Setting Up Junos PyEZ Managed Nodes
Junos PyEZ is a Python library that enables you to manage and automate devices running Junos OS. You do not need to install any client software on the nodes in order to use Junos PyEZ to manage the devices. Also, Python is not required on the managed devices, because Junos PyEZ utilizes NETCONF and the Junos XML APIs.
You can use Junos PyEZ to manage devices running Junos OS with any user account that has access to the device. You can explicitly define the user when creating a new instance of the jnpr.junos.device.Device class; if you do not specify a user in the parameter list, the user defaults to the value of the $USER environment variable. When you use Junos PyEZ to access and manage devices running Junos OS, Junos OS user account access privileges are enforced: the login class configured for the Junos OS user account determines the permissions. Thus, if you use Junos PyEZ to load configuration changes onto a device, the user must have permissions to change the relevant portions of the configuration.
Junos PyEZ enables you to connect directly to a device running Junos OS using a serial console connection, telnet, or a NETCONF session over SSH. To telnet directly to a device, you must first configure the Telnet service on the managed device. To manage devices through a NETCONF session over SSH, you must enable the SSH or NETCONF-over-SSH service on the managed device and ensure that the device meets requirements for SSHv2 connections. You do not need to configure these services if the client application connects to the device through a separate console server.
This topic outlines the requirements and required configuration on devices running Junos OS when using Junos PyEZ to access the device using the different connection protocols.
Enabling NETCONF over SSH on Devices Running Junos OS
To enable the NETCONF-over-SSH service on the default port (830) on a device running Junos OS:
- Configure the NETCONF-over-SSH service.
  [edit system services]
  user@host# set netconf ssh
  It is also possible to reach the NETCONF-over-SSH service on TCP port 22 by configuring the ssh statement at the [edit system services] hierarchy level, which enables SSH access to the device for all users and applications. However, we recommend configuring the netconf ssh statement, because a dedicated port makes NETCONF traffic easier to identify and filter.
- Commit the configuration.
  user@host# commit
Satisfying Requirements for SSHv2 Connections
The NETCONF server communicates with client applications within the context of a NETCONF session. The server and client explicitly establish a connection and session before exchanging data, and close the session and connection when they are finished. Junos PyEZ accesses the NETCONF server using the SSH protocol and standard SSH authentication mechanisms. When you use Junos PyEZ to manage devices running Junos OS, the most convenient way to access the devices is to configure SSH keys.
To establish an SSHv2 connection with a device running Junos OS, you must ensure that the following requirements are met:
- The NETCONF service over SSH is enabled on each device where a NETCONF session will be established.
- The client application has a user account and can log in to each device where a NETCONF session will be established.
- The login account used by the client application has an SSH public/private key pair or a text-based password configured.
- The client application can access the public/private keys or text-based password.
For additional information about enabling NETCONF on a device running Junos OS and satisfying the requirements for establishing an SSH session, see the NETCONF XML Management Protocol Developer Guide.
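As an added example (not code from the Juniper documentation), the following Python script opens a NETCONF-over-SSH session with jnpr.junos.Device using the user, key-pair and password rules described above, loads a set-format change, and commits only when the candidate configuration actually differs; it also covers the Telnet mode described later on this page. The host name, user name and key path are hypothetical.

```python
import os

# Transport defaults from the page: NETCONF over SSH listens on TCP 830 by
# default; Telnet (Junos PyEZ 2.0+) uses TCP 23 once the service is enabled.
NETCONF_SSH_PORT = 830
TELNET_PORT = 23

def default_user():
    """Junos PyEZ falls back to $USER when no user is passed to Device()."""
    return os.environ.get("USER")

def device_args(host, user=None, passwd=None, ssh_private_key_file=None, mode=None):
    """Build keyword arguments for jnpr.junos.Device (real parameter names).
    Over SSH a key pair is preferred and a password is used only when no key
    is given; Telnet carries credentials in clear text and supports passwords only."""
    args = {"host": host, "user": user or default_user(), "gather_facts": True}
    if mode == "telnet":
        args.update(mode="telnet", port=TELNET_PORT)
    else:
        args["port"] = NETCONF_SSH_PORT
    if ssh_private_key_file and mode != "telnet":
        args["ssh_private_key_file"] = ssh_private_key_file
    elif passwd:
        args["passwd"] = passwd
    return args

def load_set_config(host, set_commands, **kwargs):
    """Load 'set' statements and commit only if the candidate config changed.
    Returns the diff (None when nothing changed). The user's Junos login class
    must permit the change; otherwise the device rejects the RPC."""
    # Imported here so device_args() stays usable without Junos PyEZ installed.
    from jnpr.junos import Device
    from jnpr.junos.exception import ConnectError, RpcError
    from jnpr.junos.utils.config import Config
    try:
        with Device(**device_args(host, **kwargs)) as dev:
            with Config(dev, mode="exclusive") as cu:
                cu.load(set_commands, format="set")
                diff = cu.diff()
                if diff:
                    cu.commit(comment="loaded via Junos PyEZ")
                return diff
    except ConnectError as err:
        raise SystemExit(f"cannot open NETCONF session to {host}: {err}")
    except RpcError as err:  # includes permission denials from the login class
        raise SystemExit(f"device rejected the request: {err}")

if __name__ == "__main__":  # hypothetical host, user and key path
    print(load_set_config("router1.example.net", "set system host-name r1",
                          user="netops", ssh_private_key_file="/home/netops/.ssh/id_ed25519"))
```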
Configuring Telnet Service on Devices Running Junos OS
Starting in Junos PyEZ Release 2.0, Junos PyEZ applications can telnet to a device running Junos OS, provided that the Telnet service is configured on the device. Configuring Telnet service for a device enables unencrypted, remote access to the device.
Because telnet uses clear-text passwords (therefore creating a potential security vulnerability), we recommend that you use SSH.
To enable Telnet service:
- Configure the service.
  [edit system services]
  user@host# set telnet
- (Optional) Configure the connection limit, rate limit, and order of authentication, as necessary.
  [edit system services]
  user@host# set telnet connection-limit connection-limit
  user@host# set telnet rate-limit rate-limit
  user@host# set telnet authentication-order [radius tacplus password]
- Commit the configuration.
  user@host# commit