Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Prerequisites for Establishing an SSH Connection for NETCONF Sessions

Before the configuration management server establishes an SSH connection with a device running Junos OS, you must satisfy the requirements discussed in the following sections.

1. Installing SSH Software on the Configuration Management Server
2. Configuring a User Account for the Client Application on Devices Running Junos OS
3. Configuring a Public/Private Key Pair or Password for the Junos OS User Account
4. Accessing the Keys or Password with the Client Application
5. Enabling NETCONF Service over SSH

Installing SSH Software on the Configuration Management Server

The configuration management server handles the SSH connection between the configuration management server and the device running Junos OS. Therefore, the SSH software must be installed locally on the configuration management server.

If the client application accessing the NETCONF server uses the NETCONF Java Toolkit or the NETCONF Perl module provided by Juniper Networks, no further action is necessary. The NETCONF Java Toolkit includes SSH software, and as part of the installation procedure for the NETCONF Perl module, you install a prerequisites package that includes the necessary SSH software. If the client application does not use the NETCONF Java Toolkit or the NETCONF Perl module, obtain the SSH software and install it on the configuration management server where the client application runs. For information about obtaining and installing SSH software, see http://www.ssh.com/ and http://www.openssh.com/ .

Configuring a User Account for the Client Application on Devices Running Junos OS

When establishing a NETCONF session, the configuration management server must log in to the device running Junos OS. Thus, each configuration management server needs a user account on each device where a NETCONF session will be established. The following instructions explain how to create a login account on devices running Junos OS. Alternatively, you can skip this section and enable authentication through RADIUS or TACACS+; for instructions, see the Junos OS Administration Library for Routing Devices.

To determine whether a login account exists on a device running Junos OS, enter CLI configuration mode on the device and issue the following commands:

1. Configure the user statement at the [edit system login] hierarchy level and specify a username. Include the class statement, and specify a login class that has the permissions required for all actions to be performed by the application.
   [edit system login]user@host# set user username class class-name
2. Optionally, include the full-name and uid statements at the [edit system login user username] hierarchy level.
3. Commit the configuration to activate the user account on the device.
   [edit]user@host# commit
4. Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.

Configuring a Public/Private Key Pair or Password for the Junos OS User Account

The configuration management server needs an SSH public/private key pair, a text-based password, or both before it can authenticate with the NETCONF server. A public/private key pair is sufficient if the account is used only to connect to the NETCONF server through SSH. If the account is also used to access the device in other ways (for login on the console, for example), it must have a text-based password. The password is also used (the SSH server prompts for it) if key-based authentication is configured but fails.

Note: You can skip this section if you have chosen to enable authentication through RADIUS or TACACS+, as described in the Junos OS Administration Library for Routing Devices.

1. Include either the plain-text-password or encrypted-password statement at the [edit system login user username authentication] hierarchy level.

   To enter a password as text, issue the following command. You are prompted for the password, which is encrypted before being stored.

   [edit system login user username authentication]user@host# set plain-text-password New password: password Retype new password: password

   To store a password that you have previously created and hashed using Message Digest 5 (MD5) or Secure Hash Algorithm 1 (SHA-1), issue the following command:

   [edit system login user username authentication]user@host# set encrypted-password "password"
2. Commit the configuration.
   [edit system login user username authentication]user@host# commit
3. Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.

1. Issue the ssh-keygen command in the standard command shell (not the Junos OS CLI) on the configuration management server where the client application runs.

   By providing the appropriate arguments, you encode the public key with either RSA (supported by SSH versions 1 and 2) or the Digital Signature Algorithm (DSA, supported by SSH version 2). For more information, see the manual page for the ssh-keygen command. Junos OS uses SSH version 2 by default, but also supports version 1.

   % ssh-keygen options
2. Associate the public key with the Junos OS login account by including the load-key-file statement at the [edit system login user account-name authentication] hierarchy level.
   [edit system login user username authentication]user@host# set load-key-file URL

   Junos OS copies the contents of the specified file onto the device running Junos OS. URL is the path to the file that contains one or more public keys. The ssh-keygen command by default stores each public key in a file in the .ssh subdirectory of the user home directory; the filename depends on the encoding (DSA or RSA) and SSH version. For information about specifying URLs, see the CLI User Guide.

   Alternatively, you can include one or both of the ssh-dsa and ssh-rsa ssh-dsastatements at the [edit system login user account-name authentication] hierarchy level. We recommend using the load-key-file statement, however, because it eliminates the need to type or cut-and-paste the public key on the command line. For more information about the ssh-dsa and ssh-rsa statements, see the Junos OS Administration Library for Routing Devices.

3. Commit the configuration.
   [edit]user@host# commit
4. Repeat Step 2 and Step 3 on each device running Junos OS where the client application establishes NETCONF sessions.

Accessing the Keys or Password with the Client Application

The client application must be able to access the public/private keys or password you created in Configuring a Public/Private Key Pair or Password for the Junos OS User Account and provide it when the NETCONF server prompts for it.

• If public/private keys are used, the ssh-agent program runs on the computer where the client application runs, and handles the private key.

• When a user starts the application, the application prompts the user for the password and stores it temporarily in a secure manner.

• The password is stored in encrypted form in a secure local-disk location or in a secured database.

Enabling NETCONF Service over SSH

RFC 4742, Using the NETCONF Configuration Protocol over Secure SHell (SSH), requires that the NETCONF server, by default, provide the client device with access to the NETCONF SSH subsystem when the SSH session is established over a dedicated IANA-assigned TCP port. Use of a dedicated port makes it easy to identify and filter NETCONF traffic. The IANA-assigned port for NETCONF-over-SSH sessions is 830.

You also can configure the server to allow access to the NETCONF SSH subsystem either over the default SSH port (22) or over a port number that is explicitly configured. An explicitly configured port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests. If SSH services are enabled on the server, the default SSH port (22) continues to accept NETCONF sessions even when an alternate NETCONF-over-SSH port is configured. For added security, you can configure event policies that utilize UI_LOGIN_EVENT information to effectively disable the default port or further restrict NETCONF server access on a port.

To enable NETCONF service over SSH on a device running Junos OS, perform the following steps:

1. Include one of the following statements at the indicated configuration hierarchy level:
   • To enable access to the NETCONF SSH subsystem using the default NETCONF-over-SSH port (830) as specified by RFC 4742, include the ssh statement at the [edit system services netconf] hierarchy level:
     [edit system services]user@host# set netconf ssh
   • To enable access to the NETCONF SSH subsystem using a specified port number, configure the port statement with the desired port number at the [edit system services netconf ssh] hierarchy level.
     [edit system services]user@host# set netconf ssh port port-number

     The port-number can range from 1 through 65535. The configured port accepts only NETCONF-over-SSH sessions and rejects regular SSH session requests.

     Note: Although NETCONF-over-SSH can be configured on any port from 1 through 65535, you should avoid configuring access on a port that is normally assigned for another service. This practice avoids potential resource conflicts. If you configure NETCONF-over-SSH on a port assigned for another service, such as FTP, and that service is enabled, a commit check does not reveal a resource conflict or issue any warning message to that effect.

   • To enable access to the NETCONF SSH subsystem using the default SSH port (22), include the ssh statement at the [edit system services] hierarchy level. This configuration enables SSH access to the device for all users and applications. The ssh statement can be included in the configuration in addition to the configuration statements listed previously.
     [edit system services]user@host# set ssh
2. Commit the configuration:
   [edit]user@host# commit
3. Repeat the preceding steps on each device running Junos OS where the client application establishes NETCONF sessions.