Troubleshooting Authentication Errors When Using Salt to Manage Devices Running Junos OS
Description: After starting the proxy minion process for a device running Junos OS and accepting the key on the Salt master, the Junos proxy (for Salt) fails to connect to the device, and the proxy log file on the proxy minion server includes an error regarding failed authentication. For example:
    saltuser@salt-master:~$ sudo salt 'router1' test.ping
    router1:
        Minion did not return. [No response]

    saltuser@minion:~/.ssh$ sudo cat /var/log/salt/proxy
    ...
      File "/usr/lib/python3/dist-packages/salt/minion.py", line 3420, in _post_master_init
        proxy_init_fn(self.opts)
      File "/usr/lib/python3/dist-packages/salt/proxy/junos.py", line 109, in init
        thisproxy['conn'].open()
      File "/usr/local/lib/python3.6/dist-packages/jnpr/junos/device.py", line 1268, in open
        raise EzErrors.ConnectAuthError(self)
    jnpr.junos.exception.ConnectAuthError: ConnectAuthError(router1.example.com)
The Salt user might fail to authenticate with a device running Junos OS for the following reasons:
The user does not have an account on the device running Junos OS.
The user has an account with a text-based password configured on the device running Junos OS, but the wrong password or no password is supplied for the user in the pillar file that defines the proxy configuration for that device.
The user has an account and authenticates with the device running Junos OS using SSH keys, but the SSH keys are inaccessible on either the device or the proxy minion server.
The user’s SSH configuration file on the proxy minion server, which is automatically queried when the Junos proxy attempts to establish the connection, defines incorrect settings for authenticating with that device.
If you do not specify a user in the pillar file that defines the proxy information or in an SSH configuration file, the user defaults to the current user.
Verify the following configuration items to ensure that the user can authenticate with the managed device:
The Salt user authenticating with the device running Junos OS has a login account on the device, and a text-based password or SSH public key is configured for the account.
If SSH keys are configured, verify that the user can access them on the proxy minion server and can successfully connect to the device using the keys.
The user’s SSH configuration file does not contain any settings for that device that will cause the connection to fail, for example, a different username or SSH key file.
The correct parameters are supplied for the device’s proxy configuration on the Salt master, for example:
    # /srv/pillar/router1-proxy.sls
    proxy:
      proxytype: junos
      host: router1.example.com
      username: saltuser
      password: lab123    # SSH password or SSH key file password
      ssh_private_key_file: /home/saltuser/.ssh/id_rsa_salt    # non-default SSH key location on proxy minion server
      port: 830
If you update the pillar file containing the proxy configuration for a given device, you might need to restart the proxy minion process for that device on the proxy minion server and accept the new Salt key on the Salt master for the changes to take effect.
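The checks above can be run offline before restarting the proxy. The following is an added example, not code from Salt, Junos PyEZ, or the original page: it resolves which username and key file a connection would use from a pillar `proxy` mapping and the user's SSH configuration, and lists the problems described above. The function names, the sample SSH configuration, and the precedence order (pillar value first, then SSH configuration, then the current user) are assumptions.

```python
import fnmatch
import getpass
import os

# Constructed sample of the Salt user's ~/.ssh/config on the proxy minion server.
SAMPLE_SSH_CONFIG = """\
Host router1.example.com
    User admin
    IdentityFile ~/.ssh/id_rsa_other
Host *
    User fallback
"""

def ssh_config_for(host, config_text):
    """First-match User/IdentityFile for host (no Match blocks or '!' patterns)."""
    found, active = {}, True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatch.fnmatch(host, pat) for pat in value.split())
        elif active and key in ("user", "identityfile"):
            found.setdefault(key, value)  # report only the first value obtained
    return found

def effective_login(proxy, config_text, current_user=None, readable=None):
    """Return (user, key_file, findings) for one pillar 'proxy' mapping."""
    readable = readable or (lambda path: os.access(path, os.R_OK))
    cfg = ssh_config_for(proxy["host"], config_text)
    # Assumed precedence: pillar value, then SSH config, then the current user.
    user = proxy.get("username") or cfg.get("user") or current_user or getpass.getuser()
    key = proxy.get("ssh_private_key_file") or cfg.get("identityfile")
    findings = []
    if not proxy.get("username"):
        findings.append(f"pillar sets no username; login will be attempted as {user!r}")
    if key and not readable(os.path.expanduser(key)):
        findings.append(f"key file {key} is not readable by the proxy minion user")
    if not key and not proxy.get("password"):
        findings.append("neither a password nor a key file is configured")
    return user, key, findings

if __name__ == "__main__":
    pillar = {"proxytype": "junos", "host": "router1.example.com", "port": 830}
    print(effective_login(pillar, SAMPLE_SSH_CONFIG, current_user="saltuser"))
```

Run it as the same user that runs the proxy minion process, so the key file readability check reflects that user's permissions.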