The outbound SSH feature allows the initiation of an SSH session between JUNOS routers and Network and System Management (NSM) servers in environments where client-initiated TCP/IP connections are blocked (for example, when the router is behind a firewall). To configure outbound SSH, you add an outbound-ssh configuration statement to the JUNOS router. Once the configuration is committed, the JUNOS router begins to initiate an outbound SSH session with each configured management client. Once the router has initialized the outbound session and the connection is established, the roles revert to the usual ones: the NSM server runs the SSH handshake as the SSH client, and the JUNOS device acts as the SSH server, which authenticates the client.
Setting up outbound SSH involves:
Configuring the JUNOS router for outbound SSH
Configuring the management server for outbound SSH.
At the [edit system services ssh] hierarchy level, set the SSH protocol version to v2:
[edit system services ssh]
user@host# set protocol-version v2
Generate or obtain a public/private key pair for the JUNOS router. This is the router's SSH host key pair: the management server uses the public key to authenticate the router when the SSH session is set up (the session encryption keys themselves are negotiated during the SSH handshake). For more information on generating key pairs, see the System Basics Configuration Guide.
If the public key will be installed on the application
management system manually, transfer the public key to the NSM server.
Add an outbound-ssh statement at the [edit system services] hierarchy level. The statement has the following attributes:
application-id—(Required) The application-id is used to identify the outbound-ssh configuration stanza
on the router. Each outbound-ssh stanza represents a single
outbound SSH connection. This attribute is not sent to the client.
device-id—(Required) The device-id identifies the JUNOS device to the client during the initiation
sequence.
secret—(Optional) The JUNOS router's public
SSH Host Key. If added to the outbound-ssh statement, during
the initialization of the outbound SSH service, the JUNOS device will
pass its public key to the management server. This is the recommended
method of maintaining a current copy of the router's public key.
keep-alive—(Optional) When configured,
the router will send keep alive messages to the management server.
To configure the keep alive message, you must set both the timeout
and retry attributes.
retry—The number of keep alive messages
the JUNOS device will send without receiving a response from the client
before the current SSH connection will be disconnected. (default=3)
timeout—The amount of time, in seconds, that the JUNOS server will wait for data before sending a keep alive message. (default=15)
reconnect-strategy—(Optional) Specifies the method the JUNOS router will use to re-establish an outbound SSH connection that was disconnected. There are two methods available, sticky and in-order:
sticky—The router first attempts to reconnect to the management server it was last connected with. If that connection is unavailable, it attempts to establish a connection with the next client on the list, and so forth, until a connection is made.
in-order—The router will attempt to establish
an outbound SSH session based on the management server address list.
The router attempts to establish a session with the first server on
the list. If this connection is not available, the router attempts
to establish a session with the next server. The router will continue
through the list until a connection is established.
When reconnecting to a client, the JUNOS router attempts the connection according to the retry and timeout values configured for that client's address entry (described below), for each of the clients listed.
services—(Required) Specifies the services
available for the session. Currently, NETCONF is the only service
available.
address—(Required) The host name or the
IPv4 address of the NSM application server. You can list multiple
clients by adding each client's IP address or host name along with
the connection parameters listed below.
port—The port that the client will use
for the outbound SSH connection. (default=22)
retry—The number of times the JUNOS router will attempt to establish an outbound SSH connection before giving up. (default=3)
timeout—The amount of time, in seconds,
that the JUNOS router will attempt to establish an outbound SSH connection
before giving up. (default=15)
Commit the configuration:
[edit]
user@host# commit
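As an added example that is not part of the JUNOS documentation, the following Python renders the outbound-ssh stanza described above as a list of Junos set commands, enforcing the constraints the attribute list states (application-id and device-id required, keep-alive needs both retry and timeout, NETCONF is the only service, only two reconnect strategies, address defaults of port 22, retry 3 and timeout 15), and models the order in which the sticky and in-order strategies walk the server list after a disconnect. It assumes the stanza is entered as client <application-id> under [edit system services outbound-ssh]; that keyword, the interpretation of "the next client on the list" as continuing after the last-used entry, and all names and addresses are assumptions, not taken from the page.

```python
"""Render and sanity-check a Junos outbound-ssh stanza and model the two
reconnect strategies. Added example; the 'client' keyword and the set-command
form are assumptions about the CLI, and the values are placeholders."""
from typing import List, Optional, Sequence

VALID_STRATEGIES = ("sticky", "in-order")


def render_outbound_ssh(application_id: str, device_id: str,
                        addresses: Sequence[dict],
                        secret: Optional[str] = None,
                        keep_alive: Optional[dict] = None,
                        reconnect_strategy: Optional[str] = None,
                        services: str = "netconf") -> List[str]:
    """Return the set commands for one outbound-ssh stanza, rejecting any
    combination the attribute description does not allow."""
    if not application_id or not device_id:
        raise ValueError("application-id and device-id are required")
    if services != "netconf":
        raise ValueError("netconf is currently the only supported service")
    if reconnect_strategy is not None and reconnect_strategy not in VALID_STRATEGIES:
        raise ValueError(f"reconnect-strategy must be one of {VALID_STRATEGIES}")
    if not addresses:
        raise ValueError("at least one management server address is required")

    # assumed CLI form: the stanza is keyed by 'client <application-id>'
    base = f"set system services outbound-ssh client {application_id}"
    cmds = [f"{base} device-id {device_id}"]
    if secret is not None:
        cmds.append(f'{base} secret "{secret}"')
    if keep_alive is not None:
        # keep-alive is only valid when both retry and timeout are given
        if not all(k in keep_alive for k in ("retry", "timeout")):
            raise ValueError("keep-alive requires both retry and timeout")
        cmds.append(f"{base} keep-alive retry {keep_alive['retry']} "
                    f"timeout {keep_alive['timeout']}")
    if reconnect_strategy is not None:
        cmds.append(f"{base} reconnect-strategy {reconnect_strategy}")
    cmds.append(f"{base} services {services}")
    for entry in addresses:
        host = entry["address"]
        port = entry.get("port", 22)        # defaults stated in the text
        retry = entry.get("retry", 3)
        timeout = entry.get("timeout", 15)
        cmds.append(f"{base} {host} port {port} retry {retry} timeout {timeout}")
    return cmds


def reconnect_order(addresses: Sequence[str], strategy: str,
                    last_connected: Optional[str]) -> List[str]:
    """Order in which the router tries servers after a disconnect.
    in-order: walk the configured list from the top.
    sticky: start with the server last connected to, then continue down the
    list from the entry after it, wrapping around (an interpretation of
    'the next client on the list and so forth')."""
    if strategy not in VALID_STRATEGIES:
        raise ValueError(f"unknown reconnect-strategy {strategy!r}")
    if strategy == "in-order" or last_connected not in addresses:
        return list(addresses)
    i = addresses.index(last_connected)
    return list(addresses[i:]) + list(addresses[:i])


if __name__ == "__main__":
    # placeholder values; 192.0.2.0/24 is the documentation address range
    stanza = render_outbound_ssh(
        "nsm", "router1",
        [{"address": "192.0.2.10", "port": 7804}, {"address": "192.0.2.11"}],
        keep_alive={"retry": 3, "timeout": 15},
        reconnect_strategy="sticky",
    )
    print("\n".join(stanza))
    print(reconnect_order(["192.0.2.10", "192.0.2.11"], "sticky", "192.0.2.11"))
```

The renderer only builds the set commands; the commit step and the NETCONF session that follows are unchanged. If a keep-alive is wanted, pass both retry and timeout, otherwise the function refuses to emit a half-configured keep-alive rather than leaving the router to reject it at commit.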
To set up the Network and Systems Management Server:
Enable the application to access the SSH software.
If the application uses the JUNOScript Perl
module provided by Juniper Networks, no action is necessary. As part
of the installation procedure for the Perl module, you install a prerequisites
package that includes the necessary SSH software. For instructions,
see Downloading the JUNOS Module and Sample Scripts.
If the application does not use the JUNOScript
Perl module, obtain the SSH software and install it on the computer
where the application runs. For information about obtaining and installing
SSH software, see http://www.ssh.com and http://www.openssh.com.
(Optional) Manually install the JUNOS router's public
key for use with the SSH connection.
Configure the client system to receive and process initialization requests from the router. The initialization request uses the following syntax:
If the secret attribute is configured, the JUNOS router sends its public SSH host key along with the initialization sequence (recommended method). When the key has been received, the client needs to decide what to do with the router's public key. Juniper recommends that you replace any current public SSH key for the router with the new key, so that the client always has the current key available for authentication. Because the key arrives in the initialization sequence, before the SSH handshake, a key that differs from the one already stored for that device-id should at least be logged, so that a legitimate key rotation can be told apart from an unexpected change.
If the secret attribute is not configured, the JUNOS router does not send its public SSH key along with the initialization sequence, and you need to manually install the router's current public SSH key on the management server.
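As an added example (not Juniper code), the following Python shows the management-server side of the recommended key policy: keep the most recently received public host key for each device-id, but compute the key's fingerprint and record an alert whenever the new key differs from the stored one, so the replacement is visible rather than silent. The key material is constructed inline (an ssh-ed25519 blob built from arbitrary bytes) purely so the code runs offline; the fingerprint format (base64 of the SHA-256 of the decoded key blob) follows OpenSSH's convention.

```python
"""Per-device host-key store for an outbound-SSH management server.
Added example; the key bytes are constructed, not real router keys."""
import base64
import hashlib
import struct
from typing import Dict, List, Optional


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_openssh_line(key_type: str, raw: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line (type, base64 blob, comment) from
    constructed raw key bytes. An ssh-ed25519 blob is string(type) || string(pk)."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def fingerprint(line: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a public-key line: base64 of the
    SHA-256 of the decoded blob, with '=' padding stripped."""
    key_type, b64, *_ = line.split()
    blob = base64.b64decode(b64)
    # the blob's leading string must agree with the declared key type
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen].decode() != key_type:
        raise ValueError("key type inside blob does not match declared type")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Keeps the current public host key per device-id.

    record() always replaces the stored key with the one just received
    (the policy the text recommends) but reports 'new', 'unchanged' or
    'changed', and appends an alert for every change so an operator can
    confirm it was a planned key rotation."""

    def __init__(self) -> None:
        self._keys: Dict[str, str] = {}
        self.alerts: List[str] = []

    def record(self, device_id: str, line: str) -> str:
        new_fp = fingerprint(line)
        old = self._keys.get(device_id)
        if old is None:
            status = "new"
        elif fingerprint(old) == new_fp:
            status = "unchanged"
        else:
            status = "changed"
            self.alerts.append(
                f"host key for {device_id} changed: {fingerprint(old)} -> {new_fp}")
        self._keys[device_id] = line   # keep the most recent key, as recommended
        return status

    def get(self, device_id: str) -> Optional[str]:
        return self._keys.get(device_id)


if __name__ == "__main__":
    # constructed keys standing in for two successive host keys of one router
    first = make_openssh_line("ssh-ed25519", bytes(range(32)), "router1")
    rotated = make_openssh_line("ssh-ed25519", bytes(range(1, 33)), "router1")
    store = HostKeyStore()
    for line in (first, first, rotated):
        print(store.record("router1", line), fingerprint(line))
    print(store.alerts)
```

In a real deployment the line passed to record() is the key taken from the router's initialization message, and the stored line is what the SSH client library is given as the expected host key for that device when it opens the session.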