Prerequisites for Outbound SSH Connections

The outbound SSH feature allows the initiation of an SSH session between JUNOS routers and Network and System Management servers where client initiated TCP/IP connections are blocked (for example when the router is behind a firewall). To configure outbound SSH, you add an outbound-ssh configuration statement to the JUNOS router. Once configured and committed, the JUNOS router will begin to initiate an outbound SSH session with the configured management clients. Once the outbound SSH session is initialized and the connection is established, the Network and System Management server initiates the SSH sequence as the client and the JUNOS device as the server that authenticates the client.

Setting up outbound SSH involves:

• Configuring the JUNOS router for outbound SSH
• Configuring the management server for outbound SSH.

To configure the JUNOS router for outbound SSH:

1. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
2. In the [edit system services ssh] hierarchy level, set the SSH protocol to v2:

   [edit system services ssh]
   set protocol-version v2

3. Generate/obtain a public/private key pair for the JUNOS router. This key pair will be used to encrypt the data transferred across the SSH connection. For more information on generating key pairs, see the System Basics Configuration Guide.
4. If the public key will be installed on the application management system manually, transfer the public key to the NSM server.
5. Add the following outbound-ssh statement at the [edit system services] hierarchy level:

   [edit system services]
   outbound-ssh client {
       
   application-id {
           device-id device-id;
           secret secret;
           keep-alive {
               retry number;
               timeout number;
           }
           reconnect-strategy (sticky | in-order) ;
           services netconf;
           
   address {
               port destination-port;
               retry number;
               timeout number;
           }
       }
   }

   The attributes are as follows:

   • application-id—(Required) The application-id is used to identify the outbound-ssh configuration stanza on the router. Each outbound-ssh stanza represents a single outbound SSH connection. This attribute is not sent to the client.
   • device-id—(Required) The device-id identifies the JUNOS device to the client during the initiation sequence.
   • secret—(Optional) The JUNOS router's public SSH Host Key. If added to the outbound-ssh statement, during the initialization of the outbound SSH service, the JUNOS device will pass its public key to the management server. This is the recommended method of maintaining a current copy of the router's public key.
   • keep-alive—(Optional) When configured, the router will send keep alive messages to the management server. To configure the keep alive message, you must set both the timeout and retry attributes.
     • retry—The number of keep alive messages the JUNOS device will send without receiving a response from the client before the current SSH connection will be disconnected. (default=3)
     • timeout—The amount of time, in seconds, that the JUNOS server will wait for data before sending a keep alive signal. (default =15)
   • reconnect-strategy—(Optional) Specifies the method the JUNOS router will use to re-establish an outbound SSH connection that was disconnected. There are two methods available sticky and in-order:
     • sticky—The router will attempt to reconnect to the management server the router was last connected with first. If the connection is unavailable, it will attempt to establish a connection with the next client on the list and so fourth until a connection is made.
     • in-order—The router will attempt to establish an outbound SSH session based on the management server address list. The router attempts to establish a session with the first server on the list. If this connection is not available, the router attempts to establish a session with the next server. The router will continue through the list until a connection is established.

     When reconnecting to a client, the JUNOS router will attempt to reconnect to the client based on the retry and timeout values for each of the clients listed.

   • services—(Required) Specifies the services available for the session. Currently, NETCONF is the only service available.
   • address—(Required) The host name or the IPv4 address of the NSM application server. You can list multiple clients by adding each client's IP address or host name along with the connection parameters listed below.
     • port—The port that the client will use for the outbound SSH connection. (default=22)
     • retry– The number of times the JUNOS router will attempt to establish an outbound SSH connection before gving up. (default=3)
     • timeout—The amount of time, in seconds, that the JUNOS router will attempt to establish an outbound SSH connection before giving up. (default=15)
6. Commit the configuration:

   [edit]

   user@host# commit

To set up the Network and Systems Management Server:

1. Satisfy the prerequisites discussed in Prerequisites for All Access Protocols.
2. Enable the application to access the SSH software.
   • If the application uses the JUNOScript Perl module provided by Juniper Networks, no action is necessary. As part of the installation procedure for the Perl module, you install a prerequisites package that includes the necessary SSH software. For instructions, see Downloading the JUNOS Module and Sample Scripts.
   • If the application does not use the JUNOScript Perl module, obtain the SSH software and install it on the computer where the application runs. For information about obtaining and installing SSH software, see http://www.ssh.com and http://www.openssh.com.
3. (Optional) Manually install the JUNOS router's public key for use with the SSH connection.
4. Configure the client system to receive an process initialization broadcast requests. The intialization requests use the following syntax:
   • If the secret attribute is configured, the JUNOS router will send its public SSH key along with the intialization sequence (recommended method). When the key has been received, the client needs to determine what to do with the router’s public key. Juniper recommends that you replace any current public SSH key for the router with the new key. This ensures that the client always has the current key available for authentication.

     MSG-ID: DEVICE-CONN-INFO\r\n
     MSG-VER: V1\r\n
     DEVICE-ID: <device-id>\r\n
     HOST-KEY: <pub-host-key>\r\n
     HMAC: <HMAC(pub-SSH-host-key, <secret>)>\r\n

   • If the secret attribute is not configured, the JUNOS router does not send its public SSH key along with the initialization sequence. You need to manually install the current public SSH key for the router.

     MSG-ID: DEVICE-CONN-INFO\r\n
     MSG-VER: V1\r\n
     DEVICE-ID: <device-id>\r\n

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.