Authenticating Junos PyEZ Users
Junos PyEZ User Authentication Overview
Junos PyEZ enables you to directly connect to and manage devices running Junos OS using a serial console connection, telnet, or a NETCONF session over SSH. In addition, Junos PyEZ also supports connecting to the device through a telnet or SSH connection to a console server that is connected to the device’s CONSOLE port. The device must be able to authenticate the user using either a password or other standard SSH authentication mechanisms, depending on the connection method. When you manage devices running Junos OS through an SSH connection, the most convenient and secure way to access a device is to configure SSH keys. SSH keys enable the remote device to identify trusted users.
You can perform device operations using any user account that has access to the managed device running Junos OS. You can explicitly define the user when creating a new instance of the jnpr.junos.device.Device class, or if you do not specify a user in the parameter list, the user defaults to $USER.
For SSH connections, Junos PyEZ automatically queries the default SSH configuration file at ~/.ssh/config, if one exists, unless the Device argument list includes the ssh_config argument to specify a different configuration file. Junos PyEZ uses any relevant settings in the SSH configuration file for the given connection that are not overridden by the arguments in the Device argument list, such as the user or the identity file.
When the Junos PyEZ client uses SSH to connect to either the device running Junos OS or to a console server connected to the device, Junos PyEZ first attempts SSH public key-based authentication and then tries password-based authentication. When SSH keys are in use, the supplied password is used as the passphrase for unlocking the private key. When password-based authentication is used, the supplied password is used as the device password. If SSH public key-based authentication is being used and the SSH private key has an empty passphrase, then a password is not required. However, SSH private keys with empty passphrases are not recommended.
It is the user's responsibility to obtain the username and password authentication credentials in a secure manner appropriate for their environment. It is best practice to prompt for these authentication credentials during each invocation of the script rather than storing the credentials in an unencrypted format.
Authenticating Junos PyEZ Users Using a Password
To authenticate a Junos PyEZ user using a password:
- In your favorite editor, create a new file that uses the .py file extension. This example uses the filename junos-pyez-pw.py.
- Include code that prompts for the hostname to which to connect and the username and password for the device running Junos OS and stores each value in a variable.

```python
# Python 3
from jnpr.junos import Device
from getpass import getpass
import sys

hostname = input("Hostname: ")
junos_username = input("Junos OS username: ")
junos_password = getpass("Junos OS password: ")
```
Note: For Python 2.7, you can use the raw_input() function instead of input(), or you can install the future module and include the "from builtins import input" line in your application to make the code compatible with both Python 2 and 3.
- If the Junos PyEZ client connects to the device through an SSH connection to a console server, include code that prompts for the console server username and password and stores each value in a variable.

```python
# login credentials required for SSH connection to console server
cs_username = input("Console server username: ")
cs_password = getpass("Console server password: ")
```
- In the Device constructor argument list:
  - Set the host argument to the variable containing the hostname.
  - Set the user and passwd arguments to the variables containing the Junos OS login credentials.
  - If the Junos PyEZ client connects through a console server using SSH, set the cs_user and cs_passwd arguments to the variables containing the console server login credentials.
  - Include any additional arguments required for the connection method.

The following example provides sample code for each of the different connection methods:

```python
# Python 3
from jnpr.junos import Device
from getpass import getpass
import sys

hostname = input("Device hostname: ")
junos_username = input("Junos OS username: ")
junos_password = getpass("Junos OS password: ")

# login credentials required for SSH connection to console server
cs_username = input("Console server username: ")
cs_password = getpass("Console server password: ")

try:
    # NETCONF session over SSH
    with Device(host=hostname, user=junos_username, passwd=junos_password) as dev:
    # Telnet connection to device or console server connected to device
    #with Device(host=hostname, user=junos_username, passwd=junos_password, mode='telnet', port='23') as dev:
    # Serial console connection to device
    #with Device(host=hostname, user=junos_username, passwd=junos_password, mode='serial', port='/dev/ttyUSB0') as dev:
    # SSH connection to console server connected to device
    #with Device(host=hostname, user=junos_username, passwd=junos_password, cs_user=cs_username, cs_passwd=cs_password, timeout=5) as dev:
        print(dev.facts)
except Exception as err:
    print(err)
    sys.exit(1)
```
Note: All platforms running Junos OS have only the root user configured by default, without any password. When using Junos PyEZ to initially configure a new or zeroized device through a console connection, use user='root', and omit the passwd parameter.
- Execute the Junos PyEZ code, which prompts for the hostname, the Junos OS username and password, and the console server username and password (when requested) and does not echo the password on the command line.

```
bsmith@server:~$ python3 junos-pyez-pw.py
Device hostname: dc1a.example.com
Junos OS username: bsmith
Junos OS password:
Console server username: bsmith
Console server password:
{'domain': 'example.com', 'serialnumber': 'JNXXXXXXXXXX', 'ifd_style': 'CLASSIC', 'version_info': junos.version_info(major=(13, 3), type=R, minor=1, build=8), '2RE': True, 'hostname': 'dc1a', 'fqdn': 'dc1a.example.com', 'switch_style': 'NONE', 'version': '13.3R1.8', 'HOME': '/var/home/bsmith', 'model': 'MX240', 'RE0': {'status': 'OK', 'last_reboot_reason': 'Router rebooted after a normal shutdown.', 'model': 'RE-S-1300', 'up_time': '14 days, 17 hours, 45 minutes, 8 seconds'}, 'personality': 'MX'}
```
Authenticating Junos PyEZ Users Using SSH Keys
To use SSH keys in a Junos PyEZ application, you must first generate the keys on the configuration management server and configure the public key on each device to which the Junos PyEZ client will connect. To directly connect to the device running Junos OS, configure the key on that device. To connect to a device running Junos OS through a console server, configure the key on the console server. To use the keys, you must include the appropriate arguments in the Device argument list.
Junos PyEZ can utilize SSH keys that are actively loaded into an SSH key agent, keys that are generated in either the default location or a user-defined location, and keys that either use or forgo password protection. When connecting directly to a device running Junos OS, if the Device arguments do not specify a password or SSH key file, Junos PyEZ first checks the SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location. When connecting to a console server, only password-protected keys are supported.
The following sections outline the steps for generating the SSH keys, configuring the keys on devices running Junos OS, and using the keys to connect to the managed device:
Generating and Configuring SSH Keys
To generate SSH keys on the configuration management server and configure the public key on devices running Junos OS:
- On the server, generate the public and private SSH key pair for the desired user, and provide any required or desired options, for example:

```
user@server:~$ cd ~/.ssh
user@server:~/.ssh$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): id_rsa_dc
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
```
- (Optional) Load the key into the native SSH key agent.
- Configure the public key on each device to which the Junos PyEZ application will connect, which could include devices running Junos OS or a console server connected to the device running Junos OS.

The easiest method to configure the public key on a device running Junos OS is to load a file that contains the public key under the appropriate user account.

```
[edit]
user@router# set system login user username authentication load-key-file URL
user@router# commit
```
- Verify that the key works by logging in to the device using the key.

```
user@server:~$ ssh -i ~/.ssh/id_rsa_dc router.example.com
Enter passphrase for key '/home/user/.ssh/id_rsa_dc':
user@router>
```
Referencing SSH Keys in Junos PyEZ Applications
After generating the SSH key pair and configuring the public key on the remote device, you can use the key to connect to the device by including the appropriate arguments in the Device constructor code. The Device arguments are determined by the location of the key, whether the key is password-protected, whether the key is actively loaded into an SSH key agent, such as ssh-agent, and whether the user’s SSH configuration file already defines settings for that host. The following sections outline the various scenarios:
Authenticating the User Using an SSH Key Agent with Actively Loaded Keys
Authenticating the User Using SSH Keys Without Password Protection
Authenticating the User Using Password-Protected SSH Key Files
Authenticating the User Using an SSH Key Agent with Actively Loaded Keys
You can use an SSH key agent to securely store private keys and avoid repeatedly retyping the passphrase for password-protected keys. Junos PyEZ enables a client to connect directly to a device running Junos OS using SSH keys that are actively loaded into an SSH key agent. When connecting to a device running Junos OS, if the Device arguments do not specify a password or SSH key file, Junos PyEZ first checks the SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location.
To use SSH keys that are actively loaded into the native SSH key agent to connect directly to a device running Junos OS:
In the Device argument list, you need only supply the required hostname and any desired variables.

```python
dev = Device(host='router.example.com')
```
Authenticating the User Using SSH Keys Without Password Protection
Junos PyEZ enables a client to connect directly to a device running Junos OS using SSH private keys that do not have password protection, although we do not recommend using SSH private keys with an empty passphrase. Junos PyEZ does not support connecting to a console server using SSH private keys with an empty passphrase.
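The text above recommends against private keys with an empty passphrase and states that console-server connections do not support them at all. The following is an added example, not code from the Junos PyEZ documentation, that checks a private key file before its path is handed to Device(ssh_private_key_file=...): it reports whether the key is stored in the clear and whether the file is readable by other local users. It assumes a POSIX host and covers the two on-disk formats ssh-keygen produces (classic PEM with a Proc-Type header, and the openssh-key-v1 container, whose cipher and KDF names are read from the decoded blob). The sample keys are constructed headers with no real key material.

```python
# Added example: pre-flight checks for an SSH private key file (assumptions:
# POSIX file modes; key formats written by ssh-keygen).
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, offset):
    """Read one uint32 length-prefixed string from an openssh-key-v1 blob."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def key_is_encrypted(pem_text):
    """True if the private key is passphrase-protected, False if stored in the clear.
    Handles the classic PEM container and the OpenSSH container; raises ValueError otherwise."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armoured private key")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        ciphername, off = _read_string(blob, len(OPENSSH_MAGIC))
        kdfname, _ = _read_string(blob, off)
        # an unprotected key stores cipher "none" and KDF "none"
        return ciphername != b"none" and kdfname != b"none"
    # Classic PEM: encryption is signalled by a Proc-Type: 4,ENCRYPTED header.
    headers = [line for line in lines[1:-1] if ":" in line]
    return any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)


def permissions_ok(path):
    """True if the key file has no group/other permission bits set."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def check_private_key(path, require_passphrase=True):
    """Return a list of findings; an empty list means the key is acceptable to use."""
    findings = []
    if not permissions_ok(path):
        findings.append("key file is readable by group/other users")
    with open(path) as fh:
        encrypted = key_is_encrypted(fh.read())
    if require_passphrase and not encrypted:
        findings.append("private key has an empty passphrase")
    return findings


def _openssh_blob(ciphername, kdfname):
    """Constructed sample: only the head of an openssh-key-v1 container, no key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    body = OPENSSH_MAGIC + s(ciphername) + s(kdfname) + s(b"") + struct.pack(">I", 0)
    b64 = base64.b64encode(body).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples (not real keys).
SAMPLE_ENCRYPTED = _openssh_blob(b"aes256-ctr", b"bcrypt")
SAMPLE_PLAINTEXT = _openssh_blob(b"none", b"none")
SAMPLE_PEM_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def write_sample(text, mode):
    """Write a constructed sample key to a temp file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(prefix="id_rsa_sample_")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for label, text, mode in [("protected, 0600", SAMPLE_ENCRYPTED, 0o600),
                              ("empty passphrase", SAMPLE_PLAINTEXT, 0o600),
                              ("world-readable", SAMPLE_ENCRYPTED, 0o644)]:
        sample = write_sample(text, mode)
        print(label, "->", check_private_key(sample) or "ok")
        os.remove(sample)
```

Run check_private_key() on the path you intend to pass as ssh_private_key_file and refuse to proceed on any finding; for a console-server connection keep require_passphrase=True, since an unprotected key cannot be used there.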
To connect to a device running Junos OS using SSH keys that are in the default location and do not have password protection:
In the Device argument list, you need only supply the required hostname and any desired variables.

```python
dev = Device(host='router.example.com')
```
Junos PyEZ first checks the SSH keys that are loaded in any active SSH key agent and then checks the SSH keys in the default location.
To connect to a device running Junos OS using SSH keys that are not in the default location and do not have password protection:
In the Device argument list, set the ssh_private_key_file argument to the path of the SSH private key.

```python
dev = Device(host='router.example.com', ssh_private_key_file='/home/user/.ssh/id_rsa_dc')
```

Note: If the user’s SSH configuration file already specifies the local SSH private key file path for a given host, you can omit the ssh_private_key_file argument in the Device argument list. Including the ssh_private_key_file argument overrides any existing IdentityFile value defined for a host in the user’s SSH configuration file.
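The overview states that Junos PyEZ reads ~/.ssh/config and uses its settings unless a Device argument overrides them, and the note above gives the IdentityFile case. The following added example (not the documentation's or the library's own code) makes that precedence visible before a connection is attempted: it parses a constructed ssh_config, resolves the options for a host with OpenSSH's rule that the first value obtained for an option wins, and then merges in explicit Device arguments, which take priority. It assumes only the User and IdentityFile options matter, that Host patterns use plain glob syntax (negated "!" patterns and Match blocks are not handled), and that the default user is $USER as the page states.

```python
# Added example: which user/identity file will apply to a host, and where it came from.
# Assumptions: glob-only Host patterns; first obtained value wins, as in OpenSSH.
import fnmatch
import os


def parse_ssh_config(text):
    """Parse ssh_config text into a list of (host_patterns, options) blocks.
    Options before the first Host line form a global block matching every host."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(key, value)   # first occurrence inside a block wins
    if options:
        blocks.append((patterns, options))
    return blocks


def lookup(blocks, hostname):
    """Options for hostname: the first matching block that sets an option supplies it."""
    result = {}
    for patterns, options in blocks:
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    return result


def effective_settings(hostname, config_text, user=None, ssh_private_key_file=None,
                       default_user=os.environ.get("USER")):
    """Merge ssh_config values with explicit Device() arguments, which take priority.
    Returns {"user": (value, source), "identity_file": (value, source)}."""
    cfg = lookup(parse_ssh_config(config_text), hostname)
    settings = {}
    if user is not None:
        settings["user"] = (user, "Device(user=...)")
    elif "user" in cfg:
        settings["user"] = (cfg["user"], "ssh_config User")
    else:
        settings["user"] = (default_user, "$USER")
    if ssh_private_key_file is not None:
        settings["identity_file"] = (ssh_private_key_file, "Device(ssh_private_key_file=...)")
    elif "identityfile" in cfg:
        settings["identity_file"] = (cfg["identityfile"], "ssh_config IdentityFile")
    else:
        settings["identity_file"] = (None, "agent keys, then default ~/.ssh location")
    return settings


# Constructed sample ~/.ssh/config: the specific Host block is listed first on purpose,
# so its values take precedence over the wildcard block below it.
SAMPLE_CONFIG = """
Host router.example.com
    User netops
    IdentityFile ~/.ssh/id_rsa_dc

Host *.example.com
    User automation
    IdentityFile ~/.ssh/id_rsa_lab
    ServerAliveInterval 30
"""

if __name__ == "__main__":
    for host in ("router.example.com", "sw1.example.com", "other.net"):
        print(host, effective_settings(host, SAMPLE_CONFIG))
    # an explicit Device argument overrides the IdentityFile from the file
    print(effective_settings("router.example.com", SAMPLE_CONFIG,
                             ssh_private_key_file="/home/user/.ssh/id_rsa_dc"))
```

The "source" field is the useful part when a connection authenticates as the wrong user or with the wrong key: it tells you whether to change the Device argument list or the ssh_config file.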
Authenticating the User Using Password-Protected SSH Key Files
Junos PyEZ clients can use password-protected SSH key files to connect directly to a device running Junos OS or to connect to a console server connected to the device.
To connect directly to a device running Junos OS using a password-protected SSH key file:
- Include code that prompts for the SSH private key password and stores the value in a variable.

```python
from jnpr.junos import Device
from getpass import getpass

key_password = getpass('Password for SSH private key file: ')
```
- In the Device argument list, set the passwd argument to reference the variable containing the SSH key file password. If the key is not in the default location and the file path is not already defined in the user’s SSH configuration file, set the ssh_private_key_file argument to the path of the private key.

```python
from jnpr.junos import Device
from getpass import getpass

key_password = getpass('Password for SSH private key file: ')

dev = Device(host='router.example.com', passwd=key_password, ssh_private_key_file='/home/user/.ssh/id_rsa_dc')
dev.open()
# ...
dev.close()
```
To connect to a device running Junos OS through a console server using a password-protected SSH key file:
- Include code that prompts for the login credentials for the device running Junos OS and stores each value in a variable.

```python
from jnpr.junos import Device
from getpass import getpass

junos_username = input('Junos OS username: ')
junos_password = getpass('Junos OS password: ')
```
- Include code that prompts for the console server username and the SSH private key password and stores each value in a variable.

```python
from jnpr.junos import Device
from getpass import getpass

junos_username = input('Junos OS username: ')
junos_password = getpass('Junos OS password: ')

cs_username = input("Console server username: ")
key_password = getpass('Password for SSH private key file: ')
```
- In the Device constructor argument list:
  - Set the host argument to the console server hostname or IP address.
  - Set the user and passwd arguments to the variables containing the Junos OS login credentials.
  - Set the cs_user argument to the variable containing the console server username.
  - Set the cs_passwd argument to the variable containing the SSH key file password.
  - Set the ssh_private_key_file argument to the path of the private key, if the key is not in the default location and the file path is not already defined in the user’s SSH configuration file.

```python
from jnpr.junos import Device
from getpass import getpass

junos_username = input('Junos OS username: ')
junos_password = getpass('Junos OS password: ')

cs_username = input("Console server username: ")
key_password = getpass('Password for SSH private key file: ')

with Device(host='router.example.com', user=junos_username, passwd=junos_password, cs_user=cs_username, cs_passwd=key_password, ssh_private_key_file='/home/user/.ssh/id_rsa_dc') as dev:
    print(dev.facts)
    # ...
```
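The scenarios in this section and the preceding ones differ only in which Device arguments are supplied, and the page's own examples catch every exception with a bare except and print it. The following added example (not code from the Junos PyEZ documentation or the library) gathers those rules into one function that builds the Device keyword arguments for a given scenario and rejects the combinations the page describes as unsupported, in particular a console-server connection with an empty cs_passwd, before any connection is made. It also separates authentication failures from reachability failures using the ConnectAuthError and ConnectError classes from jnpr.junos.exception, and logs the argument set with secrets redacted. PyEZ is imported only inside connect(), so the argument logic can be run without the library installed; the hostnames and paths are placeholders.

```python
# Added example: Device() argument builder for the scenarios on this page.
# Assumes the Device argument names used on the page (host, user, passwd,
# ssh_private_key_file, cs_user, cs_passwd) and PyEZ's ConnectAuthError/ConnectError.

def device_kwargs(host, user=None, passwd=None, ssh_private_key_file=None,
                  console_server=False, cs_user=None, cs_passwd=None):
    """Return the keyword arguments for Device() for one scenario:

    * direct, keys in an agent or the default location: host only (user if not $USER)
    * direct, key file elsewhere: ssh_private_key_file, plus passwd as the key passphrase
    * direct, password login: user and passwd
    * through a console server: user/passwd for Junos OS, cs_user/cs_passwd for the
      console server; cs_passwd is the key passphrase when a key file is used and
      must not be empty, because unprotected keys are not supported there
    """
    if not host:
        raise ValueError("host is required")
    kwargs = {"host": host}
    if user:
        kwargs["user"] = user
    if passwd:
        kwargs["passwd"] = passwd
    if ssh_private_key_file:
        kwargs["ssh_private_key_file"] = ssh_private_key_file
    if console_server:
        if not cs_user:
            raise ValueError("cs_user is required when connecting through a console server")
        if not cs_passwd:
            raise ValueError("console server connections need a password or a "
                             "passphrase-protected key; empty passphrases are unsupported")
        kwargs["cs_user"] = cs_user
        kwargs["cs_passwd"] = cs_passwd
    elif cs_user or cs_passwd:
        raise ValueError("cs_user/cs_passwd only apply to console server connections")
    return kwargs


def redacted(kwargs):
    """Copy of the kwargs that is safe to log: secrets masked, host and paths kept."""
    return {k: ("***" if k in ("passwd", "cs_passwd") else v) for k, v in kwargs.items()}


def connect(kwargs):
    """Open the session and return dev.facts. PyEZ is imported here so the rest of
    this module runs without it; auth failures are reported apart from reachability."""
    from jnpr.junos import Device
    from jnpr.junos.exception import ConnectAuthError, ConnectError
    try:
        with Device(**kwargs) as dev:
            return dev.facts
    except ConnectAuthError:
        raise SystemExit("authentication failed for %s" % redacted(kwargs))
    except ConnectError as err:
        raise SystemExit("connection failed: %s" % err)


if __name__ == "__main__":
    from getpass import getpass
    # direct connection with a password-protected key outside the default location
    key_password = getpass("Password for SSH private key file: ")
    args = device_kwargs("router.example.com", passwd=key_password,
                         ssh_private_key_file="/home/user/.ssh/id_rsa_dc")
    print("connecting with", redacted(args))
    print(connect(args))
```

Because the validation runs before Device() is instantiated, a script that is about to use an unprotected key against a console server fails with a clear message at the argument stage rather than with a generic connection error after the SSH handshake.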