Authentication and Access Control
- OpenSSH certificate support (PTX10008 and PTX10016)—Starting in Junos OS Evolved Release 23.4R1, you can set up SSH access to a device with password-less, certificate-based login for users. You can also trust hosts whose host keys are signed by a trusted certificate authority (CA) without verifying each host key fingerprint by hand.

  Use the following new CLI configuration statements to configure SSH certificate-based authentication:

  - system services ssh trusted-user-ca-key-file filename—Sets the TrustedUserCAKeys directive in /etc/ssh/sshd_config to a file that contains the public keys of the CAs trusted to sign user certificates.
  - system services ssh host-certificate-file filename—Sets the HostCertificate directive in /etc/ssh/sshd_config to the file that contains the device's signed host certificate.
  - system services ssh authorized-principals-file filename—Sets the AuthorizedPrincipalsFile directive to a file under /var/etc that lists principal names, one per line; a user certificate is accepted for authentication only if at least one of its principals appears in that list.
  - system services ssh authorized-principals-command program-path—Sets the AuthorizedPrincipalsCommand directive to a program that generates the list of allowed certificate principals instead of reading it from the AuthorizedPrincipals file.
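The OpenSSH side of the workflow that the statements above plug into, as an added example that is not part of the release notes or of Juniper's documentation: it creates separate user and host CAs, signs an operator key and a device host key with ssh-keygen, checks a certificate's principals against an AuthorizedPrincipals-style file the way sshd does, and prints the Junos statements plus the client-side known_hosts line. The CA and key file names, the principals netops and alice, the hostname ptx10008.example.net, the /var/tmp and /var/etc paths on the device, and the assumption that each statement takes a file path are illustrative; it needs the OpenSSH client tools (ssh-keygen) on the workstation.

```shell
#!/bin/sh
# Added example, not code from the Junos release notes. Builds SSH CAs with
# OpenSSH ssh-keygen, signs a user key and a host key, emulates the
# AuthorizedPrincipals check, and prints the Junos statements to apply.
# Assumed (illustrative) names: user_ca, host_ca, operator, device_host,
# principals "netops" and "alice", hostname ptx10008.example.net, and the
# device-side paths under /var/tmp and /var/etc.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Separate CAs for user and host certificates: a leaked host-signing key then
# cannot be used to mint user logins, and vice versa.
make_cas() {
  ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca" </dev/null
  ssh-keygen -q -t ed25519 -N '' -C 'host-ca' -f "$WORK/host_ca" </dev/null
}

# Sign an operator's key. -n fixes the principals the device will match against
# its AuthorizedPrincipals file; -V bounds validity; -I is the key id that sshd
# logs on login.  Produces $WORK/operator-cert.pub.
sign_user_key() {
  principals="$1"; keyid="$2"
  ssh-keygen -q -t ed25519 -N '' -C "$keyid" -f "$WORK/operator" </dev/null
  ssh-keygen -q -s "$WORK/user_ca" -I "$keyid" -n "$principals" \
    -V -5m:+52w "$WORK/operator.pub"
}

# Sign a host key (in practice the .pub exported from the device). -h marks a
# host certificate; -n lists the names clients connect to.
# Produces $WORK/device_host-cert.pub.
sign_host_key() {
  hostnames="$1"
  ssh-keygen -q -t ed25519 -N '' -C 'device-hostkey' -f "$WORK/device_host" </dev/null
  ssh-keygen -q -s "$WORK/host_ca" -I "$hostnames" -h -n "$hostnames" \
    -V -5m:+104w "$WORK/device_host.pub"
}

# Principals recorded in a certificate, one per line, parsed from ssh-keygen -L.
cert_principals() {
  ssh-keygen -L -f "$1" | sed -n '/Principals:/,/Critical Options:/p' \
    | sed '1d;$d' | tr -d ' \t'
}

# Emulate sshd's AuthorizedPrincipalsFile check: accept if any principal in the
# certificate appears in the file (one name per line, '#' comments ignored).
principal_allowed() {
  cert_principals "$1" > "$WORK/.principals"
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    if grep -v '^#' "$2" | grep -qxF -- "$p"; then return 0; fi
  done < "$WORK/.principals"
  return 1
}

# SHA256 fingerprint of the CA that signed a certificate, and of a CA public
# key, so a cert can be checked against the expected CA before it is trusted.
cert_signing_ca() {
  ssh-keygen -L -f "$1" | sed -n 's/.*Signing CA: [A-Z0-9]* \(SHA256:[^ ]*\).*/\1/p'
}
ca_fingerprint() {
  ssh-keygen -lf "$1" | awk '{print $2}'
}

# Junos statements from the release notes; the device-side paths are assumed.
# Copy user_ca.pub, device_host-cert.pub and the principals file to the device.
junos_config() {
  cat <<'EOF'
set system services ssh trusted-user-ca-key-file /var/tmp/user_ca.pub
set system services ssh host-certificate-file /var/tmp/device_host-cert.pub
set system services ssh authorized-principals-file /var/etc/authorized_principals
EOF
}

# Client side: one @cert-authority line for the host CA replaces per-device
# fingerprint verification for every host whose certificate that CA signed.
known_hosts_line() {
  printf '@cert-authority %s %s\n' "$1" "$(cut -d' ' -f1,2 "$WORK/host_ca.pub")"
}

main() {
  make_cas
  sign_user_key 'netops,alice' 'alice@laptop'
  sign_host_key 'ptx10008.example.net'
  printf '# ops team\nnetops\n' > "$WORK/authorized_principals"   # constructed input
  echo "certificate principals:"; cert_principals "$WORK/operator-cert.pub"
  if principal_allowed "$WORK/operator-cert.pub" "$WORK/authorized_principals"; then
    echo "login would be accepted (principal listed)"
  else
    echo "login would be rejected (no listed principal)"
  fi
  echo "host cert signed by: $(cert_signing_ca "$WORK/device_host-cert.pub")"
  echo "host CA fingerprint: $(ca_fingerprint "$WORK/host_ca.pub")"
  junos_config
  known_hosts_line '*.example.net'
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh ssh-ca-demo.sh run`. ssh picks up operator-cert.pub automatically next to the operator private key, so `ssh -i operator netops@ptx10008.example.net` presents the certificate; the device accepts it only if the signing CA is in the trusted-user-ca-key-file, the certificate is inside its validity window, and one of its principals is in the authorized-principals file. Keep user certificate validity short and the user CA key offline: the four statements listed above do not cover a RevokedKeys file, so validity is the main control over a lost operator key.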
- SSH Hostkey Algorithm Update (ACX7100-32C, ACX7100-48L, PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016)—Starting in Junos OS Evolved Release 23.4R1, the hostkey-algorithm SSH configuration option has been replaced with hostkey-algorithm-list, and the ecdsa-sha2-nistp384 and ecdsa-sha2-nistp521 host key algorithms are now supported. The hostkey-algorithm-list configuration option is at the [edit system services ssh] hierarchy level. [See hostkey-algorithm.]
- Background File Transfer for SCP/SSH (ACX7100-32C, ACX7100-48L, PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016)—Starting in Junos OS Evolved Release 23.4R1, you can transfer files in the background via SCP/SSH. To configure background file transfers, include the archive-sites configuration statement at the [edit system archival configuration] hierarchy level. [See Understanding BFD.]
- Control device access privileges with exact match configuration (ACX7024, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509, PTX10001-36MR, PTX10003, PTX10004, PTX10008, PTX10016)—Starting in Junos OS Evolved Release 23.4R1, you can configure access privileges for login classes by allowing or denying full hierarchy strings with the allow-configuration-exact-match and deny-configuration-exact-match configuration options. The exact match configuration enables you to set separate permissions for the set, delete, activate, and deactivate operators on any hierarchy. The allow-configuration-exact-match and deny-configuration-exact-match configuration options accept full hierarchy strings as well as wildcard characters and regular expressions. [See Understanding Exact Match Access Privileges for Login Classes.]