    Authenticating Junos PyEZ Users Using SSH Keys

    Junos PyEZ enables you to manage devices running Junos OS through a NETCONF session over SSH. When you use Junos PyEZ to manage a device running Junos OS using NETCONF over SSH, the device must be able to authenticate the user using standard SSH authentication mechanisms.

    You can execute Junos PyEZ methods using any user account that has access to the managed device running Junos OS. You can explicitly define the user when creating a new instance of the jnpr.junos.device.Device class, or if you do not specify a user in the parameter list, the user defaults to $USER. When you use Junos PyEZ to manage devices running Junos OS through a NETCONF session over SSH, the most convenient and secure way to access the devices is to configure SSH keys. SSH keys enable the remote device to identify trusted users.

    Junos PyEZ first attempts SSH public key-based authentication and then tries password-based authentication. When SSH keys are in use, the passwd argument is used as the passphrase for unlocking the private SSH key. When password-based authentication is used, the passwd argument is used as the password. If SSH public key-based authentication is being used and the SSH private key has an empty passphrase, then the passwd argument may be omitted. However, SSH private keys with empty passphrases are not recommended.

    It is the user's responsibility to obtain the username and password authentication credentials in a secure manner appropriate for their environment. It is best practice to prompt for these authentication credentials during each invocation of the script rather than storing the credentials in an unencrypted format.

    To use SSH keys in a Junos PyEZ application, you must first generate the keys on the configuration management server and configure the public key on each managed device running Junos OS. You must then include the appropriate arguments in the Device argument list.

    Junos PyEZ can utilize SSH keys that are generated in either the default location or a user-defined location and that either use or forgo password protection. Junos PyEZ also checks for keys that are actively loaded into an SSH key agent.

    The following sections outline the steps for generating the SSH keys, configuring the keys on devices running Junos OS, and connecting to the device using the keys:

    1. Generating and Configuring SSH Keys
    2. Referencing SSH Keys in Junos PyEZ Applications

    Generating and Configuring SSH Keys

    To generate SSH keys on the configuration management server and configure the public key on devices running Junos OS:

    1. On the server, generate the public and private SSH key pair for the desired user, and provide any required or desired options, for example:

      [user@localhost]$ cd ~/.ssh
      [user@localhost]$ ssh-keygen -t rsa
      Enter file in which to save the key (/home/user/.ssh/id_rsa): id_rsa_dc
      Enter passphrase (empty for no passphrase): *****
      Enter same passphrase again: *****
    2. (Optional) Load the key into the native SSH key agent.
    3. Configure the public key under the appropriate user account on all devices running Junos OS that will be managed using this key.

      The easiest method is to create a file that contains the public key and then load the file into the configuration.

      [edit]
      [user@router]# set system login user username authentication load-key-file URL
      [user@router]# commit
    4. Verify that the key works by logging in to the device using the key.
      [user@localhost]$ ssh -i ~/.ssh/id_rsa_dc router.example.com
      Enter passphrase for key '/home/user/.ssh/id_rsa_dc':
      user@router>

    Referencing SSH Keys in Junos PyEZ Applications

    After generating the SSH key pair and configuring the public key on the device running Junos OS, you can connect to the device using the key by including the appropriate arguments in the Device constructor code. The Device arguments are determined by the location of the key, whether the key is password-protected, and whether the key is actively loaded into an SSH key agent, such as ssh-agent. The following sections outline the various scenarios:

    Authenticating the User Using an SSH Key Agent with Actively Loaded Keys

    You can use an SSH key agent to securely store private keys and avoid repeatedly retyping the passphrase for password-protected keys. If you do not provide a password or SSH key file in the arguments of the Device constructor, Junos PyEZ first checks the SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location.

    To connect to a device running Junos OS using SSH keys that are actively loaded into the native SSH key agent:

    • In the Device argument list, you need only supply the required hostname and any desired variables.

      from jnpr.junos import Device

      # No passwd or ssh_private_key_file: keys loaded in the agent are tried first
      dev = Device(host='dc1a.example.com')
      

    Authenticating the User Using SSH Keys Without Password Protection

    To connect to a device running Junos OS using SSH keys that are in the default location and do not have password protection:

    • In the Device argument list, you need only supply the required hostname and any desired variables.

      from jnpr.junos import Device

      # No passwd or ssh_private_key_file: agent keys, then keys in ~/.ssh, are tried
      dev = Device(host='dc1a.example.com')
      

    Junos PyEZ first checks the SSH keys that are loaded in any active SSH key agent and then checks the SSH keys in the default location.

    To connect to a device running Junos OS using SSH keys that are not in the default location and do not have password protection:

    • In the Device argument list, set the ssh_private_key_file argument to the path of the SSH private key.

      from jnpr.junos import Device

      # Unprotected key outside the default location: give its path explicitly
      dev = Device(host='dc1a.example.com', ssh_private_key_file='/home/user/.ssh/id_rsa_dc')
      

    Authenticating the User Using Password-Protected SSH Key Files

    To connect to a device running Junos OS using a password-protected SSH key file:

    1. Include code that prompts for the private key password and stores the value in a variable.

      from jnpr.junos import Device
      from getpass import getpass
      
      passwd = getpass('Enter password for SSH private key file: ')
      
    2. In the Device argument list, set the ssh_private_key_file argument to the path of the private key, and set the passwd argument to reference the password variable.

      from jnpr.junos import Device
      from getpass import getpass
      
      host = 'dc1a.example.com'
      key_file = '/home/user/.ssh/id_rsa_dc'
      
      passwd = getpass('Enter password for SSH private key file: ')
      dev = Device(host=host, passwd=passwd, ssh_private_key_file=key_file)
      dev.open()
      ...
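
The scenarios above differ only in which arguments reach the Device constructor, and the choice depends on facts about the key file that are easy to get wrong (is it actually passphrase-protected? is it readable by other users?). The following is an added example, not Junos PyEZ project code, that derives the Device keyword arguments for each scenario and checks the key file before any NETCONF session is attempted. It assumes the two private-key formats ssh-keygen writes (the openssh-key-v1 container and legacy PEM), the SSH_AUTH_SOCK convention for locating an agent, and the hypothetical helper names below; the host and key path are the ones used on this page.

```python
# Added example (not Junos PyEZ project code): build the Device() keyword
# arguments for the SSH-key scenarios on this page and sanity-check the key
# file first. Helper names are this example's own, not a Junos PyEZ API.
import base64
import os
import stat
import struct
from getpass import getpass
from pathlib import Path


def key_is_passphrase_protected(key_path):
    """Return True if the private key file is encrypted with a passphrase.

    Handles the two formats ssh-keygen produces: the openssh-key-v1 container
    (ciphername field other than "none") and legacy PEM ("Proc-Type: 4,ENCRYPTED"
    header). Unknown formats are reported as protected so the caller prompts
    rather than silently sending an empty passphrase.
    """
    lines = Path(key_path).read_text(errors="replace").splitlines()
    if not lines:
        raise ValueError(f"{key_path}: empty key file")
    header = lines[0].strip()
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError(f"{key_path}: bad openssh-key-v1 magic")
        off = len(magic)
        (n,) = struct.unpack(">I", body[off:off + 4])  # length-prefixed ciphername
        cipher = body[off + 4:off + 4 + n]
        return cipher != b"none"
    if header.startswith("-----BEGIN") and header.endswith("PRIVATE KEY-----"):
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4])
    return True


def check_key_file_permissions(key_path):
    """Reject a private key readable by group or others, as ssh itself does."""
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{key_path}: mode {oct(mode)} is too open; expected 0600")
    return mode


def agent_is_running():
    """True if an SSH agent socket is advertised in the environment."""
    sock = os.environ.get("SSH_AUTH_SOCK")
    return bool(sock) and os.path.exists(sock)


def device_kwargs(host, key_file=None, passwd=None, prompt=getpass):
    """Build the keyword arguments for jnpr.junos.Device() for one scenario.

    key_file None       -> only host; Junos PyEZ tries agent keys, then ~/.ssh defaults
    key_file, unencrypted -> host + ssh_private_key_file
    key_file, encrypted   -> host + ssh_private_key_file + passwd (prompted if not given,
                             so the passphrase is never hard-coded in the script)
    """
    kwargs = {"host": host}
    if key_file is None:
        return kwargs
    key_path = Path(key_file).expanduser()
    if not key_path.is_file():
        raise FileNotFoundError(f"{key_path}: private key not found")
    check_key_file_permissions(key_path)
    kwargs["ssh_private_key_file"] = str(key_path)
    if key_is_passphrase_protected(key_path):
        if passwd is None:
            passwd = prompt(f"Enter passphrase for {key_path}: ")
        kwargs["passwd"] = passwd
    return kwargs


def connect(host, key_file=None, passwd=None):
    """Open the NETCONF-over-SSH session with the chosen arguments (needs junos-eznc)."""
    from jnpr.junos import Device  # imported lazily so the checks above run without it
    dev = Device(**device_kwargs(host, key_file, passwd))
    dev.open()
    return dev


if __name__ == "__main__":
    # Constructed illustration using the page's host and key path.
    print("agent available:", agent_is_running())
    print(device_kwargs("dc1a.example.com", "/home/user/.ssh/id_rsa_dc"))
```

The passphrase prompt is injected as a callable so that scripts keep the page's recommended behaviour (prompt at each invocation) while the selection logic stays testable; the permission check catches the common mistake of copying a key to the management server with a world-readable mode, which ssh would refuse to use anyway.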
      
    Modified: 2017-08-29