Authenticating Junos PyEZ Users Using a Password

 

Junos PyEZ enables you to connect to and manage devices running Junos OS using a serial console connection, telnet, or a NETCONF session over SSH. The device must be able to authenticate the user using either a password or other standard SSH authentication mechanisms, depending on the connection method.

You can execute Junos PyEZ methods using any user account that has access to the managed device running Junos OS. You can explicitly define the user and password when creating a new instance of the jnpr.junos.device.Device class. If you do not specify a user in the parameter list, the user defaults to $USER.

When establishing a NETCONF session over SSH, Junos PyEZ first attempts SSH public key-based authentication and then tries password-based authentication. When SSH keys are in use, the passwd argument is used as the passphrase for unlocking the private SSH key. When password-based authentication is used, the passwd argument is used as the password. If SSH public key-based authentication is being used and the SSH private key has an empty passphrase, then the passwd argument may be omitted. However, SSH private keys with empty passphrases are not recommended.

It is the user's responsibility to obtain the username and password authentication credentials in a secure manner appropriate for their environment. It is best practice to prompt for these authentication credentials during each invocation of the script, as shown in the following Python 3 example, rather than storing the credentials in an unencrypted format.

To authenticate a user using a password:

  1. In your favorite editor, create a new file that uses the .py file extension.

    This example uses the filename junos-pyez-pw.py.

  2. Include code that prompts for the hostname, username, and password and stores each value in a variable.

    Note

    For Python 2.7, you can use the raw_input() function instead of input(), or you can install the future module and include the "from builtins import input" line in your application to make the code compatible with both Python 2 and 3.

  3. In the Device constructor argument list, set the host, user, and passwd arguments to reference the appropriate variables, and include any additional arguments required for the connection method.

    The following example provides sample code for each of the different connection methods:

    Note

    All platforms running Junos OS have only the root user configured by default, without any password. When using Junos PyEZ to initially configure a new or zeroized device through a console connection, use user='root', and omit the passwd parameter.

  4. Execute the Junos PyEZ code, which prompts for the hostname, username, and password and does not echo the password on the command line.

    [user@localhost]$ python junos-pyez-pw.py
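
The steps above combined into one script, written here as an added example (not code from the original page or from the Junos PyEZ project). The helper name build_device_args, the method labels ssh/telnet/serial, and the default serial port /dev/ttyUSB0 are assumptions; the Device arguments host, user, passwd, mode, and port are PyEZ's own.

```python
import sys
from getpass import getpass

def build_device_args(method, hostname, username, password, port=None):
    """Return keyword arguments for jnpr.junos.Device (hypothetical helper)."""
    args = {"host": hostname, "user": username}
    # Omit passwd entirely when nothing was entered, e.g. user='root' on a
    # new or zeroized device reached through the console.
    if password:
        args["passwd"] = password
    if method == "ssh":
        pass  # NETCONF session over SSH is the default mode
    elif method == "telnet":
        args.update(mode="telnet", port=port or "23")
    elif method == "serial":
        # /dev/ttyUSB0 is an assumed device path; adjust for your system.
        args.update(mode="serial", port=port or "/dev/ttyUSB0")
    else:
        raise ValueError("unknown connection method: {0}".format(method))
    return args

def main():
    # Imported here so the helper above can be exercised without PyEZ installed.
    from jnpr.junos import Device
    from jnpr.junos.exception import ConnectError

    method = input("Connection method (ssh/telnet/serial): ").strip() or "ssh"
    hostname = input("Device hostname: ")
    username = input("Device username: ")
    password = getpass("Device password: ")  # not echoed to the terminal

    dev = Device(**build_device_args(method, hostname, username, password))
    try:
        dev.open()
    except ConnectError as err:
        print("Cannot connect to device: {0}".format(err))
        sys.exit(1)
    print(dev.facts)
    dev.close()

if __name__ == "__main__":
    main()
```

The password lives only in process memory for the duration of the run; nothing is written to disk or passed on the command line, where it would be visible in shell history and process listings.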