Device Authentication in Junos Space Overview

Junos Space Network Management Platform can authenticate a device by using credentials (username and password), keys (which use public-key cryptographic principles), or the devices’ SSH fingerprints. You can choose the authentication mode on the basis of the level of security needed for the managed devices. The authentication mode is displayed in the Authentication Status column on the Device Management page. You can also change the authentication mode.

The following sections describe the authentication modes in Junos Space Platform:

Credentials-Based Device Authentication

To configure credentials-based authentication on your Junos Space setup, you need to ensure that the device login credentials with administrative privileges are configured on the device. If the device is reachable and the credentials are authenticated, these credentials are stored in the Junos Space Platform database. Junos Space Platform connects to the device by using these credentials. If you have configured key-based authentication on your Junos Space setup, you need to enter only the username to access the device.

Key-Based Device Authentication

From Junos Space Network Management Platform Release 16.1R1 onward, Junos Space Platform supports the 4096-bit Rivest-Shamir-Adleman (RSA) algorithm, the Digital Signature Standard (DSS), and the Elliptic Curve Digital Signature Algorithm (ECDSA) public-key algorithms for key-based authentication of devices running Junos OS. Junos Space Platform continues to support the 2048-bit RSA algorithm. Key-based authentication is more secure than credentials-based authentication because the device credentials need not be stored in the Junos Space Platform database.

RSA is an asymmetric-key or public-key algorithm that uses two keys that are mathematically related. Junos Space Platform includes a default set of public and private key pairs. The public key can be uploaded to the managed devices. The private key is encrypted and stored on the system on which Junos Space Platform is installed. For additional security, we recommend that you generate your own public and private key pair with a passphrase. A passphrase protects the private key on the Junos Space server. A long passphrase is harder to break by brute-force attack than a short one. A passphrase helps to prevent an attacker who gains control of your Junos Space setup from logging in to your managed network devices with the private key. If you generate a new pair of keys, the keys are automatically uploaded to all active devices (that is, devices whose connection status is Up) that use Junos Space key-based authentication.

From Junos Space Network Management Platform Release 16.1R1 onward, you can also upload custom private keys to the Junos Space server and authenticate devices without the need to upload keys to devices from Junos Space Platform. With the custom key-based authentication method, you upload a private key with a passphrase to the Junos Space server. The device is authenticated using the existing set of public keys on the device, the private key uploaded to the Junos Space server, and the appropriate public-key algorithm—that is, RSA, ECDSA, or DSS. This authentication method can be used to authenticate devices during device discovery and later during device management.

If the keys are modified, the devices become unreachable and the authentication status changes to Key Conflict. You can use the Resolve Key Conflicts workflow to manually trigger the process of uploading new keys to these devices. To authenticate the devices, you can choose to upload the new keys generated from Junos Space Platform or use custom keys. If Junos Space key-based or custom key-based authentication fails, credentials-based authentication is automatically triggered.

After key-based or custom key-based authentication is enabled, all further communication to the devices is through Junos Space key-based or custom key-based authentication, without passwords. You can also change the authentication mode from credentials-based to key-based or custom key-based for managed devices. For more information, see Modifying the Authentication Mode on the Devices.

You need to ensure the following to use key-based authentication in Junos Space Platform:

  • The authentication keys are generated in the Administration workspace. For more information about generating and uploading keys to the devices, see Generating and Uploading Authentication Keys to Devices. The job result indicates whether the keys were successfully uploaded to the devices. On a multinode setup, the authentication keys are made available on all existing cluster nodes. Authentication keys are also made available on any subsequent nodes added to the setup.

  • The device’s administrator credentials and the name of the user who connects to the Junos Space Appliance to upload the keys to the device are available.

SSH Fingerprint-Based Device Authentication

To avoid man-in-the-middle attacks or proxy SSH connections between Junos Space Platform and a device, Junos Space Platform can store the SSH fingerprint of the device in the Junos Space Platform database and validate the fingerprint during subsequent connections with the device. A fingerprint is a sequence of 16 hexadecimal octets separated by colons. For example, c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:83. You can specify the fingerprint for Juniper Networks devices during device discovery and validate the fingerprint when the devices connect to Junos Space Platform for the first time. You can specify fingerprints for a maximum of 1024 devices simultaneously in the Device Discovery workflow. If you do not specify the fingerprint, Junos Space Platform obtains the fingerprint details when it connects to the device for the first time. For more information, see Viewing Managed Devices.

Junos Space Platform does not recognize an SSH fingerprint change on a device during an active open connection with the device. SSH fingerprint changes are recognized only when the device reconnects to Junos Space Platform. The Authentication Status column on the Device Management page displays any conflicts or unverified authentication statuses.

Conflicts between SSH fingerprints stored in the Junos Space Platform database and those on the device can be resolved manually from the Junos Space user interface. Alternatively, you can allow Junos Space Platform to automatically update any fingerprint changes. To allow Junos Space Platform to automatically update SSH fingerprints, clear the Manually Resolve Fingerprint Conflict check box on the Modify Application Settings page in the Administration workspace. If you select this check box, the Authentication Status column displays Fingerprint Conflict when a device’s fingerprint changes, and you need to resolve the fingerprint conflict manually. For more information, see Acknowledging SSH Fingerprints from Devices.

Note:

Key-based and fingerprint-based authentication modes are not supported on ww Junos OS devices.

Note:

Arbiter devices in disaster recovery must use password-based authentication.

Junos Space Platform verifies that the fingerprint on the device matches that in the database when you perform the following tasks:

  • Staging a script on a device

  • Staging a device image on a device

  • Deploying a device image on a device

  • Activating a replacement device

  • Executing a script on a device

  • Connecting to a device by using SSH

If the fingerprint on the device does not match the fingerprint stored in the Junos Space Platform database, the connection to the device is dropped. The connection status is displayed as Down and the authentication status is displayed as Fingerprint Conflict on the Device Management page.
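The fingerprint check described above, as an added example that is not part of the Junos Space documentation or product code: it computes the colon-separated 16-octet (MD5) fingerprint from an OpenSSH-format host key line, validates the fingerprint format, and models the status transitions (learn on first connection, match, Fingerprint Conflict with the connection Down, or automatic update when manual resolution is disabled). The sample key blob is constructed for the example and is not a real device key; the function names and the status labels other than Down and Fingerprint Conflict are this example's own.

```python
import base64
import hashlib
import re
from typing import Optional

# Fingerprint format shown on the Device Management page: 16 hexadecimal
# octets separated by colons (the MD5 digest of the device's SSH host key blob).
FINGERPRINT_RE = re.compile(r"^(?:[0-9a-f]{2}:){15}[0-9a-f]{2}$")


def is_valid_fingerprint(fp: str) -> bool:
    """True if fp is exactly 16 colon-separated hexadecimal octets."""
    return FINGERPRINT_RE.match(fp.lower()) is not None


def fingerprint_from_openssh_key(key_line: str) -> str:
    """MD5 fingerprint (colon-separated) of an OpenSSH public-key line such as
    'ssh-rsa AAAA... comment' or 'ecdsa-sha2-nistp256 AAAA... comment'."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key type> <base64 blob> [comment]'")
    blob = base64.b64decode(parts[1])
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_device_fingerprint(stored: Optional[str], presented: str,
                             manual_resolve: bool) -> dict:
    """Simplified model (this example's own) of the check Junos Space performs
    when it connects to a device. 'stored' is the fingerprint in the database
    (None if none was specified at discovery), 'presented' is what the device
    offers now, and 'manual_resolve' mirrors the Manually Resolve Fingerprint
    Conflict setting. 'Down' and 'Fingerprint Conflict' are the statuses the
    documentation names; the other labels are hypothetical."""
    if not is_valid_fingerprint(presented):
        raise ValueError("presented fingerprint is malformed")
    presented = presented.lower()
    if stored is None:
        # First connection without a pre-specified fingerprint: learn it.
        return {"connection": "Up", "authentication": "Unverified (learned)",
                "stored": presented}
    stored = stored.lower()
    if stored == presented:
        return {"connection": "Up", "authentication": "Verified", "stored": stored}
    if manual_resolve:
        # Mismatch: drop the connection and leave the conflict for an operator.
        return {"connection": "Down", "authentication": "Fingerprint Conflict",
                "stored": stored}
    # Automatic update enabled: accept the new key and overwrite the stored value.
    return {"connection": "Up", "authentication": "Verified (auto-updated)",
            "stored": presented}


# --- constructed sample key (NOT a real device key) --------------------------
def _ssh_string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def _ssh_mpint(n: int) -> bytes:
    """SSH 'mpint' for a positive integer: big-endian, with a leading zero
    byte when the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


_SAMPLE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_mpint(65537)
                + _ssh_mpint(0xC0FFEE_DECAF_BAD_CAFE_1234_5678))  # toy modulus
SAMPLE_KEY_LINE = ("ssh-rsa " + base64.b64encode(_SAMPLE_BLOB).decode()
                   + " constructed-example")

if __name__ == "__main__":
    fp = fingerprint_from_openssh_key(SAMPLE_KEY_LINE)
    print("learned fingerprint:", fp)
    print(check_device_fingerprint(fp, fp, manual_resolve=True))
    # The documentation's example fingerprint acts as the stale stored value.
    print(check_device_fingerprint("c1:b1:30:29:d7:b8:de:6c:97:77:10:d7:46:41:63:83",
                                   fp, manual_resolve=True))
```

The same digest can be cross-checked on a workstation with an MD5-format fingerprint of the device's public host key; the point of the model is that a changed key is only noticed on a reconnect, and that with manual resolution enabled the connection goes Down until an operator has acknowledged the new fingerprint.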

Supported Algorithms for Junos Space SSH

Table 1 lists the supported algorithms for Junos Space SSH:

Table 1: Supported Algorithms for Junos Space SSH

Key exchange algorithms
  FIPS devices:     ecdh-sha2-nistp256, ecdh-sha2-nistp384, diffie-hellman-group14-sha1
  Non-FIPS devices: ecdh-sha2-nistp256, ecdh-sha2-nistp384, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1

Host key algorithms
  FIPS devices:     ecdsa-sha2-nistp256, ecdsa-sha2-nistp384
  Non-FIPS devices: ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ssh-rsa, ssh-dss

Encryption algorithms (client to server)
  FIPS devices:     aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc
  Non-FIPS devices: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-ctr, blowfish-cbc, 3des-cbc

Encryption algorithms (server to client)
  FIPS devices:     aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc
  Non-FIPS devices: aes128-ctr, aes192-ctr, aes256-ctr, aes128-cbc, aes192-cbc, aes256-cbc, 3des-ctr, blowfish-cbc, 3des-cbc

MAC algorithms
  FIPS devices:     hmac-sha1-96, hmac-sha2-256, hmac-sha256@ssh.com
  Non-FIPS devices: hmac-sha1-96, hmac-sha2-256, hmac-sha256@ssh.com, hmac-sha1, hmac-md5, hmac-md5-96, hmac-sha256

Compression algorithms
  FIPS devices:     zlib@openssh.com
  Non-FIPS devices: zlib@openssh.com, none, zlib
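An added example (not from the Junos Space documentation or product code) that shows why the FIPS column of Table 1 matters in practice: SSH algorithm negotiation (RFC 4253, section 7.1) picks the first algorithm in the client's preference list that the server also supports, so against a non-FIPS device the client's ordering alone decides whether a legacy algorithm such as diffie-hellman-group1-sha1 or hmac-md5 is chosen. The lists below are copied from Table 1; the client preference order is constructed for the example and is not Junos Space's actual order, and the function names are this example's own. The model ignores the RFC's extra compatibility rule between key exchange and host key algorithms.

```python
# Algorithm lists from Table 1 (Junos Space SSH), keyed by category.
FIPS = {
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "diffie-hellman-group14-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr",
               "aes128-cbc", "aes192-cbc", "aes256-cbc"],
    "mac": ["hmac-sha1-96", "hmac-sha2-256", "hmac-sha256@ssh.com"],
    "compression": ["zlib@openssh.com"],
}
NON_FIPS = {
    "kex": FIPS["kex"] + ["diffie-hellman-group1-sha1"],
    "hostkey": FIPS["hostkey"] + ["ssh-rsa", "ssh-dss"],
    "cipher": FIPS["cipher"] + ["3des-ctr", "blowfish-cbc", "3des-cbc"],
    "mac": FIPS["mac"] + ["hmac-sha1", "hmac-md5", "hmac-md5-96", "hmac-sha256"],
    "compression": FIPS["compression"] + ["none", "zlib"],
}


def negotiate(client_prefs, server_supported):
    """RFC 4253 section 7.1: the chosen algorithm is the first one in the
    client's name-list that the server also supports (simplified model)."""
    for alg in client_prefs:
        if alg in server_supported:
            return alg
    raise ValueError("no algorithm in common")


def negotiate_all(client, server):
    """Negotiate every category; returns {category: chosen algorithm}."""
    return {cat: negotiate(client[cat], server[cat]) for cat in server}


def outside_fips_column(chosen):
    """Categories whose negotiated algorithm is absent from Table 1's FIPS column."""
    return {cat: alg for cat, alg in chosen.items() if alg not in FIPS[cat]}


def prefer_fips_order(client):
    """Mitigation: keep the client's list but move FIPS-column algorithms to the
    front, so a server that supports them can never be talked down to a legacy one."""
    return {
        cat: [a for a in algs if a in FIPS[cat]] + [a for a in algs if a not in FIPS[cat]]
        for cat, algs in client.items()
    }


# Constructed client preference order that lists legacy algorithms first
# (hypothetical; not the order Junos Space actually offers).
LEGACY_CLIENT = {
    "kex": ["diffie-hellman-group1-sha1", "ecdh-sha2-nistp256", "diffie-hellman-group14-sha1"],
    "hostkey": ["ssh-rsa", "ecdsa-sha2-nistp256"],
    "cipher": ["3des-cbc", "aes256-ctr"],
    "mac": ["hmac-md5", "hmac-sha2-256"],
    "compression": ["none", "zlib@openssh.com"],
}

if __name__ == "__main__":
    for label, server in (("FIPS device", FIPS), ("non-FIPS device", NON_FIPS)):
        chosen = negotiate_all(LEGACY_CLIENT, server)
        print(label, "->", chosen, "outside FIPS column:", outside_fips_column(chosen))
    fixed = negotiate_all(prefer_fips_order(LEGACY_CLIENT), NON_FIPS)
    print("non-FIPS device, FIPS-first client ->", fixed)
```

Against the FIPS device the legacy entries are simply never matched, so the result is clean regardless of client order; against the non-FIPS device the same client negotiates a legacy algorithm in every category until its preference order is fixed. In other words, the FIPS column removes the risk on the device side, while on a non-FIPS device the protection has to come from what the client prefers.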

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release 16.1R1: From Junos Space Network Management Platform Release 16.1R1 onward, Junos Space Platform supports the 4096-bit Rivest-Shamir-Adleman (RSA) algorithm, Digital Signature Standard (DSS), and Elliptic Curve Digital Signature Algorithm (ECDSA) public-key cryptographic principles to authenticate devices running Junos OS through key-based authentication.

Release 16.1R1: From Junos Space Network Management Platform Release 16.1R1 onward, you can also upload custom private keys to the Junos Space server and authenticate devices without the need to upload keys to devices from Junos Space Platform.