Establish an SSH Connection for a NETCONF Session

You can use the SSH protocol to establish connections between a configuration management server and a Junos device. You use a configuration management server to configure the Junos device remotely.

You can use the following options to establish an SSH connection between the configuration management server and the Junos device.

  • SSH—The configuration management server initiates an SSH session with the Junos device.

  • Outbound SSH—Use this option when the configuration management server cannot initiate an SSH connection because of network restrictions (such as a firewall). In this situation, you configure the Junos device to initiate, establish, and maintain an SSH connection with a predefined set of configuration management servers.

Prerequisites for Establishing an SSH Connection for NETCONF Sessions

Before the configuration management server establishes an SSH connection with a Junos device, you must satisfy the requirements discussed in the following sections.

Install SSH Software on the Configuration Management Server

The configuration management server handles the SSH connection with the Junos device. Therefore, SSH software must be installed locally on the configuration management server. For information about obtaining and installing SSH software, see http://www.ssh.com and http://www.openssh.com.

Enable NETCONF Service over SSH

To establish NETCONF sessions on a Junos device, you must enable the NETCONF service. You can configure the NETCONF server to accept NETCONF sessions on the following ports:

  • Default NETCONF port (830) or a user-defined port

  • Default SSH port (22)

We recommend that you use the default NETCONF port because it enables the device to easily identify and filter NETCONF traffic. Alternatively, you can configure the device to accept NETCONF sessions on a specific port instead of the default NETCONF port. The defined port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests. If you also enable SSH services on the server, the device accepts NETCONF sessions on both the default SSH port and the configured NETCONF port (default or user-defined port). For added security, you can configure event policies that utilize UI_LOGIN_EVENT information to effectively disable the default port or further restrict NETCONF server access on a port.

To enable NETCONF service over SSH on a Junos device:

  1. Enable the NETCONF service on either the default NETCONF port (830) or a user-defined port:

    • To use the default NETCONF port (830), include the netconf ssh statement at the [edit system services] hierarchy level:

    • To use a specific port, configure the port statement with the desired port number at the [edit system services netconf ssh] hierarchy level.

      The port-number can range from 1 through 65535. The configured port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests.

      Note:

      Although NETCONF-over-SSH sessions can be configured on any port from 1 through 65535, you should avoid configuring access on a port that is normally assigned for another service. This practice avoids potential resource conflicts. If you configure a port assigned for another service, such as FTP, and that service is enabled, a commit check does not reveal a resource conflict or issue any warning message to that effect.

  2. (Optional) To also enable access to the NETCONF SSH subsystem using the default SSH port (22), include the ssh statement at the [edit system services] hierarchy level.

    This configuration enables SSH access to the device for all users and applications.

    Note:

    In releases where the default behavior is to restrict the root user from using the SSH service, you must configure the root-login allow statement at the [edit system services ssh] hierarchy level to enable the root user to open NETCONF sessions over SSH.

  3. (Optional) Configure the device to disconnect unresponsive NETCONF clients.

    Specify the timeout interval (in seconds) after which, if no data has been received from the client, the sshd process requests a response. Additionally, specify the threshold of missed client-alive responses that triggers a disconnect.

    Note:

    Statements configured at the [edit system services netconf ssh] hierarchy level only apply to NETCONF sessions that connect through the default port (830) or through the user-defined port that is configured at the same hierarchy level.

  4. Commit the configuration:

  5. Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.
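As an added example that is not part of the original page, the following Junos configuration, in hierarchical format, puts the choices from the steps above together: NETCONF on its dedicated port with client-alive disconnects, the optional SSH service on port 22 with root login kept disabled, and the connection-limit and rate-limit statements from the same hierarchy, which the steps above do not mention. The interval, count and limit values are assumptions chosen for illustration.

```junos
system {
    services {
        netconf {
            ssh {
                /* Step 1: dedicated NETCONF-over-SSH port; regular SSH requests to it
                   are rejected. Default is 830; any port 1 through 65535 is accepted,
                   but commit check will not warn if the port is already used by another
                   enabled service such as FTP. */
                port 830;
                /* Step 3: after 60 s without client data, sshd requests a response;
                   three missed client-alive responses disconnect the client. These
                   statements apply only to sessions arriving on the port above. */
                client-alive-interval 60;
                client-alive-count-max 3;
                /* Not in the steps above: cap concurrent NETCONF sessions and the
                   number of connection attempts per minute on this port. */
                connection-limit 5;
                rate-limit 5;
            }
        }
        /* Step 2 (optional): also expose the NETCONF SSH subsystem on port 22 for all
           users and applications. Leave this stanza out to confine NETCONF to the
           dedicated port, which keeps NETCONF traffic easy to identify and filter. */
        ssh {
            protocol-version v2;
            /* Keep root off SSH; change to "allow" only if the root account must
               open NETCONF sessions, as the note under step 2 describes. */
            root-login deny;
        }
    }
}
```

Load it on each device with load merge and commit; the client-alive statements take effect only for sessions on port 830 here, not for NETCONF sessions that arrive through port 22.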

Configure a User Account for the Client Application on Junos Devices

The configuration management server must log in to the Junos device to establish a NETCONF session. Thus, the configuration management server needs a user account on each device where it establishes a NETCONF session. The following instructions explain how to create a local user account on Junos devices. Alternatively, you can skip this section and enable authentication through RADIUS or TACACS+.

To create a local user account:

  1. Configure the user statement at the [edit system login] hierarchy level and specify a username. Include the class statement, and specify a login class that has the permissions required for all actions to be performed by the application.
  2. Optionally, include the full-name and uid statements at the [edit system login user username] hierarchy level.
  3. Commit the configuration to activate the user account on the device.
  4. Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.

Configure a Public/Private Key Pair or Password for the Junos OS User Account

The configuration management server needs an SSH public/private key pair, a text-based password, or both before it can authenticate with the NETCONF server. A public/private key pair is sufficient if the account is used only to connect to the NETCONF server through SSH. If the account is also used to access the device in other ways (for login on the console, for example), it must have a text-based password. The password is also used (the SSH server prompts for it) if key-based authentication is configured but fails.

Note:

You can skip this section if you have chosen to enable authentication through RADIUS or TACACS+.

To create a text-based password:

  1. Include either the plain-text-password or encrypted-password statement at the [edit system login user username authentication] hierarchy level.

    To enter a password as text, issue the following command. You are prompted for the password, which is encrypted before being stored.

    To store a password that you have previously created and hashed using Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1), issue the following command:

  2. Commit the configuration.
  3. Repeat the preceding steps on each device where the client application establishes NETCONF sessions.

To create an SSH public/private key pair, perform the following steps:

  1. On the configuration management server where the client application runs, issue the ssh-keygen command in the standard command shell and provide the appropriate arguments.

    For more information about ssh-keygen options, see the manual page for the ssh-keygen command.

  2. Associate the public key with the Junos OS login account.

    Junos OS copies the contents of the specified file onto the device running Junos OS. Here URL is the path to the file that contains one or more public keys. By default, the ssh-keygen command stores each public key in a file in the .ssh subdirectory of the user home directory; the filename depends on the encoding and SSH version. For information about specifying URLs, see the CLI User Guide.

    Note:

    Alternatively, you can include the ssh-rsa statement at the [edit system login user account-name authentication] hierarchy level. We recommend using the load-key-file statement, however, because it eliminates the need to type or cut-and-paste the public key on the command line.

  3. Commit the configuration.

  4. Repeat Step 2 and Step 3 on each Junos device where the client application establishes NETCONF sessions.
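As an added example that is not from the page, the following configuration shows the combined result of the user-account procedure and the key/password procedure above for a constructed account named netconf-svc: a custom login class limited to the permissions a configuration client needs, an SSH public key (placeholder shown; load-key-file reads the .pub file and inserts the same ssh-rsa statement), and an optional encrypted-password for console use. The class name, uid, permission list and key comment are assumptions.

```junos
system {
    login {
        /* Least-privilege class for the configuration management server. "configure"
           allows configuration mode; the *-control flags grant write access to the
           hierarchies the client actually edits. Add flags only as needed, and avoid
           "all", "shell" and "maintenance" for an automation account. */
        class netconf-ops {
            permissions [ configure view view-configuration interface-control routing-control ];
        }
        user netconf-svc {
            full-name "NETCONF configuration management server";
            uid 2010;
            class netconf-ops;
            authentication {
                /* Key-based login is enough if the account is used only for NETCONF
                   over SSH. Entering the key with load-key-file <URL> (recommended) or
                   pasting it into ssh-rsa both produce this statement. Placeholder key. */
                ssh-rsa "ssh-rsa AAAA...PLACEHOLDER-PUBLIC-KEY... netconf-svc@cms.example.net";
                /* Needed only if the account also logs in another way (for example on
                   the console); it is also the fallback the SSH server prompts for when
                   key authentication is configured but fails. Paste a previously hashed
                   value here; plain-text-password prompts interactively instead. */
                encrypted-password "<hashed-password-placeholder>";
            }
        }
    }
}
```

If the account is NETCONF-only, omit the encrypted-password statement so that a leaked or guessed password cannot be used for console or other logins.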

Access the Keys or Password with the Client Application

The client application must be able to access the configured public/private keys or password and provide it when the NETCONF server prompts for it.

There are several methods for enabling the application to access the key or password:

  • If public/private keys are used, the ssh-agent program runs on the device where the client application runs, and handles the private key.

  • When a user starts the application, the application prompts the user for the password and stores it temporarily in a secure manner.

  • The password is stored in encrypted form in a secure local-disk location or in a secured database.

Prerequisites for Establishing an Outbound SSH Connection for NETCONF Sessions

To enable a configuration management server to establish an outbound SSH connection to the NETCONF server, you must satisfy the requirements discussed in the following sections:

Install SSH Software on the Client

Once the device establishes the SSH connection to the configuration management server, the configuration management server takes control of the SSH session. Therefore, the SSH client software must be installed locally on the configuration management server. For information about obtaining and installing SSH software, see http://www.ssh.com/ and http://www.openssh.com/.

Enable NETCONF Service over SSH

The NETCONF service must be enabled on the device exactly as described in Enable NETCONF Service over SSH under the prerequisites for an SSH connection earlier on this page; repeat those steps on each device running Junos OS where the client application establishes NETCONF sessions.

Configure the Junos Device for Outbound SSH

To configure the Junos device for outbound SSH:

  1. At the [edit system services ssh] hierarchy level, set the SSH protocol-version to v2:
  2. Generate or obtain a public/private key pair for the device running Junos OS. This key pair will be used to encrypt the data transferred across the SSH connection.
  3. If you are manually installing the public key on the configuration management server, transfer the public key to the configuration management server.
  4. At the [edit system services] hierarchy level, include the outbound-ssh configuration hierarchy and any required statements.

    The options are as follows:

    address

    (Required) Hostname or IPv4 or IPv6 address of the management server. You can list multiple clients by adding each client's IP address or hostname along with the following connection parameters.

    • port port-number—Outbound SSH port for the client. The default is port 22.

    • retry number—Number of times the device attempts to establish an outbound SSH connection. The default is three tries.

    • timeout seconds—Amount of time, in seconds, that the device running Junos OS attempts to establish an outbound SSH connection. The default is 15 seconds per attempt.

      Note:

      Starting in Junos OS Release 15.1, Junos OS supports outbound SSH connections with devices that have IPv6 addresses.

    client client-id

    (Required) Identifies the outbound-ssh configuration stanza on the device. Each outbound-ssh stanza represents a single outbound SSH connection. This attribute is not sent to the client.

    device-id device-id

    (Required) Identifies the device running Junos OS to the client during the initiation sequence.

    keep-alive

    (Optional) Specify that the device send keepalive messages to the management server. To configure the keepalive message, you must configure both the timeout and retry statements.

    • retry number—Number of keepalive messages the device sends without receiving a response from the management server before the current SSH connection is terminated. The default is three tries.

    • timeout seconds—Amount of time, in seconds, that the server waits for data before sending a keepalive signal. The default is 15 seconds.

    reconnect-strategy (sticky | in-order)

    (Optional) Specify the method the device running Junos OS uses to reestablish a disconnected outbound SSH connection. Two methods are available:

    • in-order—Specify that the router or switch first attempt to establish an outbound SSH session based on the management server address list. The router or switch attempts to establish a session with the first server on the list. If this connection is not available, the router or switch attempts to establish a session with the next server, and so on down the list until a connection is established.

    • sticky—Specify that the router or switch first attempt to reconnect to the management server that it was last connected to. If the connection is unavailable, it attempts to establish a connection with the next client on the list and so forth until a connection is made.

    secret password

    (Optional) Public SSH host key of the device. If added to the outbound-ssh statement, during the initialization of the outbound SSH service, the router or switch passes its public key to the management server. This is the recommended method of maintaining a current copy of the device's public key.

    services netconf

    (Required) Specifies the services available for the session. Currently, NETCONF is the only service available.

  5. Commit the configuration:
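As an added example that is not part of the original page, the following configuration carries the outbound SSH procedure above through for one constructed client stanza, using every option the option list describes. The client-id, device-id, addresses (documentation ranges), port and timer values are assumptions; the secret is a placeholder.

```junos
system {
    services {
        ssh {
            /* Step 1: SSH protocol version 2 only. */
            protocol-version v2;
        }
        outbound-ssh {
            /* Step 4: one client stanza is one outbound SSH connection. The client-id
               "cms-primary" only identifies the stanza locally and is never sent. */
            client cms-primary {
                /* Identifies this device to the management server in the initiation
                   sequence. */
                device-id edge-router-01;
                /* Optional: with a secret configured, the device passes its public host
                   key to the management server during initialization, so the key does
                   not have to be installed by hand (step 3). Placeholder value; Junos
                   stores it obfuscated after commit. */
                secret "<shared-secret-placeholder>";
                /* Both statements are required to enable keepalives: wait 30 s for data,
                   send a keepalive, and drop the session after 3 unanswered ones. */
                keep-alive {
                    retry 3;
                    timeout 30;
                }
                /* After a disconnect, retry the server that was last connected before
                   walking the list; use in-order to always start from the first entry. */
                reconnect-strategy sticky;
                /* NETCONF is currently the only service available over the session. */
                services netconf;
                /* Management server list. Each entry is an IPv4 or IPv6 address or a
                   hostname with its own port, retry count and per-attempt timeout;
                   IPv6 entries require Junos OS Release 15.1 or later. */
                198.51.100.10 {
                    port 2222;
                    retry 3;
                    timeout 15;
                }
                2001:db8::10 {
                    port 2222;
                }
            }
        }
    }
}
```

Per-address values that are not given fall back to the defaults in the option list (port 22, three retries, 15 seconds per attempt).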

Receive and Manage the Outbound SSH Initiation Sequence on the Client

When configured for outbound SSH, the Junos device attempts to maintain a constant connection with a configuration management server. Whenever an outbound SSH session is not established, the device sends an outbound SSH initiation sequence to a configuration management server listed in the device’s configuration management server list. Prior to establishing a connection with the device, each configuration management server must be set up to receive this initiation sequence, establish a TCP connection with the device, and transmit the device identity back to the device.

The initiation sequence takes one of two forms, depending on how you chose to handle the Junos OS server's public key.

If the public key is installed manually on the configuration management server, the initiation sequence takes the following form:

If the public key is forwarded to the configuration management server by the device during the initialization sequence, the sequence takes the following form:

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release   Description
15.1      Starting in Junos OS Release 15.1, Junos OS supports outbound SSH connections with devices that have IPv6 addresses.