- play_arrow Port Security
- play_arrow Port Security Overview
-
- play_arrow IPSec
- play_arrow Understanding IPsec and Security Associations
- play_arrow IPsec Configurations and Examples
- play_arrow Configuring IPsec Security Associations
- play_arrow Using Digital Certificates for IPsec
- play_arrow Additional IPsec Options
- play_arrow Configuring IPsec Dynamic Endpoints
- play_arrow Additional ES and AS PIC Configuration Examples
- Example: ES PIC Manual SA Configuration
- Example: AS PIC Manual SA Configuration
- Example: ES PIC IKE Dynamic SA Configuration
- Example: AS PIC IKE Dynamic SA Configuration
- Example: IKE Dynamic SA Between an AS PIC and an ES PIC Configuration
- Example: AS PIC IKE Dynamic SA with Digital Certificates Configuration
- Example: Dynamic Endpoint Tunneling Configuration
-
- play_arrow Trusted Platform Module
- play_arrow MACsec
- play_arrow Understanding MACsec
- play_arrow MACsec Examples
-
- play_arrow MAC Limiting and Move Limiting
- play_arrow MAC Limiting and Move Limiting Configurations and Examples
- Understanding MAC Limiting and MAC Move Limiting
- Understanding MAC Limiting on Layer 3 Routing Interfaces
- Understanding and Using Persistent MAC Learning
- Configuring MAC Limiting
- Example: Configuring MAC Limiting
- Verifying That MAC Limiting Is Working Correctly
- Override a MAC Limit Applied to All Interfaces
- Configuring MAC Move Limiting (ELS)
- Verifying That MAC Move Limiting Is Working Correctly
- Verifying That the Port Error Disable Setting Is Working Correctly
-
- play_arrow DHCP Protection
- play_arrow DHCPv4 and DHCPv6
- play_arrow DHCP Snooping
- Understanding DHCP Snooping (ELS)
- Understanding DHCP Snooping (non-ELS)
- Understanding DHCP Snooping Trust-All Configuration
- Enabling DHCP Snooping (non-ELS)
- Configuring Static DHCP IP Addresses
- Example: Protecting Against Address Spoofing and Layer 2 DoS Attacks
- Example: Protecting Against DHCP Snooping Database Attacks
- Example: Protecting Against ARP Spoofing Attacks
- Example: Prioritizing Snooped and Inspected Packet
- Configuring DHCP Security with Q-in-Q Tunneling in Service Provider Style
- play_arrow DHCP Option 82
- play_arrow Dynamic ARP Inspection (DAI)
-
- play_arrow IP Source Guard
- play_arrow Understanding IP Source Guard
- play_arrow IP Source Guard Examples
- Example: Configuring IP Source Guard on a Data VLAN That Shares an Interface with a Voice VLAN
- Example: Configuring IP Source Guard with Other EX Series Switch Features to Mitigate Address-Spoofing Attacks on Untrusted Access Interfaces
- Example: Configuring IP Source Guard and Dynamic ARP Inspection to Protect the Switch from IP Spoofing and ARP Spoofing
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
- Configuring IP Source Guard to Mitigate the Effects of Source IP Address Spoofing and Source MAC Address Spoofing
- Example: Configuring IP Source Guard and Dynamic ARP Inspection on a Specified Bridge Domain to Protect the Devices Against Attacks
- Example: Configuring IPv6 Source Guard and Neighbor Discovery Inspection to Protect a Switch from IPv6 Address Spoofing
-
- play_arrow IPv6 Access Security
- play_arrow Neighbor Discovery Protocol
- play_arrow SLAAC Snooping
- play_arrow Router Advertisement Guard
-
- play_arrow Control Plane Distributed Denial-of-Service (DDoS) Protection and Flow Detection
- play_arrow Control Plane DDoS Protection
- play_arrow Flow Detection and Culprit Flows
-
- play_arrow Unicast Forwarding
- play_arrow Unicast Reverse Path Forwarding
- play_arrow Unknown Unicast Forwarding
-
- play_arrow Storm Control
- play_arrow Malware Protection
- play_arrow Juniper Malware Removal Tool
-
- play_arrow Configuration Statements and Operational Commands
Configure SSH Known Host Keys for Secure Copying of Data
Secure Shell (SSH) uses encryption algorithms to generate a host, server, and session key system that ensures secure data transfer. You can configure SSH host keys to support secure copy (SCP) as an alternative to FTP for the background transfer of data such as configuration archives and event logs. To configure SSH support for SCP, you must complete the following tasks:
Specify SSH known hosts by including hostnames and host key information in the Routing Engine configuration hierarchy.
Set an SCP URL to specify the host from which to receive data. Setting this attribute automatically retrieves SSH host key information from the SCP server.
Verify that the host key is authentic.
Accept the secure connection. Accepting this connection automatically stores host key information in the local host key database. Storing host key information in the configuration hierarchy automates the secure handshake and allows background data transfer using SCP.
Tasks to configure SSH host keys for secure copying of data are:
Configure SSH Known Hosts
To configure SSH known hosts, include the host statement, and
specify hostname and host key options for trusted servers at the [edit
security ssh-known-hosts] hierarchy level:
[edit security ssh-known-hosts]
host corporate-archive-server {
dsa-key key;
}
host archive-server-url {
rsa-key key;
}
host server-with-ssh-version-1 {
rsa1-key key;
}
Host keys are one of the following:
dsa-key key—Base64 encoded Digital Signature Algorithm (DSA) key for SSH version 2.ecdsa-sha2-nistp256-keykey—Base64 encoded ECDSA-SHA2-NIST256 key.ecdsa-sha2-nistp384-keykey—Base64 encoded ECDSA-SHA2-NIST384 key.ecdsa-sha2-nistp521-keykey—Base64 encoded ECDSA-SHA2-NIST521 key.ed25519-keykey—Base64 encoded ED25519 key.rsa-key key—Base64 encoded public key algorithm that supports encryption and digital signatures for SSH version 1 and SSH version 2.rsa1-key key—Base64 encoded RSA public key algorithm, which supports encryption and digital signatures for SSH version 1.
Configure Support for SCP File Transfer
To configure a known host to support background SCP file transfers, include the
archive-sites statement at the [edit system
archival configuration] hierarchy level.
[edit system archival configuration]
archive-sites {
scp://username<:password>@host<:port>/url-path;
}
When specifying a URL in a Junos OS statement using an IPv6 host address, you must enclose the entire URL in quotation marks (" ") and enclose the IPv6 host address in brackets ([ ]). For example, “scp://username<:password>@[host]<:port>/url-path”;
Setting the archive-sites statement to point to an SCP URL
triggers automatic host key retrieval. At this point, Junos OS connects to the SCP host to fetch the SSH
public key, displays the host key message digest or fingerprint as output to the
console, and terminates the connection to the server.
user@host# set system archival configuration archive-sites “<scp-url-path>” The authenticity of host <my-archive-server (<server-ip-address>)> can’t be established. RSA key fingerprint is <ascii-text key>. Are you sure you want to continue connecting (yes/no)?
To verify that the host key is authentic, compare this fingerprint with a fingerprint that you obtain from the same host using a trusted source. If the fingerprints are identical, accept the host key by entering yes at the prompt. The host key information is then stored in the Routing Engine configuration and supports background data transfers using SCP.
Update SSH Host Key Information
Typically, SSH host key information is automatically retrieved when you set a URL
attribute for SCP using the archival configuration archive-sites
statement at the [edit system] hierarchy level. However, if you
need to manually update the host key database, use one of the following methods.
Retrieve Host Key Information Manually
To manually retrieve SSH public host key information, configure the
fetch-from-server option at the [edit security
ssh-known-hosts] hierarchy level. You must to specify the host
from which to retrieve the SSH public key.
user@host# set security ssh-known-hosts fetch-from-server <hostname>
Import Host Key Information from a File
To manually import SSH host key information from a
known_hosts file, include the
load-key-file option at the [edit security
ssh-known-hosts] hierarchy level. You must specify the path to
the file from which to import host key information.
user@host# set security ssh-known-hosts load-key-file /var/tmp/known-hosts
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
ssh-dss
and ssh-dsa hostkey algorithms are deprecated— rather than
immediately removed—to provide backward compatibility and a chance to bring your
configuration into compliance with the new configuration.