Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos PyEZ Junos PyEZ Developer Guide Connect to and Retrieve Facts From a Device Using Junos PyEZ

Junos PyEZ Developer Guide

keyboard_arrow_up
close
keyboard_arrow_left
Junos PyEZ Developer Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Authenticate Junos PyEZ Users

date_range 20-May-24
arrow_backward
arrow_forward

Junos PyEZ applications can authenticate users using standard SSH authentication mechanisms, including passwords and SSH keys.

Junos PyEZ User Authentication Overview

Junos PyEZ enables you to directly connect to and manage Junos devices using a serial console connection, telnet, or a NETCONF session over SSH. In addition, Junos PyEZ also supports connecting to the device through a telnet or SSH connection to a console server that is connected to the device’s CONSOLE port. The device must be able to authenticate the user using either a password or other standard SSH authentication mechanisms, depending on the connection method. When you manage Junos devices through an SSH connection, the most convenient and secure way to access a device is to configure SSH keys. SSH keys enable the remote device to identify trusted users.

You can perform device operations using any user account that has access to the managed Junos device. You can explicitly define the user when creating a new instance of the jnpr.junos.device.Device class, or if you do not specify a user in the parameter list, the user defaults to $USER.

For SSH connections, Junos PyEZ automatically queries the default SSH configuration file at ~/.ssh/config, if one exists, unless the Device argument list includes the ssh_config argument to specify a different configuration file. Junos PyEZ uses any relevant settings in the SSH configuration file for the given connection that are not overridden by the arguments in the Device argument list, such as the user or the identity file.

When the Junos PyEZ client uses SSH to connect to either the Junos device or to a console server connected to the device, Junos PyEZ first attempts SSH public key-based authentication and then tries password-based authentication. When SSH keys are in use, the supplied password is used as the passphrase for unlocking the private key. When password-based authentication is used, the supplied password is used as the device password. If SSH public key-based authentication is being used and the SSH private key has an empty passphrase, then a password is not required. However, SSH private keys with empty passphrases are not recommended.

It is the user's responsibility to obtain the username and password authentication credentials in a secure manner appropriate for their environment. It is best practice to prompt for these authentication credentials during each invocation of the script rather than storing the credentials in an unencrypted format.

Authenticate Junos PyEZ Users Using a Password

To authenticate a Junos PyEZ user using a password:

  1. In your favorite editor, create a new file that uses the .py file extension.

    This example uses the filename junos-pyez-pw.py.

  2. Include code that prompts for the hostname to which to connect and the username and password for the Junos device and stores each value in a variable.
    content_copy zoom_out_map
    # Python 3
from jnpr.junos import Device
from getpass import getpass
import sys

hostname = input("Hostname: ")
junos_username = input("Junos OS username: ")
junos_password = getpass("Junos OS password: ")
  3. If the Junos PyEZ client connects to the device through an SSH connection to a console server, include code that prompts for the console server username and password and stores each value in a variable.
    content_copy zoom_out_map
    # login credentials required for SSH connection to console server
cs_username = input("Console server username: ")
cs_password = getpass("Console server password: ")
  4. In the Device constructor argument list:

    • Set the host argument to the variable containing the hostname

    • Set the user and passwd arguments to the variables containing the Junos OS login credentials

    • If the Junos PyEZ client connects through a console server using SSH, set the cs_user and cs_passwd arguments to the variables containing the console server login credentials.

    • Include any additional arguments required for the connection method

    The following example provides sample code for each of the different connection methods:

    content_copy zoom_out_map
    # Python 3
from jnpr.junos import Device
from getpass import getpass
import sys

hostname = input("Device hostname: ")
junos_username = input("Junos OS username: ")
junos_password = getpass("Junos OS password: ")

# login credentials required for SSH connection to console server
cs_username = input("Console server username: ")
cs_password = getpass("Console server password: ")


try: 
    # NETCONF session over SSH
    with Device(host=hostname, user=junos_username, passwd=junos_password) as dev:

    # Telnet connection to device or console server connected to device
    #with Device(host=hostname, user=junos_username, passwd=junos_password, mode='telnet', port='23') as dev:

    # Serial console connection to device
    #with Device(host=hostname, user=junos_username, passwd=junos_password, mode='serial', port='/dev/ttyUSB0') as dev:

    # SSH connection to console server connected to device
    #with Device(host=hostname, user=junos_username, passwd=junos_password, cs_user=cs_username, cs_passwd=cs_password, timeout=5) as dev:

        print (dev.facts)
except Exception as err:
    print (err)
    sys.exit(1)
    Note:

    All platforms running Junos OS have only the root user configured by default, without any password. When using Junos PyEZ to initially configure a new or zeroized device through a console connection, use user='root', and omit the passwd parameter.

  5. Execute the Junos PyEZ code, which prompts for the hostname, the Junos OS username and password, and the console server username and password (when requested) and does not echo the password on the command line.
    content_copy zoom_out_map
    bsmith@server:~$ python3 junos-pyez-pw.py
Device hostname: dc1a.example.com
Junos OS username: bsmith
Junos OS password:
Console server username: bsmith
Console server password:
{'domain': 'example.com', 'serialnumber': 'JNXXXXXXXXXX', 'ifd_style': 'CLASSIC', 'version_info': junos.version_info(major=(13, 3), type=R, minor=1, build=8), '2RE': True, 'hostname': 'dc1a', 'fqdn': 'dc1a.example.com', 'switch_style': 'NONE', 'version': '13.3R1.8', 'HOME': '/var/home/bsmith', 'model': 'MX240', 'RE0': {'status': 'OK', 'last_reboot_reason': 'Router rebooted after a normal shutdown.', 'model': 'RE-S-1300', 'up_time': '14 days, 17 hours, 45 minutes, 8 seconds'}, 'personality': 'MX'}

Authenticate Junos PyEZ Users Using SSH Keys

To use SSH keys in a Junos PyEZ application, you must first generate the keys on the configuration management server and configure the public key on each device to which the Junos PyEZ client will connect. To directly connect to the Junos device, configure the key on that device. To connect to a Junos device through a console server, configure the key on the console server. To use the keys, you must include the appropriate arguments in the Device argument list.

Junos PyEZ can utilize SSH keys that are actively loaded into an SSH key agent, keys that are generated in either the default location or a user-defined location, and keys that either use or forgo password protection. When connecting directly to a Junos device, if the Device arguments do not specify a password or SSH key file, Junos PyEZ first checks the SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location. When connecting to a console server, only password-protected keys are supported.

The following sections outline the steps for generating the SSH keys, configuring the keys on Junos devices, and using the keys to connect to the managed device:

Generate and Configure SSH Keys

To generate SSH keys on the configuration management server and configure the public key on Junos devices:

  1. On the server, generate the public and private SSH key pair for the desired user, and provide any required or desired options, for example:
    content_copy zoom_out_map
    user@server:~$ cd ~/.ssh
user@server:~/.ssh$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): id_rsa_dc
Enter passphrase (empty for no passphrase):  *****
Enter same passphrase again: *****
  2. (Optional) Load the key into the native SSH key agent.
  3. Configure the public key on each device to which the Junos PyEZ application will connect, which could include Junos devices or a console server connected to the Junos device.

    One method to configure the public key under the appropriate user account on a Junos device is to load the public key from a file.

    content_copy zoom_out_map
    [edit]
user@router# set system login user username authentication load-key-file URL
user@router# commit
  4. Verify that the key works by logging in to the device using the key.
    content_copy zoom_out_map
    user@server:~$ ssh -i ~/.ssh/id_rsa_dc router.example.com 
Enter passphrase for key '/home/user/.ssh/id_rsa_dc': 
user@router>

Reference SSH Keys in Junos PyEZ Applications

After generating the SSH key pair and configuring the public key on the remote device, you can use the key to connect to the device by including the appropriate arguments in the Device constructor code. The Device arguments are determined by the location of the key, whether the key is password-protected, whether the key is actively loaded into an SSH key agent, such as ssh-agent, and whether the user’s SSH configuration file already defines settings for that host. The following sections outline the various scenarios:

Authenticate the User Using an SSH Key Agent with Actively Loaded Keys

You can use an SSH key agent to securely store private keys and avoid repeatedly retyping the passphrase for password-protected keys. Junos PyEZ enables a client to connect directly to a Junos device using SSH keys that are actively loaded into an SSH key agent. When connecting to a Junos device, if the Device arguments do not specify a password or SSH key file, Junos PyEZ first checks the SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location.

To use SSH keys that are actively loaded into the native SSH key agent to connect directly to a Junos device:

  • In the Device argument list, you need only supply the required hostname and any desired variables.

    content_copy zoom_out_map
    dev = Device(host='router.example.com')

Authenticate the User Using SSH Keys Without Password Protection

Junos PyEZ enables a client to connect directly to a Junos device using SSH private keys that do not have password protection, although we do not recommend using SSH private keys with an empty passphrase. Junos PyEZ does not support connecting to a console server using SSH private keys with an empty passphrase.

To connect to a Junos device using SSH keys that are in the default location and do not have password protection:

  • In the Device argument list, you need only supply the required hostname and any desired variables.

    content_copy zoom_out_map
    dev = Device(host='router.example.com')

Junos PyEZ first checks the SSH keys that are loaded in any active SSH key agent and then checks the SSH keys in the default location.

To connect to a Junos device using SSH keys that are not in the default location and do not have password protection:

  • In the Device argument list, set the ssh_private_key_file argument to the path of the SSH private key.

    content_copy zoom_out_map
    dev = Device(host='router.example.com', ssh_private_key_file='/home/user/.ssh/id_rsa_dc')
    Note:

    If the user’s SSH configuration file already specifies the local SSH private key file path for a given host, you can omit the ssh_private_key_file argument in the Device argument list. Including the ssh_private_key_file argument overrides any existing IdentityFile value defined for a host in the user’s SSH configuration file.

Authenticate the User Using Password-Protected SSH Key Files

Junos PyEZ clients can use password-protected SSH key files to connect directly to a Junos device or to connect to a console server connected to the device.

To connect directly to a Junos device using a password-protected SSH key file:

  1. Include code that prompts for the SSH private key password and stores the value in a variable.
    content_copy zoom_out_map
    from jnpr.junos import Device
from getpass import getpass

key_password = getpass('Password for SSH private key file: ')
  2. In the Device argument list, set the passwd argument to reference the variable containing the SSH key file password.

    If the key is not in the default location and the file path is not already defined in the user’s SSH configuration file, set the ssh_private_key_file argument to the path of the private key.

    content_copy zoom_out_map
    from jnpr.junos import Device
from getpass import getpass

key_password = getpass('Password for SSH private key file: ')

dev = Device(host='router.example.com', passwd=key_password, ssh_private_key_file='/home/user/.ssh/id_rsa_dc')
dev.open()
# ...
dev.close()

To connect to a Junos device through a console server using a password-protected SSH key file:

  1. Include code that prompts for the login credentials for the Junos device and stores each value in a variable.

    content_copy zoom_out_map
    from jnpr.junos import Device
from getpass import getpass

junos_username = input('Junos OS username: ')
junos_password = getpass('Junos OS password: ')

  2. Include code that prompts for the console server username and the SSH private key password and stores each value in a variable.

    content_copy zoom_out_map
    from jnpr.junos import Device
from getpass import getpass

junos_username = input('Junos OS username: ')
junos_password = getpass('Junos OS password: ')

cs_username = input('Console server username: ')
key_password = getpass('Password for SSH private key file: ')

  3. In the Device constructor argument list:

    • Set the host argument to the console server hostname or IP address

    • Set the user and passwd arguments to the variables containing the Junos OS login credentials

    • Set the cs_user argument to the variable containing the console server username

    • Set the cs_passwd argument to the variable containing the SSH key file password

    • Set the ssh_private_key_file argument to the path of the private key, if the key is not in the default location and the file path is not already defined in the user’s SSH configuration file

    content_copy zoom_out_map
    from jnpr.junos import Device
from getpass import getpass

junos_username = input('Junos OS username: ')
junos_password = getpass('Junos OS password: ')

cs_username = input('Console server username: ')
key_password = getpass('Password for SSH private key file: ')

with Device(host='router.example.com', user=junos_username, passwd=junos_password, cs_user=cs_username, cs_passwd=key_password, ssh_private_key_file='/home/user/.ssh/id_rsa_dc') as dev:
    print (dev.facts)
#   ...

Related Documentation

arrow_backward PREVIOUS Connect to Junos Devices Using Junos PyEZ
NEXT arrow_forward Use Junos PyEZ to Retrieve Facts from Junos Devices
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top