Authenticate Junos PyEZ Users

Junos PyEZ User Authentication Overview

Junos PyEZ enables you to directly connect to and manage Junos devices using a serial console connection, telnet, or a NETCONF session over SSH. In addition, Junos PyEZ also supports connecting to the device through a telnet or SSH connection to a console server that is connected to the device’s CONSOLE port. The device must be able to authenticate the user using either a password or other standard SSH authentication mechanisms, depending on the connection method. When you manage Junos devices through an SSH connection, the most convenient and secure way to access a device is to configure SSH keys. SSH keys enable the remote device to identify trusted users.

You can perform device operations using any user account that has access to the managed Junos device. You can explicitly define the user when creating a new instance of the jnpr.junos.device.Device class, or if you do not specify a user in the parameter list, the user defaults to $USER.

For SSH connections, Junos PyEZ automatically queries the default SSH configuration file at ~/.ssh/config, if one exists, unless the Device argument list includes the ssh_config argument to specify a different configuration file. Junos PyEZ uses any relevant settings in the SSH configuration file for the given connection that are not overridden by the arguments in the Device argument list, such as the user or the identity file.

When the Junos PyEZ client uses SSH to connect to either the Junos device or to a console server connected to the device, Junos PyEZ first attempts SSH public key-based authentication and then tries password-based authentication. When SSH keys are in use, the supplied password is used as the passphrase for unlocking the private key. When password-based authentication is used, the supplied password is used as the device password. If SSH public key-based authentication is being used and the SSH private key has an empty passphrase, then a password is not required. However, SSH private keys with empty passphrases are not recommended.

It is the user's responsibility to obtain the username and password authentication credentials in a secure manner appropriate for their environment. It is best practice to prompt for these authentication credentials during each invocation of the script rather than storing the credentials in an unencrypted format.

Authenticate Junos PyEZ Users Using a Password

To authenticate a Junos PyEZ user using a password:

In your favorite editor, create a new file that uses the .py file extension.
This example uses the filename junos-pyez-pw.py.

Include code that prompts for the hostname to which to connect and the username and password for the Junos device and stores each value in a variable.

If the Junos PyEZ client connects to the device through an SSH connection to a console server, include code that prompts for the console server username and password and stores each value in a variable.

In the Device constructor argument list:

Set the host argument to the variable containing the hostname
Set the user and passwd arguments to the variables containing the Junos OS login credentials
If the Junos PyEZ client connects through a console server using SSH, set the cs_user and cs_passwd arguments to the variables containing the console server login credentials.
Include any additional arguments required for the connection method

The following example provides sample code for each of the different connection methods:

Note:

All platforms running Junos OS have only the root user configured by default, without any password. When using Junos PyEZ to initially configure a new or zeroized device through a console connection, use user='root', and omit the passwd parameter.

Execute the Junos PyEZ code, which prompts for the hostname, the Junos OS username and password, and the console server username and password (when requested) and does not echo the password on the command line.

Authenticate Junos PyEZ Users Using SSH Keys

To use SSH keys in a Junos PyEZ application, you must first generate the keys on the configuration management server and configure the public key on each device to which the Junos PyEZ client will connect. To directly connect to the Junos device, configure the key on that device. To connect to a Junos device through a console server, configure the key on the console server. To use the keys, you must include the appropriate arguments in the Device argument list.

Junos PyEZ can utilize SSH keys that are actively loaded into an SSH key agent, keys that are generated in either the default location or a user-defined location, and keys that either use or forgo password protection. When connecting directly to a Junos device, if the Device arguments do not specify a password or SSH key file, Junos PyEZ first checks the SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location. When connecting to a console server, only password-protected keys are supported.

The following sections outline the steps for generating the SSH keys, configuring the keys on Junos devices, and using the keys to connect to the managed device:

Generate and Configure SSH Keys
Reference SSH Keys in Junos PyEZ Applications

Generate and Configure SSH Keys

To generate SSH keys on the configuration management server and configure the public key on Junos devices:

On the server, generate the public and private SSH key pair for the desired user, and provide any required or desired options, for example:

(Optional) Load the key into the native SSH key agent.
Configure the public key on each device to which the Junos PyEZ application will connect, which could include Junos devices or a console server connected to the Junos device.
One method to configure the public key under the appropriate user account on a Junos device is to load the public key from a file.

Verify that the key works by logging in to the device using the key.

Reference SSH Keys in Junos PyEZ Applications

After generating the SSH key pair and configuring the public key on the remote device, you can use the key to connect to the device by including the appropriate arguments in the Device constructor code. The Device arguments are determined by the location of the key, whether the key is password-protected, whether the key is actively loaded into an SSH key agent, such as ssh-agent, and whether the user’s SSH configuration file already defines settings for that host. The following sections outline the various scenarios:

Authenticate the User Using an SSH Key Agent with Actively Loaded Keys
Authenticate the User Using SSH Keys Without Password Protection
Authenticate the User Using Password-Protected SSH Key Files

Authenticate the User Using an SSH Key Agent with Actively Loaded Keys

You can use an SSH key agent to securely store private keys and avoid repeatedly retyping the passphrase for password-protected keys. Junos PyEZ enables a client to connect directly to a Junos device using SSH keys that are actively loaded into an SSH key agent. When connecting to a Junos device, if the Device arguments do not specify a password or SSH key file, Junos PyEZ first checks the SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location.

To use SSH keys that are actively loaded into the native SSH key agent to connect directly to a Junos device:

In the Device argument list, you need only supply the required hostname and any desired variables.

Authenticate the User Using SSH Keys Without Password Protection

Junos PyEZ enables a client to connect directly to a Junos device using SSH private keys that do not have password protection, although we do not recommend using SSH private keys with an empty passphrase. Junos PyEZ does not support connecting to a console server using SSH private keys with an empty passphrase.

To connect to a Junos device using SSH keys that are in the default location and do not have password protection:

In the Device argument list, you need only supply the required hostname and any desired variables.

Junos PyEZ first checks the SSH keys that are loaded in any active SSH key agent and then checks the SSH keys in the default location.

To connect to a Junos device using SSH keys that are not in the default location and do not have password protection:

In the Device argument list, set the ssh_private_key_file argument to the path of the SSH private key.
Note:
If the user’s SSH configuration file already specifies the local SSH private key file path for a given host, you can omit the ssh_private_key_file argument in the Device argument list. Including the ssh_private_key_file argument overrides any existing IdentityFile value defined for a host in the user’s SSH configuration file.

Authenticate the User Using Password-Protected SSH Key Files

Junos PyEZ clients can use password-protected SSH key files to connect directly to a Junos device or to connect to a console server connected to the device.

To connect directly to a Junos device using a password-protected SSH key file:

Include code that prompts for the SSH private key password and stores the value in a variable.

In the Device argument list, set the passwd argument to reference the variable containing the SSH key file password.

If the key is not in the default location and the file path is not already defined in the user’s SSH configuration file, set the ssh_private_key_file argument to the path of the private key.

To connect to a Junos device through a console server using a password-protected SSH key file:

Include code that prompts for the login credentials for the Junos device and stores each value in a variable.

Include code that prompts for the console server username and the SSH private key password and stores each value in a variable.