ssh-rsa AAAAB3NzaC1…”

Step 3: Configure your terminal emulator (SSH client) to use ssh-keys

If using a terminal emulator which supports the SSH protocol, tell the terminal emulator where the SSH keys reside should be all that is needed. In the following screen shot I’m telling the terminal emulator I like to use where the SSH private key file is located. It should be obvious that the below screen shot is an example and may not look like what you use… my terminal emulator did not come with OSX and a license to use the terminal emulator was purchased from a developer.

junos ssh-key authentication 3

Step 4: Accessing the Junos router with the new keys from OSX Terminal

Open the Terminal application
junos ssh-key authentication 7

On my Mac with OSX 10.8.2 the ssh-agent will automatically acknowledge that within my user directory resides ssh-keys; the result is the ssh-agent asking for the private ssh-key password to be entered once.
junos ssh-key authentication 4

Once the password is provided the ssh-agent will keep the password in memory. By doing this subsequent logins to routers or servers that have your ssh-key installed will not prompt for a password, rather the ssh-agent will provide the password to the remote host dynamically. This is very convenient.

This is what the first remote login looks like after the ssh-agent asked for the password.
junos ssh-key authentication 5

Here is what it looks like after logging out of the above session and then logging back in again. The purpose of showing the below is to demonstrate that the password prompt from the ssh-agent is not displayed… once the ssh-agent is provided the password the ssh session is quickly and conveniently started.
junos ssh-key authentication 6

Step 5: Example of issuing a router command from your workstation

The real power of leveraging the ssh-agent with Junos devices is efficiency. Efficiency with either scripts or manual commands issued from your workstation.

For example, let’s say I want to verify the IP addresses on the interfaces. Here is what it looks like using ssh-agent.
junos ssh-key authentication 8

Commands can be chained together as shown in the following screen shot.
junos ssh-key authentication 10

In another blog post I’ll cover scripting and using the ssh-agent.