Supported Platforms
Configuring SSH Host Keys for Secure Copying of Data
Secure Shell (SSH) uses encryption algorithms to generate a host, server, and session key system that ensures secure data transfer. You can configure SSH host keys to support secure copy (SCP) as an alternative to FTP for the background transfer of data such as configuration archives and event logs. To configure SSH support for SCP, you must complete the following tasks:
- Specify SSH known hosts by including hostnames and host key information in the Routing Engine configuration hierarchy.
- Set an SCP URL to specify the host from which to receive data. Setting this attribute automatically retrieves SSH host key information from the SCP server.
- Verify that the host key is authentic.
- Accept the secure connection. Accepting this connection automatically stores host key information in the local host key database. Storing host key information in the configuration hierarchy automates the secure handshake and allows background data transfer using SCP.
Tasks to configure SSH host keys for secure copying of data are:
- Configuring SSH Known Hosts
- Configuring Support for SCP File Transfer
- Updating SSH Host Key Information
Configuring SSH Known Hosts
To configure SSH known hosts, include the host statement, and specify hostname and host key options for trusted servers at the [edit security ssh-known-hosts] hierarchy level:
Host keys are one of the following:
- dsa-key—Base64 encoded Digital Signature Algorithm (DSA) key.
- rsa-key—Base64 encoded RSA public key algorithm, which supports encryption and digital signatures.
- rsa1-key—Base64 encoded RSA public key algorithm, which supports encryption and digital signatures for SSH version 1 and SSH version 2.
Configuring Support for SCP File Transfer
To configure a known host to support background SCP file transfers, include the archive-sites statement at the [edit system archival configuration] hierarchy level.
 | Note: When specifying a URL in a Junos OS statement using an IPv6 host address, you must enclose the entire URL in quotation marks (" ") and enclose the IPv6 host address in brackets ([ ]). For example, “scp://username<:password>@[host]<:port>/url-path”; |
Setting the archive-sites statement to point to an SCP URL triggers automatic host key retrieval. At this point, Junos OS connects to the SCP host to fetch the SSH public key, displays the host key message digest or fingerprint as output to the console, and terminates the connection to the server.
To verify that the host key is authentic, compare this fingerprint with a fingerprint that you obtain from the same host using a trusted source. If the fingerprints are identical, accept the host key by entering yes at the prompt. The host key information is then stored in the Routing Engine configuration and supports background data transfers using SCP.
Updating SSH Host Key Information
Typically, SSH host key information is automatically retrieved when you set a URL attribute for SCP using the archival configuration archive-sites statement at the [edit system] hierarchy level. However, if you need to manually update the host key database, use one of the following methods.
Retrieving Host Key Information Manually
To manually retrieve SSH public host key information, use the fetch-from-server option with the set security ssh-known-hosts command. You must include a hostname attribute with the set security ssh-known-hosts fetch-from-server command to specify the host from which to retrieve the SSH public key.
Importing Host Key Information from a File
To manually import SSH host key information from the known-hosts file located at /var/tmp/known-hosts on the server, include the load-key-file option with the set security ssh-known-hosts command. You must include the path to the known-hosts file with the set security ssh-known-hosts load-key-file command to specify the location from which to import host key information.
