Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Establish an SSH Connection for a NETCONF Session

Establish an SSH Connection for a NETCONF Session

You use the SSH protocol to establish connections between a configuration management server and a device running Junos OS. A configuration management server, as the name implies, is used to configure the device running Junos OS remotely.

There are two options available when establishing a connection between the configuration management server and a device running Junos OS: SSH and outbound SSH. With SSH, the configuration management server initiates an SSH session with the device running Junos OS. Outbound SSH is used when the configuration management server cannot initiate an SSH connection because of network restrictions (such as a firewall). In this situation, the device running Junos OS is configured to initiate, establish, and maintain an SSH connection with a predefined set of configuration management servers. For a complete discussion of outbound SSH, see Configuring Outbound SSH Service .

Prerequisites for Establishing an SSH Connection for NETCONF Sessions

Before the configuration management server establishes an SSH connection with a device running Junos OS, you must satisfy the requirements discussed in the following sections.

Installing SSH Software on the Configuration Management Server

The configuration management server handles the SSH connection between the configuration management server and the device running Junos OS. Therefore, the SSH software must be installed locally on the configuration management server. For information about obtaining and installing SSH software, see http://www.ssh.com/ and http://www.openssh.com/.

Configuring a User Account for the Client Application on Devices Running Junos OS

When establishing a NETCONF session, the configuration management server must log in to the device running Junos OS. Thus, each configuration management server needs a user account on each device where a NETCONF session will be established. The following instructions explain how to create a login account on devices running Junos OS. Alternatively, you can skip this section and enable authentication through RADIUS or TACACS+.

To determine whether a login account exists on a device running Junos OS, enter CLI configuration mode on the device and issue the following commands:

If the appropriate account does not exist, perform the following steps to create one:

  1. Configure the user statement at the [edit system login] hierarchy level and specify a username. Include the class statement, and specify a login class that has the permissions required for all actions to be performed by the application.
  2. Optionally, include the full-name and uid statements at the [edit system login user username] hierarchy level.
  3. Commit the configuration to activate the user account on the device.
  4. Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.

See Also

Configuring a Public/Private Key Pair or Password for the Junos OS User Account

The configuration management server needs an SSH public/private key pair, a text-based password, or both before it can authenticate with the NETCONF server. A public/private key pair is sufficient if the account is used only to connect to the NETCONF server through SSH. If the account is also used to access the device in other ways (for login on the console, for example), it must have a text-based password. The password is also used (the SSH server prompts for it) if key-based authentication is configured but fails.

Note:

You can skip this section if you have chosen to enable authentication through RADIUS or TACACS+.

To create a text-based password, perform the following steps:

  1. Include either the plain-text-password or encrypted-password statement at the [edit system login user username authentication] hierarchy level.

    To enter a password as text, issue the following command. You are prompted for the password, which is encrypted before being stored.

    To store a password that you have previously created and hashed using Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1), issue the following command:

  2. Commit the configuration.
  3. Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.

To create an SSH public/private key pair, perform the following steps:

  1. Issue the ssh-keygen command in the standard command shell (not the Junos OS CLI) on the configuration management server where the client application runs.

    By providing the appropriate arguments, you encode the public key with either RSA (supported by SSH versions 1 and 2) or the Digital Signature Algorithm (DSA, supported by SSH version 2). For more information, see the manual page for the ssh-keygen command. Junos OS uses SSH version 2 by default, but also supports version 1.

  2. Associate the public key with the Junos OS login account by including the load-key-file statement at the [edit system login user account-name authentication] hierarchy level.

    Junos OS copies the contents of the specified file onto the device running Junos OS. URL is the path to the file that contains one or more public keys. The ssh-keygen command by default stores each public key in a file in the .ssh subdirectory of the user home directory; the filename depends on the encoding (DSA or RSA) and SSH version. For information about specifying URLs, see the CLI User Guide.

    Alternatively, you can include one or both of the ssh-dsa and ssh-rsa ssh-dsastatements at the [edit system login user account-name authentication] hierarchy level. We recommend using the load-key-file statement, however, because it eliminates the need to type or cut-and-paste the public key on the command line.

  3. Commit the configuration.

  4. Repeat Step 2 and Step 3 on each device running Junos OS where the client application establishes NETCONF sessions.

Accessing the Keys or Password with the Client Application

The client application must be able to access the configured public/private keys or password and provide it when the NETCONF server prompts for it.

There are several methods for enabling the application to access the key or password:

  • If public/private keys are used, the ssh-agent program runs on the computer where the client application runs, and handles the private key.

  • When a user starts the application, the application prompts the user for the password and stores it temporarily in a secure manner.

  • The password is stored in encrypted form in a secure local-disk location or in a secured database.

Enabling NETCONF Service over SSH

RFC 4742, Using the NETCONF Configuration Protocol over Secure SHell (SSH), requires that the NETCONF server, by default, provide the client device with access to the NETCONF SSH subsystem when the SSH session is established over a dedicated IANA-assigned TCP port. Use of a dedicated port makes it easy to identify and filter NETCONF traffic. The IANA-assigned port for NETCONF-over-SSH sessions is 830.

You also can configure the server to allow access to the NETCONF SSH subsystem either over the default SSH port (22) or over a port number that is explicitly configured. An explicitly configured port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests. If SSH services are enabled on the server, the default SSH port (22) continues to accept NETCONF sessions even when an alternate NETCONF-over-SSH port is configured. For added security, you can configure event policies that utilize UI_LOGIN_EVENT information to effectively disable the default port or further restrict NETCONF server access on a port.

To enable NETCONF service over SSH on a device running Junos OS, perform the following steps:

  1. Include one of the following statements at the indicated configuration hierarchy level:

    • To enable access to the NETCONF SSH subsystem using the default NETCONF-over-SSH port (830) as specified by RFC 4742, include the netconf ssh statement at the [edit system services] hierarchy level:

    • To enable access to the NETCONF SSH subsystem using a specified port number, configure the port statement with the desired port number at the [edit system services netconf ssh] hierarchy level.

      The port-number can range from 1 through 65535. The configured port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests.

      Note:

      Although NETCONF-over-SSH can be configured on any port from 1 through 65535, you should avoid configuring access on a port that is normally assigned for another service. This practice avoids potential resource conflicts. If you configure NETCONF-over-SSH on a port assigned for another service, such as FTP, and that service is enabled, a commit check does not reveal a resource conflict or issue any warning message to that effect.

    • To enable access to the NETCONF SSH subsystem using the default SSH port (22), include the ssh statement at the [edit system services] hierarchy level. This configuration enables SSH access to the device for all users and applications. The ssh statement can be included in the configuration in addition to the configuration statements listed previously.

  2. (Optional) Configure the device to disconnect unresponsive NETCONF clients by specifying both the timeout interval (in seconds) after which, if no data has been received from the client, the sshd process requests a response as well as the threshold of missed client-alive responses that triggers a disconnect.
    Note:

    Statements configured at the [edit system services netconf ssh] hierarchy level only apply to NETCONF sessions that connect through the default port (830) or through the user-defined port that is configured at the same hierarchy level.

  3. Commit the configuration:

  4. Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.

See Also

Prerequisites for Establishing an Outbound SSH Connection for NETCONF Sessions

To enable a configuration management server to establish an outbound SSH connection to the NETCONF server, you must satisfy the requirements discussed in the following sections:

Configuring the Device Running Junos OS for Outbound SSH

To configure the device running Junos OS for outbound SSH:

  1. At the [edit system services ssh] hierarchy level, set the SSH protocol-version to v2:
  2. Generate or obtain a public/private key pair for the device running Junos OS. This key pair will be used to encrypt the data transferred across the SSH connection.
  3. If you are manually installing the public key on the configuration management server, transfer the public key to the configuration management server.
  4. At the [edit system services] hierarchy level, include the outbound-ssh configuration hierarchy and any required statements.

    The options are as follows:

    address

    (Required) Hostname or IPv4 or IPv6 address of the management server. You can list multiple clients by adding each client's IP address or hostname along with the following connection parameters.

    • port port-number—Outbound SSH port for the client. The default is port 22.

    • retry number– Number of times the device attempts to establish an outbound SSH connection. The default is three tries.

    • timeout seconds—Amount of time, in seconds, that the device running Junos OS attempts to establish an outbound SSH connection. The default is 15 seconds per attempt.

      Note:

      Starting in Junos OS Release 15.1, Junos OS supports outbound SSH connections with devices that have IPv6 addresses.
    client client-id

    (Required) Identifies the outbound-ssh configuration stanza on the device. Each outbound-ssh stanza represents a single outbound SSH connection. This attribute is not sent to the client.
    device-id device-id

    (Required) Identifies the device running Junos OS to the client during the initiation sequence.

    keep-alive

    (Optional) Specify that the device send keepalive messages to the management server. To configure the keepalive message, you must set both the timeout and retry attributes. To configure the keepalive message, you must configure both the timeout and retry statements.

    • retry number—Number of keepalive messages the device sends without receiving a response from the management server before the current SSH connection is terminated. The default is three tries.

    • timeout seconds—Amount of time, in seconds, that the server waits for data before sending a keepalive signal. The default is 15 seconds.
    reconnect-strategy (sticky | in-order)

    (Optional) Specify the method the device running Junos OS uses to reestablish a disconnected outbound SSH connection. Two methods are available:

    • in-order—Specify that the router or switch first attempt to establish an outbound SSH session based on the management server address list. The router or switch attempts to establish a session with the first server on the list. If this connection is not available, the router or switch attempts to establish a session with the next server, and so on down the list until a connection is established.

    • sticky—Specify that the router or switch first attempt to reconnect to the management server that it was last connected to. If the connection is unavailable, it attempts to establish a connection with the next client on the list and so forth until a connection is made.
    secret password

    (Optional) Public SSH host key of the device. If added to the outbound-ssh statement, during the initialization of the outbound SSH service, the router or switch passes its public key to the management server. This is the recommended method of maintaining a current copy of the devices public key.
    services netconf

    (Required) Specifies the services available for the session. Currently, NETCONF is the only service available.
  5. Commit the configuration:

Installing SSH Software on the Client

Once the device establishes the SSH connection to the configuration management server, the configuration management server takes control of the SSH session. Therefore, the SSH client software must be installed locally on the configuration management server. For information about obtaining and installing SSH software, see http://www.ssh.com/ and http://www.openssh.com/ .

Receiving and Managing the Outbound SSH Initiation Sequence on the Client

When configured for outbound SSH, the device running Junos OS attempts to maintain a constant connection with a configuration management server. Whenever an outbound SSH session is not established, the device sends an outbound SSH initiation sequence to a configuration management server listed in the device’s configuration management server list. Prior to establishing a connection with the device, each configuration management server must be set up to receive this initiation sequence, establish a TCP connection with the device, and transmit the device identity back to the device.

The initiation sequence takes one of two forms, depending on how you chose to handle the Junos OS server's public key.

If the public key is installed manually on the configuration management server, the initiation sequence takes the following form:

If the public key is forwarded to the configuration management server by the device during the initialization sequence, the sequence takes the following form:

Enabling NETCONF Service over SSH

RFC 4742, Using the NETCONF Configuration Protocol over Secure SHell (SSH), requires that the NETCONF server, by default, provide the client device with access to the NETCONF SSH subsystem when the SSH session is established over a dedicated IANA-assigned TCP port. Use of a dedicated port makes it easy to identify and filter NETCONF traffic. The IANA-assigned port for NETCONF-over-SSH sessions is 830.

You also can configure the server to allow access to the NETCONF SSH subsystem either over the default SSH port (22) or over a port number that is explicitly configured. An explicitly configured port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests. If SSH services are enabled on the server, the default SSH port (22) continues to accept NETCONF sessions even when an alternate NETCONF-over-SSH port is configured. For added security, you can configure event policies that utilize UI_LOGIN_EVENT information to effectively disable the default port or further restrict NETCONF server access on a port.

To enable NETCONF service over SSH on a device running Junos OS, perform the following steps:

  1. Include one of the following statements at the indicated configuration hierarchy level:

    • To enable access to the NETCONF SSH subsystem using the default NETCONF-over-SSH port (830) as specified by RFC 4742, include the netconf ssh statement at the [edit system services] hierarchy level:

    • To enable access to the NETCONF SSH subsystem using a specified port number, configure the port statement with the desired port number at the [edit system services netconf ssh] hierarchy level.

      The port-number can range from 1 through 65535. The configured port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests.

      Note:

      Although NETCONF-over-SSH can be configured on any port from 1 through 65535, you should avoid configuring access on a port that is normally assigned for another service. This practice avoids potential resource conflicts. If you configure NETCONF-over-SSH on a port assigned for another service, such as FTP, and that service is enabled, a commit check does not reveal a resource conflict or issue any warning message to that effect.

    • To enable access to the NETCONF SSH subsystem using the default SSH port (22), include the ssh statement at the [edit system services] hierarchy level. This configuration enables SSH access to the device for all users and applications. The ssh statement can be included in the configuration in addition to the configuration statements listed previously.

  2. Commit the configuration:

  3. Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.

Related Documentation

Release History Table
Release
Description
15.1
Starting in Junos OS Release 15.1, Junos OS supports outbound SSH connections with devices that have IPv6 addresses.