
Sending the Router’s Public SSH Key

During the initialization of an SSH connection, the client authenticates the identity of the router using the router’s public SSH host key. Therefore, before the client can initiate the SSH sequence, it needs the router’s public SSH key. When you configure the secret statement, the router running JUNOS software passes the router’s public SSH key as part of the outbound SSH connection initiation sequence.

When the secret statement is set and the router establishes an outbound SSH connection, the router sends its device ID, its public SSH host key, and a SHA1 hash derived in part from the value of the secret statement. The value of the secret statement is shared between the router and the management client. The client uses the shared secret to verify the public SSH host key it receives, so that it can determine whether the key really belongs to the router identified by the device-id statement.

Using the secret statement to transport the router’s public SSH host key is optional. You can manually transport and install the public key onto the client system.

Note: Including the secret statement means that the router’s public SSH host key is sent every time the router establishes a connection to the client. It is then up to the client to decide what to do with the SSH host key if it already has one for that router. We recommend that you replace the client’s copy with the new key. Host keys can change for various reasons and by replacing the key each time a connection is established, you ensure that the client has the latest key.

To configure a router that is running the JUNOS software to send its public SSH host key each time it connects to the client, include the secret statement at the [edit system services outbound-ssh client client-id] hierarchy level:

[edit system services outbound-ssh client client-id]
secret password;

The message sent by the JUNOS router when the secret statement is configured:

MSG-ID: DEVICE-CONN-INFO\r\n
MSG-VER: V1\r\n
DEVICE-ID: <device-id>\r\n
HOST-KEY: <public-host-key>\r\n
HMAC: <HMAC(pub-SSH-host-key, <secret>)>\r\n
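The following added example (not JUNOS code, and not from this documentation) shows the client-side check the text describes: parse a DEVICE-CONN-INFO message, recompute the HMAC over the host key with the shared secret, and accept the key only if the device ID and HMAC both match. The exact HMAC construction (HMAC-SHA1 keyed with the secret over the host-key text, hex-encoded) and the sample key, device ID and secret are assumptions for illustration.

```python
import hmac
import hashlib

# Assumption: HMAC-SHA1 keyed with the shared secret, taken over the host-key
# text, hex-encoded. The real JUNOS encoding may differ from this.
def compute_hmac(host_key: str, secret: str) -> str:
    return hmac.new(secret.encode(), host_key.encode(), hashlib.sha1).hexdigest()

def build_device_conn_info(device_id: str, host_key: str, secret: str) -> str:
    """Router side (assumed format): build the CRLF-terminated message."""
    lines = [
        "MSG-ID: DEVICE-CONN-INFO",
        "MSG-VER: V1",
        f"DEVICE-ID: {device_id}",
        f"HOST-KEY: {host_key}",
        f"HMAC: {compute_hmac(host_key, secret)}",
    ]
    return "".join(line + "\r\n" for line in lines)

def parse_device_conn_info(msg: str) -> dict:
    """Split 'NAME: value' lines into a dict; blank lines are ignored."""
    fields = {}
    for line in msg.split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    return fields

def verify_device_conn_info(msg: str, expected_device_id: str, secret: str):
    """Client side: return the host key only if the message is well-formed,
    names the expected device, and its HMAC matches under the shared secret.
    Returns None otherwise, so the caller never installs an unverified key."""
    f = parse_device_conn_info(msg)
    if f.get("MSG-ID") != "DEVICE-CONN-INFO" or f.get("MSG-VER") != "V1":
        return None
    if f.get("DEVICE-ID") != expected_device_id:
        return None
    host_key, tag = f.get("HOST-KEY"), f.get("HMAC")
    if not host_key or not tag:
        return None
    # Constant-time comparison so the check does not leak the expected tag.
    if not hmac.compare_digest(compute_hmac(host_key, secret), tag):
        return None
    return host_key

# Constructed sample values; not a real router's host key or secret.
SAMPLE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3example"
SAMPLE_MSG = build_device_conn_info("router-1", SAMPLE_KEY, "s3cret")
```

A client that keeps only keys returned by verify_device_conn_info follows the recommendation above: it replaces its stored copy with the latest key, but only when the HMAC proves the key came from the router holding the shared secret.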
