How to Authenticate Salt for Junos OS Users

Salt for Junos OS User Authentication Overview

When you use Salt to manage devices running Junos OS, the Junos proxy minion connects to the Salt master over the ZeroMQ event bus and uses the Juniper Junos PyEZ library to establish a NETCONF session over SSH with the device running Junos OS. The managed device must therefore be able to authenticate the Salt user with either a password or standard SSH public key authentication. The most convenient and secure way to access a device is to configure SSH keys, which let the remote device identify trusted users without a reusable secret in the pillar data. Alternatively, you can provide username and password credentials in the proxy configuration for a given device.

To use Salt to connect to and manage a device running Junos OS, you define the necessary connection and authentication information for the device under the proxy key in a pillar file on the Salt master. When you specify proxytype: junos, you can define many of the same connection and authentication parameters in the pillar data that you can specify in the Junos PyEZ Device() constructor.

The following sample pillar file shows the general connection and authentication parameters that you can define under the proxy key when you specify proxytype: junos. Table 1 outlines the parameters.

Table 1: Junos Proxy Parameters

Parameter
    Description

host: hostname
    Hostname or IP address of the device running Junos OS.

password: secret
    Device login password for the user when password authentication is used, or the passphrase that unlocks the user's SSH private key when key-based authentication is used (see the authentication order described below).

port: port
    Port on which to establish the NETCONF-over-SSH connection to the device running Junos OS.

proxytype: junos
    Specify that Salt should use the Junos proxy module to interface with the device running Junos OS.

ssh_config: file-path
    Path to the Salt user's SSH configuration file on the proxy minion server. You can omit this parameter if the SSH configuration file is in the default path (~/.ssh/config).

ssh_private_key_file: file-path
    Path to the Salt user's SSH private key file on the proxy minion server that the Junos proxy uses to authenticate with the device running Junos OS. You can omit this parameter if the user's SSH key file is in the default path or if the path is already defined in the SSH configuration file.

username: user
    Username used to authenticate with the device running Junos OS. Salt operations run with the privileges of that user's Junos OS login class, so use an account with only the permissions Salt needs.

Salt can perform device operations using any user account that has access to the managed device running Junos OS. You can explicitly specify the user by including the username parameter in the proxy configuration for a given device running Junos OS. You can also specify the user within an SSH configuration file. If you do not specify a user in either place, it defaults to the local user account under which the proxy minion process runs.

The Salt connection through Junos PyEZ automatically queries the user’s default SSH configuration file at ~/.ssh/config on the proxy minion server, if one exists, unless the proxy configuration for that device includes the ssh_config argument to specify a different configuration file. Salt uses any relevant settings in the SSH configuration file for the given connection that are not overridden by the parameters defined in the proxy configuration for that device, such as the user or the identity file.

The Junos proxy first attempts SSH public key-based authentication and then tries password-based authentication. The Junos proxy checks for SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location. When SSH keys are in use, the supplied password is used as the passphrase for unlocking the private key. When password-based authentication is used, the supplied password is used as the device password. If SSH public key-based authentication is being used and the SSH private key has an empty passphrase, then a password is not required; likewise, a key already unlocked in the agent needs no passphrase in the pillar data. However, we don't recommend using an SSH private key with an empty passphrase.

On the Salt master, the pillar top file maps the proxy ID to the pillar file containing the device’s proxy configuration.

When you start the Junos proxy minion process for the device running Junos OS and accept that proxy minion's key on the Salt master (for example, with salt-key), the proxy connects to the device using the configured authentication method. Note that the minion key accepted on the master is separate from the SSH keys used to authenticate with the device.

For detailed information about configuring the Salt servers, see How to Install Salt for Junos OS.

Authenticating the Salt User By Using a Password

To authenticate a Salt user by using a password:

  1. On the device running Junos OS, configure the user account with the password that will be used to connect to the device, and commit the configuration. For example:
  2. On the Salt master, in the pillar file containing the device’s proxy configuration, set the username and password parameters to the Junos OS login credentials for that device.
    Note:

    For information about securely storing sensitive data in Salt, see https://docs.saltstack.com/en/latest/topics/best_practices.html#storing-secure-data.

Authenticating the Salt User By Using SSH Keys

To use SSH keys to authenticate the Salt user, you must first generate the keys on the Salt proxy minion server and configure the public key on each device running Junos OS to which Salt will connect. To use the keys, you must include the appropriate parameters in the device’s proxy configuration on the Salt master. Salt connections through Junos PyEZ can use SSH keys that are actively loaded into an SSH key agent, SSH keys that are generated in either the default location or a user-defined location, and keys that either use or forgo password protection. The Junos proxy first checks for SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location under the user’s .ssh directory.

The following sections outline the steps for generating the SSH keys, configuring the keys on a device running Junos OS, and using the keys to connect to the managed device.

Generating and Configuring SSH Keys

To generate SSH keys on the Salt proxy minion server and configure the public key on devices running Junos OS:

  1. On the Salt proxy minion server, generate the public and private SSH key pair for the desired user, and provide any required or desired options, for example:
  2. (Optional) Load the key into the native SSH key agent using the commands specific to your OS and agent. For example:
  3. Configure the public key under the appropriate user account on each device running Junos OS to which Salt will connect.

    The easiest method to configure the public key on a device running Junos OS is to load a file containing the public key.

  4. Verify that the key works by logging in to the device using the key.
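The public key you paste into the Junos OS configuration in step 3 is easy to mangle (a wrapped line, a dropped character, the wrong key type label), and the device only rejects it when the login fails. The following script is an added example, not part of this page or of Salt or Junos PyEZ: it checks that an OpenSSH public-key line is internally consistent (the base64 blob really encodes a key of the declared type) and then emits the [edit system login] statements for steps 3 and 4. The keyword mapping (ssh-rsa, ssh-ecdsa, ssh-ed25519), the load-key-file form and the login class salt-automation are assumptions to verify against your Junos release and your own class definitions. The sample key line is constructed from dummy bytes and is not a real key.

```python
"""Validate an OpenSSH public-key line before loading it on a device running
Junos OS and emit the matching [edit system login] statements.
Added example; the Junos keyword mapping and statement forms are assumptions."""
import base64
import struct

# Junos 'authentication' keyword per OpenSSH key type (assumed mapping).
JUNOS_KEYWORD = {
    "ssh-rsa": "ssh-rsa",
    "ssh-ed25519": "ssh-ed25519",
    "ecdsa-sha2-nistp256": "ssh-ecdsa",
    "ecdsa-sha2-nistp384": "ssh-ecdsa",
    "ecdsa-sha2-nistp521": "ssh-ecdsa",
}


def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    data = blob[offset + 4:offset + 4 + n]
    if len(data) != n:
        raise ValueError("truncated key blob")
    return data, offset + 4 + n


def parse_openssh_pubkey(line: str) -> dict:
    """Parse '<type> <base64> [comment]' and check that the base64 blob really is
    a key of the declared type, so a cut-and-paste error is caught before commit."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if ktype not in JUNOS_KEYWORD:
        raise ValueError(f"key type {ktype} is not one this mapping knows")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    inner, off = _read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError(f"blob is a {inner.decode(errors='replace')} key, line says {ktype}")
    if ktype == "ssh-ed25519":
        pub, off = _read_string(blob, off)
        if len(pub) != 32 or off != len(blob):
            raise ValueError("malformed ed25519 public key")
    return {"type": ktype, "b64": b64, "comment": comment}


def junos_key_statements(user: str, login_class: str, key_line: str) -> list:
    """Configuration-mode 'set' statements that install the key inline (step 3)."""
    key = parse_openssh_pubkey(key_line)
    pub = f'{key["type"]} {key["b64"]}' + (f' {key["comment"]}' if key["comment"] else "")
    return [
        f"set system login user {user} class {login_class}",
        f'set system login user {user} authentication {JUNOS_KEYWORD[key["type"]]} "{pub}"',
    ]


def junos_load_key_file_statement(user: str, path_on_device: str) -> str:
    """Alternative form: load the public key from a file already copied to the device."""
    return f"set system login user {user} authentication load-key-file {path_on_device}"


def constructed_ed25519_line(comment: str = "salt@proxy-minion") -> str:
    """Build a syntactically valid ed25519 public-key line from a fixed dummy
    32-byte value. It is NOT a real key; in practice feed in ssh-keygen output."""
    fake_pub = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + fake_pub
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_KEY_LINE = constructed_ed25519_line()  # constructed sample, not a real key

if __name__ == "__main__":
    for stmt in junos_key_statements("salt", "salt-automation", SAMPLE_KEY_LINE):
        print(stmt)
    print(junos_load_key_file_statement("salt", "/var/tmp/salt.pub"))
```

Run the statements in configuration mode and commit, then do step 4 (ssh -i with the private key) before pointing Salt at the device. Pick the login class deliberately: the Salt operations run with that class's permissions, so give it only what the proxy needs rather than super-user.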

Referencing SSH Keys in the Salt Proxy Configuration File

After generating the SSH key pair and configuring the public key on the managed device running Junos OS, the Junos proxy can use the key to connect to the device. To use the key, you must include the appropriate parameters in the device’s proxy configuration on the Salt master. In addition to the required proxytype and host parameters, the parameters required to use the SSH key are determined by the location of the key, whether the key is password-protected, whether the key is actively loaded into an SSH key agent, and whether the user’s SSH configuration file already defines settings for that host.

The Junos proxy queries the default SSH configuration file at ~/.ssh/config on the proxy minion server, if one exists, unless the proxy configuration for that device includes the ssh_config argument to specify a different configuration file. Salt uses any relevant settings in the SSH configuration file for the given connection that are not overridden by the parameters defined in the proxy configuration for that device. When connecting to a device, the Junos proxy first checks for SSH keys that are actively loaded in the SSH key agent and then checks for SSH keys in the default location under the user’s .ssh directory.

To use an SSH key that is actively loaded into the native SSH key agent:

  • In the pillar file containing the device’s proxy configuration, you must define the username parameter.

To use an SSH key that is in the default location and does not have password protection:

  • In the pillar file containing the device's proxy configuration, you need to supply the username parameter only when the Junos OS account name differs from the default user, that is, the local user on the proxy minion server whose default key files are used to authenticate with the device.

To use an SSH key that is not in the default location or that uses password protection:

  • In the pillar file containing the device's proxy configuration, set the ssh_private_key_file parameter to the path of the SSH private key on the proxy minion server, and, if the key is passphrase-protected, set the password parameter to the key's passphrase.

    Note:

    If the user’s SSH configuration file already specifies the SSH private key file path for a given host, you can omit the ssh_private_key_file parameter in the proxy configuration. Including the ssh_private_key_file parameter overrides any existing IdentityFile value defined for a host in the SSH configuration file.
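The precedence rules spread across this page (pillar parameters override the SSH configuration file, the first matching Host block wins inside that file, agent keys are tried before key files and key files before a password, and the meaning of password flips between key passphrase and device password) are easy to get wrong in a pillar. The script below is an added example, not part of this page, Salt or Junos PyEZ: it models the documented order so you can check a pillar before starting the proxy minion and see which credential it would actually present. The default key-file list, the fake file-system callback and the sample pillars and ssh_config are assumptions or constructed inputs; the real proxy's error handling may differ, so treat the output as a preflight hint rather than a guarantee.

```python
"""Preflight check for a Junos proxy pillar: work out which credentials the
proxy would present, following the precedence order described on this page.
Added example modelling the documented behaviour, not the proxy's own code."""
import fnmatch
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Default private-key locations assumed for this model; check what your
# PyEZ/paramiko version actually searches.
DEFAULT_KEY_FILES = ("~/.ssh/id_ed25519", "~/.ssh/id_ecdsa", "~/.ssh/id_rsa")


def parse_ssh_config(text: str) -> List[Dict[str, object]]:
    """Tiny OpenSSH client-config parser: Host blocks in file order. Options
    before the first Host line land in an implicit 'Host *' block. Match and
    negated patterns are not modelled."""
    blocks: List[Dict[str, object]] = [{"patterns": ["*"], "options": {}}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            blocks.append({"patterns": value.split(), "options": {}})
        else:
            blocks[-1]["options"][key] = value
    return blocks


def ssh_config_lookup(blocks, hostname: str, keyword: str) -> Optional[str]:
    """OpenSSH semantics: the FIRST matching block that sets the keyword wins."""
    for block in blocks:
        if any(fnmatch.fnmatchcase(hostname, p) for p in block["patterns"]):
            value = block["options"].get(keyword.lower())
            if value is not None:
                return value
    return None


@dataclass
class Resolved:
    username: str
    method: str                   # "agent" | "key" | "password" | "none"
    identity_file: Optional[str]  # private key file the proxy would use, if any
    password_role: Optional[str]  # "key-passphrase" | "device-password" | None
    warnings: List[str] = field(default_factory=list)


def resolve_auth(pillar: dict, ssh_config_text: str = "", *,
                 agent_has_keys: bool = False, current_user: str = "salt",
                 key_exists: Callable[[str], bool] = os.path.exists) -> Resolved:
    proxy = pillar["proxy"]
    if proxy.get("proxytype") != "junos":
        raise ValueError("this check only understands proxytype: junos")
    cfg, host, warnings = parse_ssh_config(ssh_config_text), proxy["host"], []

    # username: pillar > ssh_config User > the proxy minion's own local user
    cfg_user = ssh_config_lookup(cfg, host, "User")
    username = proxy.get("username") or cfg_user or current_user
    if not proxy.get("username") and not cfg_user:
        warnings.append(f"no username set; defaulting to local user {current_user!r}")

    # identity file: pillar ssh_private_key_file > ssh_config IdentityFile > defaults
    cfg_identity = ssh_config_lookup(cfg, host, "IdentityFile")
    identity = proxy.get("ssh_private_key_file")
    if identity and cfg_identity:
        warnings.append("ssh_private_key_file in pillar overrides IdentityFile from ssh_config")
    identity = identity or cfg_identity
    candidates = [identity] if identity else list(DEFAULT_KEY_FILES)
    key_file = next((c for c in candidates if key_exists(os.path.expanduser(c))), None)

    password = proxy.get("password")
    if password is not None:
        warnings.append("password is in pillar data; keep it out of plain-text pillar files")

    # documented order: agent keys, then key files, then password
    if agent_has_keys:
        method, role = "agent", None
    elif key_file:
        method, role = "key", ("key-passphrase" if password else None)
        if not password:
            warnings.append(f"{key_file} used with an empty passphrase; not recommended")
    elif password:
        method, role = "password", "device-password"
        if identity:
            warnings.append(f"configured key {identity} not found; falling back to password")
    else:
        method, role = "none", None
        warnings.append("no agent key, key file or password; the proxy cannot authenticate")
    return Resolved(username, method, key_file, role, warnings)


# Constructed sample inputs (not from any real deployment).
PASSWORD_PILLAR = {"proxy": {"proxytype": "junos", "host": "r1.example.net",
                             "username": "salt", "password": "device-secret"}}
KEY_PILLAR = {"proxy": {"proxytype": "junos", "host": "r1.example.net",
                        "ssh_private_key_file": "~/.ssh/junos_ed25519",
                        "password": "key-passphrase"}}
SAMPLE_SSH_CONFIG = """\
Host r1.example.net
    User salt
    IdentityFile ~/.ssh/junos_ed25519
Host *
    User ops
"""

if __name__ == "__main__":
    only_junos_key = lambda p: p.endswith("junos_ed25519")  # pretend only that file exists
    for name, pillar in (("password", PASSWORD_PILLAR), ("key", KEY_PILLAR)):
        print(name, resolve_auth(pillar, SAMPLE_SSH_CONFIG, key_exists=only_junos_key))
```

One case the model makes visible: a pillar that carries only username and password, intended for password authentication, is still resolved to key authentication when ~/.ssh/config names an IdentityFile for that host and the file exists, and the pillar password is then consumed as that key's passphrase. If you mean password authentication, make sure no key applies to the host, or point ssh_config at a file that does not mention it.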