Connecting to the NETCONF Server Using SSH
Before a client application can connect to the NETCONF server using SSH, you must satisfy the requirements described in Establishing an SSH Connection for a NETCONF Session.
When the prerequisites are satisfied, applications written in Perl use the NETCONF Perl module to connect to the NETCONF server. A client application that does not use the NETCONF Perl module uses one of the following methods:
It uses SSH library routines to establish an SSH connection to the NETCONF server, provide the username and password or passphrase, and create a channel that acts as an SSH subsystem for the NETCONF session. Providing instructions for using library routines is beyond the scope of this document.
It establishes a NETCONF session using the ssh command.
To establish a NETCONF session as an SSH subsystem over the default NETCONF port (830), the client application issues the following command:
    ssh user@hostname -p 830 -s netconf
The -p option defines the port number on which the NETCONF server listens. This option can be omitted if you enabled access to SSH over the default port in Enabling NETCONF Service over SSH.
The -s option establishes the NETCONF session as an SSH subsystem.
To establish a NETCONF session over the default SSH port (22) and use pseudo-tty allocation, the client application issues the following command:
    ssh user@hostname -t netconf
Using multiple -t options forces pseudo-tty allocation even if SSH has no local tty.
Establishing a NETCONF session as an SSH subsystem on a dedicated port makes it easier for a device to identify and filter NETCONF traffic. However, establishing a NETCONF session over the default SSH port using the -t option has the advantage of making the session visible on the device running Junos OS, for example, when issuing the show system users operational command.
The application must include code to intercept the NETCONF server’s prompt for the password or passphrase. Perhaps the most straightforward method is for the application to use a utility such as the expect command. The NETCONF Perl client uses this method, for example.
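The following is an added example, not code from this document or from Juniper: a client that starts the ssh command from a program has to build the argument list from a user name and host name without letting either be read as an ssh option, and then read the server's first message. The function names, the validation pattern, and the sample hello are assumptions made for illustration; the ]]>]]> end-of-message marker comes from RFC 6242 rather than from this page, and open_session assumes key-based authentication so that ssh does not prompt.

```python
import io
import re
import subprocess

EOM = b"]]>]]>"  # NETCONF end-of-message marker over SSH (RFC 6242)
SAFE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")  # cannot start with '-'

def netconf_ssh_argv(user, host, port=None, subsystem=True):
    """Build the ssh argument list for either connection style on this page."""
    for label, value in (("user", user), ("host", host)):
        # A value starting with '-' would be read by ssh as an option.
        if not SAFE.fullmatch(value):
            raise ValueError(f"unsafe {label}: {value!r}")
    port = int(port if port is not None else (830 if subsystem else 22))
    if not 0 < port < 65536:
        raise ValueError(f"bad port: {port}")
    # -s requests the subsystem; a doubled -t forces a pseudo-tty even though
    # an ssh started by a program has no local tty.
    mode = ["-s"] if subsystem else ["-t", "-t"]
    return ["ssh", "-p", str(port), *mode, f"{user}@{host}", "netconf"]

def read_message(stream):
    """Read one NETCONF message from a binary stream, up to the marker."""
    buf = bytearray()
    while not buf.endswith(EOM):
        byte = stream.read(1)
        if not byte:
            raise EOFError("stream closed before end-of-message marker")
        buf += byte
    return bytes(buf[:-len(EOM)]).strip()

def open_session(user, host, port=None):
    """Start ssh as a child process; return it and the server's <hello>."""
    # An argument list with no shell: nothing in user or host is re-parsed.
    proc = subprocess.Popen(netconf_ssh_argv(user, host, port),
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    return proc, read_message(proc.stdout)

# Constructed sample of what a server sends first, so this runs offline.
SAMPLE = (b'<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">'
          b"<capabilities><capability>urn:ietf:params:netconf:base:1.0"
          b"</capability></capabilities></hello>\n]]>]]>\n")

if __name__ == "__main__":
    print(" ".join(netconf_ssh_argv("user", "hostname")))
    print(read_message(io.BytesIO(SAMPLE)).decode())
```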