Configuring Outbound SSH Service
You can configure a router or switch running the Junos OS to initiate a TCP/IP connection with a client management application that would be blocked if the client attempted to initiate the connection (for example, if the router or switch is behind a firewall). A single outbound-ssh configuration statement instructs the router or switch to create a TCP/IP connection with the client management application and to forward the identity of the router or switch. Once the connection is established, the management application initiates the SSH sequence as the SSH client, and the router or switch acts as the SSH server and authenticates the client.
Note: There is no initiation command with outbound SSH. Once outbound SSH is configured and committed, the router or switch begins to initiate an outbound SSH connection based on the committed configuration. It continues to attempt to create this connection until successful. If the connection between the router or switch and the client management application is broken, the router or switch again attempts to create a new outbound SSH connection until successful. This connection is maintained until the outbound SSH stanza is removed from the configuration.
To configure the router or switch for outbound SSH connections, include the outbound-ssh statement at the [edit system services] hierarchy level:
The following topics describe the tasks for configuring the outbound-SSH service:
- Configuring the Device Identifier for Outbound SSH Connections
- Sending the Public SSH Host Key to the Outbound SSH Client
- Configuring Keepalive Messages for Outbound SSH Connections
- Configuring a New Outbound SSH Connection
- Configuring the Outbound SSH Client to Accept NETCONF as an Available Service
- Configuring Outbound SSH Clients
Configuring the Device Identifier for Outbound SSH Connections
Each time the router or switch establishes an outbound SSH connection, it first sends an initiation sequence to the management client. This sequence identifies the router or switch to the management client. Within this transmission is the value of device-id.
To configure the device identifier of the router or switch, include the device-id statement at the [edit system services outbound-ssh client client-id] hierarchy level:
The initiation sequence when secret is not configured:
MSG-ID: DEVICE-CONN-INFO\r\n MSG-VER: V1\r\n DEVICE-ID: <device-id>\r\n
Sending the Public SSH Host Key to the Outbound SSH Client
During the initialization of an SSH connection, the client authenticates the identity of the router or switch using the public SSH host key of the router or switch. Therefore, before the client can initiate the SSH sequence, it needs the public SSH key of the router or switch. When you configure the secret statement, the router or switch passes its public SSH key as part of the outbound SSH connection initiation sequence.
When the secret statement is set and the router or switch establishes an outbound SSH connection, the router or switch communicates its device ID, its public SSH key, and an SHA1 hash derived in part from the secret statement. The value of the secret statement is shared between the router or switch and the management client. The client uses the shared secret to authenticate the public SSH host key it is receiving to determine whether the public key is from the router or switch identified by the device-id statement.
Using the secret statement to transport the public SSH host key is optional. You can manually transport and install the public key onto the client system.
Note: Including the secret statement means that the router or switch sends its public SSH host key every time it establishes a connection to the client. It is then up to the client to decide what to do with the SSH host key if it already has one for that router or switch. We recommend that you replace the client’s copy with the new key. Host keys can change for various reasons and by replacing the key each time a connection is established, you ensure that the client has the latest key.
To send the router’s or switch’s public SSH host key when the router or switch connects to the client, include the secret statement at the [edit system services outbound-ssh client client-id] hierarchy level:
The following message is sent by the router or switch when the secret attribute is configured:
MSG-ID: DEVICE-CONN-INFO\r\n MSG-VER: V1\r\n DEVICE-ID: <device-id>\r\n HOST-KEY: <public-host-key>\r\n HMAC:<HMAC(pub-SSH-host-key, <secret>)>\r\n
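The following is an added example, not Juniper code, of how a client management application can parse the DEVICE-CONN-INFO initiation sequence shown above and use the shared secret to check the transmitted host key before pinning it. The page states only that the hash is SHA1-based and HMAC(pub-SSH-host-key, secret); the exact HMAC-SHA1 input and lowercase-hex encoding used here are assumptions, and all sample values are constructed.

```python
import hmac
import hashlib

# Constructed sample values (not from any real device or deployment).
SAMPLE_SECRET = "example-shared-secret"
SAMPLE_HOST_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7example"
SAMPLE_DEVICE_ID = "edge-router-1"


def build_conn_info(device_id, host_key=None, secret=None):
    """Build the initiation message in the layout the page shows.
    Assumption: the HMAC is HMAC-SHA1 keyed with the secret over the
    HOST-KEY text and sent as lowercase hex (encoding is not on the page)."""
    lines = ["MSG-ID: DEVICE-CONN-INFO", "MSG-VER: V1", f"DEVICE-ID: {device_id}"]
    if secret is not None and host_key is not None:
        mac = hmac.new(secret.encode(), host_key.encode(), hashlib.sha1).hexdigest()
        lines += [f"HOST-KEY: {host_key}", f"HMAC:{mac}"]
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def parse_conn_info(raw):
    """Parse the CRLF-delimited 'NAME: value' lines and check the envelope."""
    fields = {}
    for line in raw.decode("ascii").split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    if fields.get("MSG-ID") != "DEVICE-CONN-INFO" or fields.get("MSG-VER") != "V1":
        raise ValueError("not a V1 DEVICE-CONN-INFO message")
    if "DEVICE-ID" not in fields:
        raise ValueError("DEVICE-ID missing")
    return fields


def host_key_from_conn_info(raw, secret, known_hosts):
    """Return the host key the SSH client should use for this device.
    Without a secret the key must already be installed out of band, so the stored
    copy is used. With a secret the transmitted key replaces the stored copy only
    if its HMAC verifies; a failed check refuses the key rather than trusting it."""
    fields = parse_conn_info(raw)
    device_id = fields["DEVICE-ID"]
    if secret is None:
        return known_hosts.get(device_id)
    host_key, mac = fields.get("HOST-KEY"), fields.get("HMAC")
    if host_key is None or mac is None:
        raise ValueError(f"{device_id}: secret configured but no HOST-KEY/HMAC sent")
    expected = hmac.new(secret.encode(), host_key.encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, mac.lower()):
        raise ValueError(f"{device_id}: HOST-KEY failed HMAC check, not trusted")
    known_hosts[device_id] = host_key
    return host_key
```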
Configuring Keepalive Messages for Outbound SSH Connections
Once the client application has the router’s or switch’s public SSH host key, it can then initiate the SSH sequence as if it had created the TCP/IP connection and can authenticate the router or switch using its copy of the router’s or switch’s public SSH host key as part of that sequence. The router or switch authenticates the client user through the mechanisms supported in the Junos OS (RSA/DSA public string or password authentication).
To enable the router or switch to send SSH protocol keepalive messages to the client application, configure the keep-alive statement at the [edit system services outbound-ssh client client-id] hierarchy level:
The timeout statement specifies how long the router or switch waits to receive data before sending a request for acknowledgment from the application. The default is 15 seconds.
The retry statement specifies how many keepalive messages the router or switch sends without receiving a response from the client. When that number is exceeded, the router or switch disconnects from the application, ending the outbound SSH connection. The default is three retries.
Configuring a New Outbound SSH Connection
When disconnected, the router or switch begins to initiate a new outbound SSH connection. To specify how the router or switch reconnects to the server after a connection is dropped, include the reconnect-strategy statement at the [edit system services outbound-ssh client client-id] hierarchy level:
The sticky option configures the router or switch to reconnect to the server from which it disconnected.
The in-order option configures the router or switch to reconnect to the first configured server. If this server is unavailable, the router or switch tries to connect to the next configured server. This process repeats until a connection is completed.
You can also specify the number of retry attempts and set the amount of time before the reconnection attempts stop. See Configuring Keepalive Messages for Outbound SSH Connections.
Configuring the Outbound SSH Client to Accept NETCONF as an Available Service
To configure the application to accept NETCONF as an available service, include the services netconf statement at the [edit system services outbound-ssh client client-id] hierarchy level:
Configuring Outbound SSH Clients
To configure the clients available for this outbound SSH connection, list each client with a separate address statement at the [edit system services outbound-ssh client client-id] hierarchy level:
The client client-id value is not forwarded to the client management application. This value serves to uniquely identify the outbound-ssh configuration stanza. Each outbound-ssh stanza represents a single outbound SSH connection. Thus, the administrator is free to assign the client-id any meaningful unique value.
The address address statement is the IP address or host name of the client.
The timeout statement specifies how long the application waits between attempts to reconnect to the specified IP address, in seconds. The default is 15 seconds.
The retry statement specifies how many connection attempts a router or switch can make to the specified IP address. The default is 3.
The port statement specifies the port at which a server listens for outbound SSH connection requests.