Before the configuration management server establishes an SSH connection with a router running the JUNOS software, you must satisfy the requirements discussed in the following sections:
The configuration management server handles the SSH connection between the configuration management server and the router. Therefore, the SSH software must be installed locally on the configuration management server. If the application uses the NETCONF Perl module provided by Juniper Networks, no further action is necessary. As part of the installation procedure for the Perl module, you install a prerequisites package that includes the necessary SSH software. If the application does not use the NETCONF Perl module, obtain the SSH software and install it on the computer where the application runs. For information about obtaining and installing SSH software, see http://www.ssh.com and http://www.openssh.com.
The configuration management server must log in to each router running the JUNOS software when establishing a NETCONF session. Thus, each configuration management server needs a user account on each router where it will establish a NETCONF session. The following instructions explain how to create a JUNOS login account for the configuration management server. Alternatively, you can skip this section and enable authentication through RADIUS or TACACS+; for instructions, see the chapter about system authentication in the JUNOS System Basics Configuration Guide.
To determine if a JUNOS login account exists, enter JUNOS command-line interface (CLI) configuration mode on the router you wish to check, and issue the following commands:
```text
[edit]
user@host# edit system login

[edit system login]
user@host# show user account-name
```
If the appropriate account does not exist, create it with the following commands. Choose a login class that grants only the permissions the configuration management server actually needs (a dedicated class rather than super-user), because every NETCONF operation runs with that class's permissions:
```text
[edit system login]
user@host# set user account-name class class-name

[edit system login]
user@host# commit
```
The configuration management server needs an SSH public/private key pair, a text-based password, or both before it can authenticate with the NETCONF server. A public/private key pair is sufficient if the account is used only to connect to the NETCONF server through SSH. If the account is also used to access the router in other ways (for login on the console, for example), it must have a text-based password. The password is also used (the SSH server prompts for it) if key-based authentication is configured but fails.
Note: You can skip this section if you have chosen to enable authentication through RADIUS or TACACS+, as described in the chapter about system authentication in the JUNOS System Basics Configuration Guide.
Follow the instructions in the appropriate section:
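The following is an added example, not code from the original page or from Juniper. It builds the `[edit]`-level statements for the login account described above and, before emitting an SSH public key, checks that the key is well formed: the type prefix must match the key type encoded inside the base64 blob (RFC 4253 length-prefixed fields), and an RSA modulus must be at least 2048 bits. The `ssh-rsa` and `ssh-ed25519` authentication keywords, the account name `cms`, the class name `netconf-ro`, and the constructed test keys are assumptions; check which key types your JUNOS release accepts.

```python
"""Build JUNOS login-account statements for a configuration management server.

Added example, not from the page or from Juniper. Assumptions: the 'ssh-rsa' and
'ssh-ed25519' authentication keywords exist in your JUNOS release, and the login
class you name has only the permissions the server needs. The keys produced by
constructed_pubkey() are test fixtures, not real key material."""
import base64
import struct

SUPPORTED_KEY_TYPES = ("ssh-rsa", "ssh-ed25519")   # assumption: adjust for your JUNOS release
MIN_RSA_BITS = 2048


def _read_string(blob, offset):
    """Read one length-prefixed field (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def parse_openssh_pubkey(line):
    """Return {'type','bits','comment','line'} for one authorized_keys-style line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded, off = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != key_type:
        raise ValueError("type prefix does not match the encoded key")
    bits = None
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent (not checked here)
        n, _ = _read_string(blob, off)         # modulus, encoded as an mpint
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA key is only {bits} bits")
    elif key_type == "ssh-ed25519":
        pub, _ = _read_string(blob, off)
        if len(pub) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    return {"type": key_type, "bits": bits, "comment": comment,
            "line": " ".join(p for p in (key_type, b64, comment) if p)}


def junos_login_statements(user, login_class, pubkey_line=None, with_password=False):
    """Statements to enter at [edit]: create the account, attach the key and,
    optionally, a text-based password (the CLI prompts for it at that statement)."""
    stmts = [f"set system login user {user} class {login_class}"]
    if pubkey_line is not None:
        key = parse_openssh_pubkey(pubkey_line)
        if key["type"] not in SUPPORTED_KEY_TYPES:
            raise ValueError(f"unsupported key type {key['type']}")
        stmts.append(f'set system login user {user} authentication {key["type"]} "{key["line"]}"')
    if with_password:
        stmts.append(f"set system login user {user} authentication plain-text-password")
    return stmts


def key_rejection_reason(line):
    """None if the key passes the checks, else the message explaining the rejection."""
    try:
        parse_openssh_pubkey(line)
    except ValueError as exc:
        return str(exc)
    return None


def constructed_pubkey(key_type, *fields, comment="cms@example"):
    """Constructed test key: frames the fields the way OpenSSH encodes a public key.
    The RSA modulus is filler bytes, not a real key; it only exercises the parser."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(),) + fields)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"
```

Paste the returned statements at the `[edit]` prompt and commit. A key whose prefix and encoded type disagree is rejected before it reaches the router, which catches a pasted key that was edited by hand or mixed up with another account's key.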
The client application must be able to access the public/private key pair or the password you created in JUNOS Login Account Has Public/Private Key Pair or Password, and provide them when the NETCONF server prompts for them.
There are several methods for enabling the application to access the key or password:
The IETF draft titled Using the NETCONF Configuration Protocol over Secure Shell (SSH) requires that the NETCONF server by default provide SSH access to client machines over a dedicated Transmission Control Protocol (TCP) port, to make it easy to identify and filter NETCONF traffic. The port for the JUNOS NETCONF server is 32000. In addition, you can enable client applications to access the NETCONF server over the default SSH port (22). (For more information about the IETF draft, see Generating Well-Formed XML Documents.)
Perform the following steps. The second set statement, which enables the regular SSH service on port 22 for all users, is needed only if client applications will also connect on that port; omit it if they use only the dedicated NETCONF port:
```text
[edit system login user account-name authentication]
user@host# top

[edit]
user@host# set system services netconf ssh

[edit]
user@host# set system services ssh

[edit]
user@host# commit
```
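The exchange that follows once the service is enabled, as an added example that is not part of the original page or Juniper's own code: the client connects to the port configured above, requests the SSH `netconf` subsystem, exchanges `<hello>` messages delimited by `]]>]]>` as the IETF draft specifies, and then issues a `<get-config>`. The real transport uses paramiko (assumed installed, imported only when `connect_netconf()` is called); the framing and hello logic is exercised offline against a constructed `FakeChannel` that replays a JUNOS-shaped server hello and reply. The port value 32000 is taken from this page; the hostname, session-id and reply contents are constructed.

```python
"""NETCONF-over-SSH session bootstrap for a JUNOS router (added example, not
Juniper code). Assumes paramiko for the real transport (imported only inside
connect_netconf), the dedicated port stated on this page (32000) or port 22, and
an account created as above with an SSH key and/or a text-based password."""
import os
import xml.etree.ElementTree as ET

EOM = b"]]>]]>"             # end-of-message delimiter from the NETCONF-over-SSH draft
NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_CAP = "urn:ietf:params:netconf:base:1.0"
JUNOS_NETCONF_PORT = 32000  # as stated on this page; the regular SSH port is 22
CLIENT_HELLO = (f'<hello xmlns="{NS}"><capabilities>'
                f'<capability>{BASE_CAP}</capability></capabilities></hello>')

def frame(xml_text):
    """Append the delimiter so the peer can find where the message ends."""
    return xml_text.encode("utf-8") + EOM

def parse_hello(xml_text):
    """Validate the server <hello>; return its session-id and capabilities."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{NS}}}hello":
        raise ValueError(f"expected <hello>, got {root.tag}")
    caps = [c.text.strip() for c in root.iter(f"{{{NS}}}capability") if c.text]
    if BASE_CAP not in caps:
        raise ValueError("server does not advertise NETCONF base:1.0")
    return {"session_id": root.findtext(f"{{{NS}}}session-id"), "capabilities": caps}

class NetconfSession:
    """Hello exchange and synchronous <rpc>/<rpc-reply> over any object with recv(n)/sendall(b)."""
    def __init__(self, chan):
        self.chan, self.buf, self.message_id = chan, bytearray(), 0
        self.server = parse_hello(self._read())   # read the server hello, then send ours
        self.chan.sendall(frame(CLIENT_HELLO))

    def _read(self):
        while EOM not in self.buf:                # recv() returns arbitrary chunks
            data = self.chan.recv(4096)
            if not data:
                raise ConnectionError("channel closed before end-of-message delimiter")
            self.buf.extend(data)
        end = self.buf.index(EOM)
        msg = bytes(self.buf[:end]).decode("utf-8")
        del self.buf[:end + len(EOM)]             # keep any bytes of the next message
        return msg

    def rpc(self, body_xml):
        """Send one operation; return the <rpc-reply> whose message-id matches."""
        self.message_id += 1
        self.chan.sendall(frame(f'<rpc message-id="{self.message_id}" xmlns="{NS}">{body_xml}</rpc>'))
        reply = ET.fromstring(self._read().strip())
        if reply.tag != f"{{{NS}}}rpc-reply" or reply.get("message-id") != str(self.message_id):
            raise ValueError("reply does not match the outstanding request")
        err = reply.find(f"{{{NS}}}rpc-error")
        if err is not None:
            raise RuntimeError(err.findtext(f"{{{NS}}}error-message", default="rpc-error"))
        return reply

def connect_netconf(host, username, key_filename=None, password=None,
                    port=JUNOS_NETCONF_PORT, known_hosts="~/.ssh/known_hosts"):
    """Open the SSH 'netconf' subsystem. paramiko tries the key first and falls
    back to the password when one is given, the behaviour described above."""
    import paramiko                               # assumption: installed on the server
    client = paramiko.SSHClient()
    client.load_host_keys(os.path.expanduser(known_hosts))
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # never auto-trust a router key
    client.connect(host, port=port, username=username, key_filename=key_filename,
                   password=password, allow_agent=False, look_for_keys=False, timeout=15)
    chan = client.get_transport().open_session()
    chan.invoke_subsystem("netconf")
    return client, NetconfSession(chan)

class FakeChannel:
    """Constructed stand-in for a Channel: replays queued server bytes in small
    chunks (so EOM can straddle a read) and records what the client sent."""
    def __init__(self, inbound, chunk=7):
        self.inbound, self.chunk, self.sent = inbound, chunk, b""

    def recv(self, _n):
        data, self.inbound = self.inbound[:self.chunk], self.inbound[self.chunk:]
        return data

    def sendall(self, data):
        self.sent += data

# Constructed messages in the shape of a JUNOS server hello and a get-config reply.
SAMPLE_HELLO = (f'<hello xmlns="{NS}"><capabilities><capability>{BASE_CAP}</capability>'
                '<capability>http://xml.juniper.net/netconf/junos/1.0</capability>'
                '</capabilities><session-id>4711</session-id></hello>')
SAMPLE_REPLY = (f'<rpc-reply xmlns="{NS}" message-id="1"><data><configuration><system>'
                '<host-name>router</host-name></system></configuration></data></rpc-reply>')
GET_RUNNING = "<get-config><source><running/></source></get-config>"

def demo_get_config():
    """Hello exchange plus one <get-config> against the fake channel."""
    chan = FakeChannel(frame(SAMPLE_HELLO) + frame(SAMPLE_REPLY))
    session = NetconfSession(chan)
    host = session.rpc(GET_RUNNING).findtext(f".//{{{NS}}}host-name")
    return session.server["session_id"], host, chan.sent
```

Two details matter in practice. The router's host key must already be in the known-hosts file: `RejectPolicy` refuses an unknown key instead of silently trusting it, which is the right default for a server that will push configuration to many routers. And because `_read()` buffers across `recv()` calls, the delimiter is found even when it arrives split across two reads, a case that bites naive implementations that search each chunk separately.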