Authentication and Access Control

  • OpenSSH certificate support (PTX10008 and PTX10016)—Starting in Junos OS Evolved Release 23.4R1, you can set up SSH access to a device with password-less login for users. You can also trust hosts without the need to verify the key fingerprints.

    Use the following new CLI configuration statements to configure SSH certificate-based authentication:

    • system services ssh trusted-user-ca-key-file filename—Configure the TrustedUserCAKey file at /etc/ssh/sshd_config, which contains the public keys of an SSH certificate.

    • system services ssh host-certificate-file filename—Configure the HostCertificate file at /etc/ssh/sshd_config, which contains the signed host certificate.

    • system services ssh authorized-principals-file filename—Configure the AuthorizedPrincipals file at /var/etc, which contains a list of names, one of which must appear in the certificate for it to be accepted for authentication.

    • system services ssh authorized-principals-command program-path—Specify a program to be used for generating the list of allowed certificate principals found in the AuthorizedPrincipals file.

    [See SSH Certificate-Based Authentication Overview.]

  • SSH Hostkey Algorithm Update (ACX7100-32C, ACX7100-48L, PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016)—Starting in Junos OS Evolved Release 23.4R1, the hostkey-algorithm SSH configuration option has been replaced with hostkey-algorithm-list, and the ecdsa-sha2-nistp384 and ecdsa-sha2-nistp521 hostkey algorithms are now supported.

    You can find the hostkey-algorithm-list configuration option at the [edit system services ssh] hierarchy level.

    [See hostkey-algorithm.]

  • Background File Transfer for SCP/SSH (ACX7100-32C, ACX7100-48L, PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016)—Starting in Junos OS Evolved Release 23.4R1, you can transfer files in the background via SCP/SSH. To configure background file transfers, include the archive-sites configuration statement at the [edit system archival configuration] hierarchy level.

    [See Understanding BFD.]

  • Control device access privileges with exact match configuration (ACX7024, ACX7100-32C, ACX7100-48L, ACX7348, ACX7509, PTX10001-36MR, PTX10003, PTX10004, PTX10008, PTX10016)—Starting in Junos OS Evolved Release 23.4R1, you can configure access privileges for login classes by allowing or denying full hierarchy strings with the allow-configuration-exact-match and deny-configuration-exact-match configuration options. The exact match configuration enables you to set separate permissions for set, delete, activate, or deactivate operators for any hierarchy.

    The allow-configuration-exact-match and deny-configuration-exact-match configuration options support full hierarchy strings as well as wildcard characters and regular expressions.

    [See Understanding Exact Match Access Privileges for Login Classes.]
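
The OpenSSH certificate workflow behind the SSH certificate statements above, as an added example that is not from the Junos OS Evolved documentation: it builds a disposable lab with stock ssh-keygen, signs one user and one host certificate, and checks each certificate's principals against a principals list. All file names, key IDs, principals and the host name are constructed; user_ca.pub, host_key-cert.pub and principals are the kinds of file that trusted-user-ca-key-file, host-certificate-file and authorized-principals-file refer to.

```shell
#!/bin/sh
# Added example: throwaway lab CA material, all names and values constructed.
set -eu

build_lab() {  # $1 = empty working directory
    for k in user_ca host_ca id_user host_key; do
        # -N '' leaves keys unencrypted: acceptable only for a disposable lab.
        ssh-keygen -q -t ed25519 -N '' -C "constructed $k" -f "$1/$k"
    done
    # User certificate: key ID for audit logs, one principal, short lifetime.
    ssh-keygen -q -s "$1/user_ca" -I alice-laptop -n netops -V +1h "$1/id_user.pub"
    # Host certificate (-h): the principal is the name clients connect to.
    ssh-keygen -q -s "$1/host_ca" -I lab-router -h -n router.example.net \
        -V +52w "$1/host_key.pub"
    # Principals list in the format sshd's AuthorizedPrincipalsFile expects.
    printf 'netops\nsecops\n' > "$1/principals"
}

cert_type() {  # $1 = certificate; prints "user" or "host"
    ssh-keygen -L -f "$1" | awk '/Type:/ {print $3}'
}

cert_principals() {  # $1 = certificate; prints one principal per line
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

principal_allowed() {  # $1 = certificate, $2 = principals file (plain names)
    cert_principals "$1" | grep -Fxq -f "$2"
}

lab=$(mktemp -d)
build_lab "$lab"
echo "user cert: type=$(cert_type "$lab/id_user-cert.pub")" \
     "principals=$(cert_principals "$lab/id_user-cert.pub")"
if principal_allowed "$lab/id_user-cert.pub" "$lab/principals"; then
    echo "user certificate principal is on the list"
fi
if ! principal_allowed "$lab/host_key-cert.pub" "$lab/principals"; then
    echo "host certificate principal is not a login principal"
fi
rm -rf "$lab"
```

Using separate CAs for users and hosts, as here, keeps a key that can vouch for hosts from also being able to mint login certificates.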