Authenticate Junos PyEZ Users
Junos PyEZ User Authentication Overview
Junos PyEZ enables you to directly connect to and manage devices
running Junos OS using a serial console connection, telnet, or a NETCONF
session over SSH. In addition, Junos PyEZ also supports connecting
to the device through a telnet or SSH connection to a console server
that is connected to the device’s CONSOLE
port. The
device must be able to authenticate the user using either a password
or other standard SSH authentication mechanisms, depending on the
connection method. When you manage devices running Junos OS through
an SSH connection, the most convenient and secure way to access a
device is to configure SSH keys. SSH keys enable the remote device
to identify trusted users.
You can perform device operations using any user account that
has access to the managed device running Junos OS. You can explicitly
define the user when creating a new instance of the jnpr.junos.device.Device
class, or if you do not specify a user in the parameter list, the
user defaults to $USER
.
For SSH connections, Junos PyEZ automatically queries the default
SSH configuration file at ~/.ssh/config, if one exists, unless the Device
argument
list includes the ssh_config
argument to
specify a different configuration file. Junos PyEZ uses any relevant
settings in the SSH configuration file for the given connection that
are not overridden by the arguments in the Device
argument list, such as the user or the identity file.
When the Junos PyEZ client uses SSH to connect to either the device running Junos OS or to a console server connected to the device, Junos PyEZ first attempts SSH public key-based authentication and then tries password-based authentication. When SSH keys are in use, the supplied password is used as the passphrase for unlocking the private key. When password-based authentication is used, the supplied password is used as the device password. If SSH public key-based authentication is being used and the SSH private key has an empty passphrase, then a password is not required. However, SSH private keys with empty passphrases are not recommended.
It is the user's responsibility to obtain the username and password authentication credentials in a secure manner appropriate for their environment. It is best practice to prompt for these authentication credentials during each invocation of the script rather than storing the credentials in an unencrypted format.
Authenticate Junos PyEZ Users Using a Password
To authenticate a Junos PyEZ user using a password:
Authenticate Junos PyEZ Users Using SSH Keys
To use SSH keys in a Junos
PyEZ application, you must first generate the keys on the configuration
management server and configure the public key on each device to which
the Junos PyEZ client will connect. To directly connect to the device
running Junos OS, configure the key on that device. To connect to
a device running Junos OS through a console server, configure the
key on the console server. To use the keys, you must include the appropriate
arguments in the Device
argument list.
Junos PyEZ can utilize SSH keys that are actively loaded into
an SSH key agent, keys that are generated in either the default location
or a user-defined location, and keys that either use or forgo password
protection. When connecting directly to a device running Junos OS,
if the Device
arguments do not specify
a password or SSH key file, Junos PyEZ first checks the SSH keys that
are actively loaded in the SSH key agent and then checks for SSH keys
in the default location. When connecting to a console server, only
password-protected keys are supported.
The following sections outline the steps for generating the SSH keys, configuring the keys on devices running Junos OS, and using the keys to connect to the managed device:
Generate and Configure SSH Keys
To generate SSH keys on the configuration management server and configure the public key on devices running Junos OS:
Reference SSH Keys in Junos PyEZ Applications
After generating the SSH key pair and configuring
the public key on the remote device, you can use the key to connect
to the device by including the appropriate arguments in the Device
constructor code. The Device
arguments are determined by the location of the key, whether the
key is password-protected, whether the key is actively loaded into
an SSH key agent, such as ssh-agent, and whether the user’s
SSH configuration file already defines settings for that host. The
following sections outline the various scenarios:
- Authenticate the User Using an SSH Key Agent with Actively Loaded Keys
- Authenticate the User Using SSH Keys Without Password Protection
- Authenticate the User Using Password-Protected SSH Key Files
Authenticate the User Using an SSH Key Agent with Actively Loaded Keys
You can use an SSH key agent to securely store private keys
and avoid repeatedly retyping the passphrase for password-protected
keys. Junos PyEZ enables a client to connect directly to a device
running Junos OS using SSH keys that are actively loaded into an SSH
key agent. When connecting to a device running Junos OS, if the Device
arguments do not specify a password or SSH key
file, Junos PyEZ first checks the SSH keys that are actively loaded
in the SSH key agent and then checks for SSH keys in the default location.
To use SSH keys that are actively loaded into the native SSH key agent to connect directly to a device running Junos OS:
In the
Device
argument list, you need only supply the required hostname and any desired variables.dev = Device(host='router.example.com')
Authenticate the User Using SSH Keys Without Password Protection
Junos PyEZ enables a client to connect directly to a device running Junos OS using SSH private keys that do not have password protection, although we do not recommend using SSH private keys with an empty passphrase. Junos PyEZ does not support connecting to a console server using SSH private keys with an empty passphrase.
To connect to a device running Junos OS using SSH keys that are in the default location and do not have password protection:
In the
Device
argument list, you need only supply the required hostname and any desired variables.dev = Device(host='router.example.com')
Junos PyEZ first checks the SSH keys that are loaded in any active SSH key agent and then checks the SSH keys in the default location.
To connect to a device running Junos OS using SSH keys that are not in the default location and do not have password protection:
In the
Device
argument list, set thessh_private_key_file
argument to the path of the SSH private key.dev = Device(host='router.example.com', ssh_private_key_file='/home/user/.ssh/id_rsa_dc')
Note:If the user’s SSH configuration file already specifies the local SSH private key file path for a given host, you can omit the
ssh_private_key_file
argument in theDevice
argument list. Including thessh_private_key_file
argument overrides any existingIdentityFile
value defined for a host in the user’s SSH configuration file.
Authenticate the User Using Password-Protected SSH Key Files
Junos PyEZ clients can use password-protected SSH key files to connect directly to a device running Junos OS or to connect to a console server connected to the device.
To connect directly to a device running Junos OS using a password-protected SSH key file:
To connect to a device running Junos OS through a console server using a password-protected SSH key file:
Include code that prompts for the login credentials for the device running Junos OS and stores each value in a variable.
from jnpr.junos import Device from getpass import getpass junos_username = input('Junos OS username: ') junos_password = getpass('Junos OS password: ')
Include code that prompts for the console server username and the SSH private key password and stores each value in a variable.
from jnpr.junos import Device from getpass import getpass junos_username = input('Junos OS username: ') junos_password = getpass('Junos OS password: ') cs_username = input('Console server username: ') key_password = getpass('Password for SSH private key file: ')
In the
Device
constructor argument list:Set the
host
argument to the console server hostname or IP addressSet the
user
andpasswd
arguments to the variables containing the Junos OS login credentialsSet the
cs_user
argument to the variable containing the console server usernameSet the
cs_passwd
argument to the variable containing the SSH key file passwordSet the
ssh_private_key_file
argument to the path of the private key, if the key is not in the default location and the file path is not already defined in the user’s SSH configuration file
from jnpr.junos import Device from getpass import getpass junos_username = input('Junos OS username: ') junos_password = getpass('Junos OS password: ') cs_username = input('Console server username: ') key_password = getpass('Password for SSH private key file: ') with Device(host='router.example.com', user=junos_username, passwd=junos_password, cs_user=cs_username, cs_passwd=key_password, ssh_private_key_file='/home/user/.ssh/id_rsa_dc') as dev: print (dev.facts) # ...