Establish an SSH Connection for a NETCONF Session
Establish an SSH Connection for a NETCONF Session
You can use the SSH protocol to establish connections between a configuration management server and a Junos device. You use a configuration management server to configure the Junos device remotely.
You can use the following options to establish an SSH connection between the configuration management server and the Junos device.
-
SSH—The configuration management server initiates an SSH session with the Junos device.
-
Outbound SSH—Use this option when the configuration management server cannot initiate an SSH connection because of network restrictions (such as a firewall). In this situation, you configure the Junos device to initiate, establish, and maintain an SSH connection with a predefined set of configuration management servers.
Prerequisites for Establishing an SSH Connection for NETCONF Sessions
Before the configuration management server establishes an SSH connection with a Junos device, you must satisfy the requirements discussed in the following sections.
- Install SSH Software on the Configuration Management Server
- Enable NETCONF Service over SSH
- Configure a User Account for the Client Application on Junos Devices
- Configure a Public/Private Key Pair or Password for the Junos OS User Account
- Access the Keys or Password with the Client Application
Install SSH Software on the Configuration Management Server
The configuration management server handles the SSH connection with the Junos device. Therefore, SSH software must be installed locally on the configuration management server. For information about obtaining and installing SSH software, see http://www.ssh.com and http://www.openssh.com.
Enable NETCONF Service over SSH
To establish NETCONF sessions on a Junos device, you must enable the NETCONF service. You can configure the NETCONF server to accept NETCONF sessions on the following ports:
-
Default NETCONF port (830) or a user-defined port
-
Default SSH port (22)
We recommend that you use the default NETCONF port because it enables the device
to easily identify and filter NETCONF traffic. Alternatively, you can configure
the device to accept NETCONF sessions on a specific port instead of the default
NETCONF port. The defined port accepts only NETCONF-over-SSH sessions and
rejects regular SSH session requests. If you also enable SSH services on the
server, the device accepts NETCONF sessions on both the default SSH port and the
configured NETCONF port (default or user-defined port). For added security, you
can configure event policies that utilize UI_LOGIN_EVENT
information to effectively disable the default port or further restrict NETCONF
server access on a port.
To enable NETCONF service over SSH on a Junos device:
-
Enable the NETCONF service on either the default NETCONF port (830) or a user-defined port:
-
To use the default NETCONF port (830), include the
netconf ssh
statement at the[edit system services]
hierarchy level:[edit system services] user@host# set netconf ssh
-
To use a specific port, configure the
port
statement with the desired port number at the [edit system services netconf ssh
] hierarchy level.[edit system services] user@host# set netconf ssh port port-number
The
port-number
can range from 1 through 65535. The configured port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests.Note:Although NETCONF-over-SSH sessions can be configured on any port from 1 through 65535, you should avoid configuring access on a port that is normally assigned for another service. This practice avoids potential resource conflicts. If you configure a port assigned for another service, such as FTP, and that service is enabled, a
commit check
does not reveal a resource conflict or issue any warning message to that effect.
-
-
(Optional) To also enable access to the NETCONF SSH subsystem using the default SSH port (22), include the
ssh
statement at the[edit system services]
hierarchy level.[edit system services] user@host# set ssh
This configuration enables SSH access to the device for all users and applications.
Note:In releases where the default behavior is to restrict the root user from using the SSH service, you must configure the
root-login allow
statement at the[edit system services ssh]
hierarchy level to enable the root user to open NETCONF sessions over SSH. (Optional) Configure the device to disconnect unresponsive NETCONF clients.
Specify the timeout interval (in seconds) after which, if no data has been received from the client, the sshd process requests a response. Additionally, specify the threshold of missed client-alive responses that triggers a disconnect.
[edit system services] user@host# set netconf ssh client-alive-interval 10 user@host# set netconf ssh client-alive-count-max 10
Note:Statements configured at the
[edit system services netconf ssh]
hierarchy level only apply to NETCONF sessions that connect through the default port (830) or through the user-defined port that is configured at the same hierarchy level.-
Commit the configuration:
[edit] user@host# commit
-
Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.
Configure a User Account for the Client Application on Junos Devices
The configuration management server must log in to the Junos device to establish a NETCONF session. Thus, the configuration management server needs a user account on each device where it establishes a NETCONF session. The following instructions explain how to create a local user account on Junos devices. Alternatively, you can skip this section and enable authentication through RADIUS or TACACS+.
To create a local user account:
Configure a Public/Private Key Pair or Password for the Junos OS User Account
The configuration management server needs an SSH public/private key pair, a text-based password, or both before it can authenticate with the NETCONF server. A public/private key pair is sufficient if the account is used only to connect to the NETCONF server through SSH. If the account is also used to access the device in other ways (for login on the console, for example), it must have a text-based password. The password is also used (the SSH server prompts for it) if key-based authentication is configured but fails.
You can skip this section if you have chosen to enable authentication through RADIUS or TACACS+.
To create a text-based password:
To create an SSH public/private key pair, perform the following steps:
On the configuration management server where the client application runs, issue the
ssh-keygen
command in the standard command shell and provide the appropriate arguments.% ssh-keygen options
For more information about
ssh-keygen
options, see the manual page for thessh-keygen
command.Associate the public key with the Junos OS login account.
[edit system login user username authentication] user@host# set load-key-file URL
Junos OS copies the contents of the specified file onto the device running Junos OS. URL is the path to the file that contains one or more public keys. The
ssh-keygen
command by default stores each public key in a file in the .ssh subdirectory of the user home directory; the filename depends on the encoding and SSH version. For information about specifying URLs, see the CLI User Guide.Note:Alternatively, you can include the
ssh-rsa
statement at the[edit system login user account-name authentication]
hierarchy level. We recommend using theload-key-file
statement, however, because it eliminates the need to type or cut-and-paste the public key on the command line.Commit the configuration.
[edit] user@host# commit
Repeat Step 2 and Step 3 on each Junos device where the client application establishes NETCONF sessions.
Access the Keys or Password with the Client Application
The client application must be able to access the configured public/private keys or password and provide it when the NETCONF server prompts for it.
There are several methods for enabling the application to access the key or password:
If public/private keys are used, the ssh-agent program runs on the device where the client application runs, and handles the private key.
When a user starts the application, the application prompts the user for the password and stores it temporarily in a secure manner.
The password is stored in encrypted form in a secure local-disk location or in a secured database.
Prerequisites for Establishing an Outbound SSH Connection for NETCONF Sessions
To enable a configuration management server to establish an outbound SSH connection to the NETCONF server, you must satisfy the requirements discussed in the following sections:
- Install SSH Software on the Client
- Enable NETCONF Service over SSH
- Configure the Junos Device for Outbound SSH
- Receive and Manage the Outbound SSH Initiation Sequence on the Client
Install SSH Software on the Client
Once the device establishes the SSH connection to the configuration management server, the configuration management server takes control of the SSH session. Therefore, the SSH client software must be installed locally on the configuration management server. For information about obtaining and installing SSH software, see http://www.ssh.com/ and http://www.openssh.com/ .
Enable NETCONF Service over SSH
To establish NETCONF sessions on a Junos device, you must enable the NETCONF service. You can configure the NETCONF server to accept NETCONF sessions on the following ports:
-
Default NETCONF port (830) or a user-defined port
-
Default SSH port (22)
We recommend that you use the default NETCONF port because it enables the device
to easily identify and filter NETCONF traffic. Alternatively, you can configure
the device to accept NETCONF sessions on a specific port instead of the default
NETCONF port. The defined port accepts only NETCONF-over-SSH sessions and
rejects regular SSH session requests. If you also enable SSH services on the
server, the device accepts NETCONF sessions on both the default SSH port and the
configured NETCONF port (default or user-defined port). For added security, you
can configure event policies that utilize UI_LOGIN_EVENT
information to effectively disable the default port or further restrict NETCONF
server access on a port.
To enable NETCONF service over SSH on a Junos device:
-
Enable the NETCONF service on either the default NETCONF port (830) or a user-defined port:
-
To use the default NETCONF port (830), include the
netconf ssh
statement at the[edit system services]
hierarchy level:[edit system services] user@host# set netconf ssh
-
To use a specific port, configure the
port
statement with the desired port number at the [edit system services netconf ssh
] hierarchy level.[edit system services] user@host# set netconf ssh port port-number
The
port-number
can range from 1 through 65535. The configured port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests.Note:Although NETCONF-over-SSH sessions can be configured on any port from 1 through 65535, you should avoid configuring access on a port that is normally assigned for another service. This practice avoids potential resource conflicts. If you configure a port assigned for another service, such as FTP, and that service is enabled, a
commit check
does not reveal a resource conflict or issue any warning message to that effect.
-
-
(Optional) To also enable access to the NETCONF SSH subsystem using the default SSH port (22), include the
ssh
statement at the[edit system services]
hierarchy level.[edit system services] user@host# set ssh
This configuration enables SSH access to the device for all users and applications.
Note:In releases where the default behavior is to restrict the root user from using the SSH service, you must configure the
root-login allow
statement at the[edit system services ssh]
hierarchy level to enable the root user to open NETCONF sessions over SSH. (Optional) Configure the device to disconnect unresponsive NETCONF clients.
Specify the timeout interval (in seconds) after which, if no data has been received from the client, the sshd process requests a response. Additionally, specify the threshold of missed client-alive responses that triggers a disconnect.
[edit system services] user@host# set netconf ssh client-alive-interval 10 user@host# set netconf ssh client-alive-count-max 10
Note:Statements configured at the
[edit system services netconf ssh]
hierarchy level only apply to NETCONF sessions that connect through the default port (830) or through the user-defined port that is configured at the same hierarchy level.-
Commit the configuration:
[edit] user@host# commit
-
Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.
Configure the Junos Device for Outbound SSH
To configure the Junos device for outbound SSH:
Receive and Manage the Outbound SSH Initiation Sequence on the Client
When configured for outbound SSH, the Junos device attempts to maintain a constant connection with a configuration management server. Whenever an outbound SSH session is not established, the device sends an outbound SSH initiation sequence to a configuration management server listed in the device’s configuration management server list. Prior to establishing a connection with the device, each configuration management server must be set up to receive this initiation sequence, establish a TCP connection with the device, and transmit the device identity back to the device.
The initiation sequence takes one of two forms, depending on how you chose to handle the Junos OS server's public key.
If the public key is installed manually on the configuration management server, the initiation sequence takes the following form:
MSG-ID: DEVICE-CONN-INFO\r\n MSG-VER: V1\r\n DEVICE-ID: <device-id>\r\n
If the public key is forwarded to the configuration management server by the device during the initialization sequence, the sequence takes the following form:
MSG-ID: DEVICE-CONN-INFO\r\n MSG-VER: V1\r\n DEVICE-ID: : <device-id>\r\n HOST-KEY: <pub-host-key>\r\n HMAC: <HMAC(pub-SSH-host-key,<secret>)>\r\n
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.