Establishing an Outbound SSH Connection

To enable a configuration management server to establish an outbound SSH connection with the client server, you must satisfy the following requirements:

Configuring the Device Running Junos OS for Outbound SSH

To configure the device running Junos OS for outbound SSH:

  1. At the [edit system services ssh] hierarchy level, set the SSH protocol-version to v2:
    [edit system services ssh]
    user@host# set protocol-version v2
  2. During the initialization of an outbound SSH connection, the client authenticates the identity of the router or switch using the public SSH host key of the device. Therefore, before the client can initiate the SSH sequence, it needs the public SSH key of the device. When you configure the secret statement, the device passes its public SSH key as part of the outbound SSH connection initiation sequence. When the secret statement is set and the device establishes an outbound SSH connection, the device communicates its device ID, its public SSH key, and an SHA1 hash derived in part from the secret statement. The value of the secret statement is shared between the device and the management client. The client uses the shared secret to authenticate the public SSH host key it is receiving to determine whether the public key is from the device identified by the device-id statement. This key pair will be used to encrypt the data transferred across the SSH connection.
  3. If the public key will be installed on the configuration management server manually, transfer the public key to the configuration management server.
  4. Once the client application has the device’s public SSH host key, it can then initiate the sequence as if it had created the TCP/IP connection and can authenticate the device using its copy of the device’s public host SSH key as part of that sequence.
  5. To configure various client servers available for this outbound SSH connection, list each client with a separate address statement.
  6. Add the following outbound-ssh statement at the [edit system services ssh] hierarchy level:
    [edit system services]
    outbound-ssh {
        client client-id {
            device-id device-id;
            secret secret;
            keep-alive {
                retry number;
                timeout number;
            }
            reconnect-strategy (sticky | in-order);
            services service-name;
            address [ address ] {
                port destination-port;
                retry number;
                timeout number;
            }
        }
    }

    The attributes are as follows:

    • client client-id—Identifies the outbound SSH configuration stanza on the device. Each outbound SSH stanza represents a single outbound SSH connection. This attribute is not sent to the client.
    • device-id device-id—Unique ID identifying the device running Junos OS to the configuration management server during the initiation process.
    • secret secret—(Optional) Public SSH host key of the device. If this statement is added to the outbound SSH configuration hierarchy, the device will pass its public key to the configuration management server during the initialization of the outbound SSH service. This is the recommended method of maintaining a current copy of the device's public key on the configuration management server.
    • keep-alive—(Optional) Specify that keepalive messages be sent from the device running Junos OS to the configuration management server. To configure the keepalive message, you must set both the timeout and retry attributes.
      • retry number—Number of keepalive messages the device running Junos OS sends without receiving a response from the configuration management server before the current SSH connection is terminated. The default is three tries.
      • timeout seconds—Amount of time, in seconds, that the server waits for data before sending a keepalive signal. The default is 15 seconds.
    • reconnect-strategy (sticky | in-order)—(Optional) Method that the device running Junos OS uses to reestablish a disconnected outbound SSH connection. Two methods are available:
      • sticky—The device attempts to reconnect to the configuration management server to which it was last connected. If the connection is unavailable, the device attempts to establish a connection with the next configuration management server on the list and so forth until a connection is established.
      • in-order—The device attempts to reestablish an outbound SSH session based on the configuration management server address list. The device attempts to establish a session with the first server on the list. If this connection is not available, the device attempts to establish a session with the next server, and so on down the list until a connection is established.

      When reconnecting to a client, the device running Junos OS attempts to reconnect to the client based on the retry and timeout values for each client listed in the configuration management server list.

    • services service-name—(Required) Specifies the services available for the session.
    • address—(Required) The hostname or the IPv6 address of the configuration management server. You can list multiple clients by adding each client's IP address or hostname along with the following connection parameters:
      • port destination-port—Outbound SSH port for the client. The default is port 22.
      • retry number—Number of times the device running Junos OS attempts to establish an outbound SSH connection before giving up. The default is three tries.
      • timeout seconds—Amount of time, in seconds, that the device running Junos OS attempts to establish an outbound SSH connection before giving up. The default is 15 seconds.
  7. Commit the configuration:
    [edit]
    user@host# commit
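A complete outbound-ssh stanza with the optional attributes filled in, written as an added illustration rather than taken from Juniper's documentation. The client ID nms1, device ID router-lab-01, the placeholder shared secret, the service name netconf, and the two documentation-range server addresses (192.0.2.10 and 2001:db8::10) are constructed values; the address stanzas follow the notation of the statement above, where the server address itself names the stanza.

```junos
/* Added example: a device that dials out to two management servers,
   tries the last-used server first, and keeps the session alive. */
system {
    services {
        ssh {
            /* Step 1: outbound SSH requires protocol version 2 */
            protocol-version v2;
        }
        outbound-ssh {
            /* client ID is local to the device; it is never sent to the server */
            client nms1 {
                /* identity the device presents during connection initiation */
                device-id router-lab-01;
                /* shared with the management server; lets it verify the
                   host key it receives really belongs to router-lab-01 */
                secret "<shared-secret-placeholder>";
                /* both values must be set for keepalives to take effect;
                   these are the documented defaults */
                keep-alive {
                    retry 3;
                    timeout 15;
                }
                /* reconnect to the last-connected server first,
                   then fall through the list below */
                reconnect-strategy sticky;
                /* assumed service name; NETCONF-over-SSH is a common choice */
                services netconf;
                /* first server: non-default port, more patient connect retries */
                192.0.2.10 {
                    port 2222;
                    retry 5;
                    timeout 30;
                }
                /* second server (IPv6): defaults of 3 retries, 15 s timeout */
                2001:db8::10 {
                    port 2222;
                }
            }
        }
    }
}
```

Before committing, confirm the management server at each listed address has a copy of the device's public host key (either pushed via the secret statement or installed manually), otherwise the server will reject the host-key authentication step described in step 4.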