Troubleshooting Authentication Errors When Using Salt to Manage Devices Running Junos OS

 

Problem

Description: After starting the proxy minion process for a device running Junos OS and accepting the key on the Salt master, the Junos proxy (for Salt) fails to connect to the device, and the proxy log file on the proxy minion server includes an error regarding failed authentication. For example:

saltuser@salt-master:~$ sudo salt 'router1' test.ping
saltuser@minion:~/.ssh$ sudo cat /var/log/salt/proxy

Cause

The Salt user might fail to authenticate with a device running Junos OS for the following reasons:

  • The user does not have an account on the device running Junos OS.

  • The user has an account with a text-based password configured on the device running Junos OS, but the wrong password or no password is supplied for the user in the pillar file that defines the proxy configuration for that device.

  • The user has an account and authenticates with the device running Junos OS using SSH keys, but the SSH keys are inaccessible on either the device or the proxy minion server.

  • The user’s SSH configuration file on the proxy minion server, which is automatically queried when the Junos proxy attempts to establish the connection, defines incorrect settings for authenticating with that device.

Note

If you do not specify a user in the pillar file that defines the proxy information or in an SSH configuration file, the user defaults to the current user.

Solution

Verify the following configuration items to ensure that the user can authenticate with the managed device:

  • The Salt user authenticating with the device running Junos OS has a login account on the device, and a text-based password or SSH public key is configured for the account.

  • If SSH keys are configured, the user can access them on the proxy minion server and can successfully connect to the device using the keys.

  • The user’s SSH configuration file does not contain any settings for that device that will cause the connection to fail, for example, a different username or SSH key file.

  • The correct parameters are supplied for the device’s proxy configuration on the Salt master, for example:

If you update the pillar file containing the proxy configuration for a given device, you might need to restart the proxy minion process for that device on the proxy minion server and accept the new Salt key on the Salt master for the changes to take effect.
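
The checks in the Solution list can be scripted on the proxy minion server. The following is an added example, not part of the original documentation or of Salt. It assumes the pillar keys `host`, `username`, `password`, and `ssh_private_key_file` as used by Salt's Junos proxy, and it reads only a simplified subset of OpenSSH client configuration syntax.

```python
import fnmatch
import os

def ssh_config_for(host, text):
    """Settings an OpenSSH client config applies to host (first value wins).
    Simplified: no Match blocks, negated patterns, or 'key=value' syntax."""
    settings, active = {}, True  # lines before the first Host apply to all
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = any(fnmatch.fnmatch(host, p) for p in value.split())
        elif active:
            settings.setdefault(key, value)
    return settings

def check_proxy_auth(proxy, ssh_config_text="", current_user=None):
    """Return findings for the causes listed above. `proxy` is the dict under
    the pillar's 'proxy:' key (key names are assumptions, see lead-in)."""
    findings = []
    ssh = ssh_config_for(proxy["host"], ssh_config_text)
    user = proxy.get("username")
    if not user:
        fallback = ssh.get("user") or current_user or os.environ.get("USER", "?")
        findings.append(f"no username in pillar; connection will use '{fallback}'")
    elif ssh.get("user", user) != user:
        findings.append(f"ssh config User '{ssh['user']}' differs from pillar username '{user}'")
    key = proxy.get("ssh_private_key_file") or ssh.get("identityfile")
    if key:
        path = os.path.expanduser(key)
        if not os.path.isfile(path) or not os.access(path, os.R_OK):
            findings.append(f"key file {key} is missing or unreadable")
        elif os.stat(path).st_mode & 0o077:
            findings.append(f"key file {key} is accessible to group/others")
    elif not proxy.get("password"):
        findings.append("no password or key file set for this device")
    return findings

if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    pillar_proxy = {"proxytype": "junos", "host": "router1", "username": "saltuser"}
    ssh_cfg = "Host router*\n    User admin\n    IdentityFile /nonexistent/id_rsa\n"
    for finding in check_proxy_auth(pillar_proxy, ssh_cfg):
        print("-", finding)
```

Run it as the account that starts the proxy minion process, so that file access is evaluated for the same user.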