Configuring SSH Host Keys for Secure Copying of Data

Secure Shell (SSH) uses encryption algorithms to generate a host, server, and session key system that ensures secure data transfer. You can configure SSH host keys to support secure copy (SCP) as an alternative to FTP for the background transfer of data such as configuration archives and event logs. To configure SSH support for SCP, you must complete the following tasks:

  • Specify SSH known hosts by including hostnames and host key information in the Routing Engine configuration hierarchy.

  • Set an SCP URL to specify the host from which to receive data. Setting this attribute automatically retrieves SSH host key information from the SCP server.

  • Verify that the host key is authentic.

  • Accept the secure connection. Accepting this connection automatically stores host key information in the local host key database. Storing host key information in the configuration hierarchy automates the secure handshake and allows background data transfer using SCP.

Tasks to configure SSH host keys for secure copying of data are:

Configuring SSH Known Hosts

To configure SSH known hosts, include the host statement, and specify hostname and host key options for trusted servers at the [edit security ssh-known-hosts] hierarchy level.

Host keys are one of the following:

  • dsa-key key—Base64 encoded Digital Signature Algorithm (DSA) key for SSH version 2.

  • ecdsa-sha2-nistp256-key key—Base64 encoded ECDSA-SHA2-NIST256 key.

  • ecdsa-sha2-nistp384-key key—Base64 encoded ECDSA-SHA2-NIST384 key.

  • ecdsa-sha2-nistp521-key key—Base64 encoded ECDSA-SHA2-NIST521 key.

  • ed25519-key key—Base64 encoded ED25519 key.

  • rsa-key key—Base64 encoded RSA public key; RSA supports encryption and digital signatures for SSH version 1 and SSH version 2.

  • rsa1-key key—Base64 encoded RSA public key; this variant supports encryption and digital signatures for SSH version 1 only.

Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated, rather than immediately removed, to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.

Configuring Support for SCP File Transfer

To configure a known host to support background SCP file transfers, include the archive-sites statement at the [edit system archival configuration] hierarchy level.

Note:

When specifying a URL in a Junos OS statement using an IPv6 host address, you must enclose the entire URL in quotation marks (" ") and enclose the IPv6 host address in brackets ([ ]). For example, "scp://username<:password>@[host]<:port>/url-path".

Setting the archive-sites statement to point to an SCP URL triggers automatic host key retrieval. At this point, Junos OS connects to the SCP host to fetch the SSH public key, displays the host key message digest or fingerprint as output to the console, and terminates the connection to the server.

To verify that the host key is authentic, compare this fingerprint with a fingerprint that you obtain from the same host using a trusted source. If the fingerprints are identical, accept the host key by entering yes at the prompt. The host key information is then stored in the Routing Engine configuration and supports background data transfers using SCP.

Updating SSH Host Key Information

Typically, SSH host key information is automatically retrieved when you set a URL attribute for SCP using the archival configuration archive-sites statement at the [edit system] hierarchy level. However, if you need to manually update the host key database, use one of the following methods.

Retrieving Host Key Information Manually

To manually retrieve SSH public host key information, use the fetch-from-server option with the set security ssh-known-hosts command. You must include a hostname attribute with the set security ssh-known-hosts fetch-from-server command to specify the host from which to retrieve the SSH public key.

Importing Host Key Information from a File

To manually import SSH host key information from the known-hosts file located at /var/tmp/known-hosts on the server, include the load-key-file option with the set security ssh-known-hosts command. You must include the path to the known-hosts file with the set security ssh-known-hosts load-key-file command to specify the location from which to import host key information.
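As an added example, not part of the Junos documentation, the following Python script carries out the two manual checks described in the sections above: it computes the SHA256 and MD5 fingerprints of a host key so that you can compare them with the value obtained from a trusted source, and it turns an OpenSSH known-hosts line into the equivalent set security ssh-known-hosts host commands, refusing entries whose declared key type does not match the type embedded in the key blob. The hostnames, the address 192.0.2.10 and the key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct

# Junos statement names from the list above, keyed by the OpenSSH key-type tag.
JUNOS_KEY_STATEMENT = {
    "ssh-rsa": "rsa-key",
    "ssh-dss": "dsa-key",
    "ecdsa-sha2-nistp256": "ecdsa-sha2-nistp256-key",
    "ecdsa-sha2-nistp384": "ecdsa-sha2-nistp384-key",
    "ecdsa-sha2-nistp521": "ecdsa-sha2-nistp521-key",
    "ssh-ed25519": "ed25519-key",
}

def parse_known_hosts_line(line: str):
    """Split one OpenSSH known_hosts line into (hostnames, declared type, base64 key)."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a host key entry")
    if fields[0].startswith("|1|"):  # hashed hostname: no plain name for a host statement
        raise ValueError("hashed hostname cannot be mapped to a Junos host statement")
    return fields[0].split(","), fields[1], fields[2]

def wire_key_type(blob: bytes) -> str:
    """Read the algorithm name embedded in the SSH wire-format public key (RFC 4253 string)."""
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii")

def fingerprints(key_b64: str):
    """Return the two forms a trusted source may quote: SHA256 (OpenSSH default) and legacy MD5."""
    blob = base64.b64decode(key_b64, validate=True)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return "SHA256:" + sha, "MD5:" + md5

def junos_set_commands(line: str):
    """Translate one known_hosts line into set commands; reject a declared type that disagrees with the blob."""
    hosts, declared, key_b64 = parse_known_hosts_line(line)
    embedded = wire_key_type(base64.b64decode(key_b64, validate=True))
    if embedded != declared:
        raise ValueError(f"declared {declared} but key blob is {embedded}")
    stmt = JUNOS_KEY_STATEMENT[declared]
    return [f"set security ssh-known-hosts host {h} {stmt} {key_b64}" for h in hosts]

# Constructed sample (not a real server key): an ed25519 key with a dummy 32-byte point.
SAMPLE_BLOB = struct.pack(">I11s", 11, b"ssh-ed25519") + struct.pack(">I32s", 32, bytes(range(32)))
SAMPLE_B64 = base64.b64encode(SAMPLE_BLOB).decode()
SAMPLE_LINE = f"archive.example.net,192.0.2.10 ssh-ed25519 {SAMPLE_B64}"
```

Calling fingerprints(SAMPLE_B64) gives the values to check against the console fingerprint, and junos_set_commands(SAMPLE_LINE) gives one set command per hostname in the entry.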

Release History Table

Release   Description
18.3R1    Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated, rather than immediately removed, to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.