ssh (System Services)

Enable a user to create an SSH tunnel over a CLI session to a disaggregated Junos OS platform by using SSH.

Starting in Junos OS Release 22.2R1, we’ve disabled the TCP forwarding feature by default to enhance security. To enable the TCP forwarding feature, you can configure the allow-tcp-forwarding statement at the [edit system services ssh] hierarchy level. In addition, we’ve deprecated the tcp-forwarding and no-tcp-forwarding statements at the [edit system services ssh] hierarchy level.

Configure the order in which the software tries different user authentication methods when attempting to authenticate a user. For each login attempt, the software tries the authentication methods in order, starting with the first one, until the password matches.

• Default: If you do not include the authentication-order statement, users are verified based on their configured passwords.

• Syntax: Specify one or more of the following authentication methods listed in the order in which they must be tried:

  • ldaps—Use LDAP authentication services.

  • password—Use the password configured for the user with the authentication statement at the [edit system login user] hierarchy level.

  • radius—Use RADIUS authentication services.

  • tacplus—Use TACACS+ authentication services.

Specify a command string to be used to look up the user's public keys.

Specify the user under whose account the authorized-keys-command is run.

Specify a list of principals that can be accepted for authenticaiton. Principals added through this command are supplemental to the principals added with the authorized-principals-file command.

Configure the AuthorizedPrincipals file at /var/etc, for SSH certificate-based authentication. This file contains a list of names, one of which must appear in the certificate for it to be accepted for authentication.

Specify a program to be used for generating the list of allowed certificate principals found in the AuthorizedPrincipals file for SSH certificate-based authentication.

Specify the set of ciphers the SSH server can use to perform encryption and decryption functions.

• Values: Specify one or more of the following ciphers:

  • aes128-cbc—128-bit Advanced Encryption Standard (AES) in CBC mode.

  • aes128-ctr—128-bit AES in counter mode.

  • aes128-gcm@openssh.com—128-bit AES in Galois/Counter Mode.

  • aes192-cbc—192-bit AES in CBC mode.

  • aes192-ctr—192-bit AES in counter mode.

  • aes256-cbc—256-bit AES in CBC mode.

  • aes256-ctr—256-bit AES in counter mode.

  • aes256-gcm@openssh.com—256-bit AES in Galois/Counter Mode.

  • chacha20-poly1305@openssh.com—ChaCha20 stream cipher and Poly1305 MAC.

Configure the number of client alive messages that can be sent without sshd receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. Client alive messages are sent through the encrypted channel. Use in conjunction with the client-alive-interval statement to disconnect unresponsive SSH clients.

• Default: 3 messages

• Range: 0 through 255 messages

Configure a timeout interval in seconds, after which if no data has been received from the client, sshd will send a message through the encrypted channel to request a response from the client. This option applies to SSH protocol version 2 only. Use in conjunction with the client-alive-count-max statement to disconnect unresponsive SSH clients.

• Default: 0 seconds

• Range: 1 through 65535 seconds

Specify the hash algorithm used by the SSH server when it displays key fingerprints.

• Values: Specify one of the following:

  • md5—Enable the SSH server to use the MD5 algorithm.

  • sha2-256—Enable the SSH server to use the sha2-256 algorithm.

• Default: sha2-256

Configure the HostCertificate file at /etc/ssh/sshd_config for SSH certificate-based authentication. This file contains the signed host certificate.

Enable Junos OS to log the authorized SSH keys. When the log-key-changes statement is configured and committed, Junos OS logs the changes to the set of authorized SSH keys for each user (including the keys that were added or removed). Junos OS logs the differences since the last time the log-key-changes statement was configured. If the log-key-changes statement was never configured, then Junos OS logs all the authorized SSH keys.

• Default: Junos OS logs all the authorized SSH keys.

Specify the set of message authentication code (MAC) algorithms that the SSH server can use to authenticate messages.

• Values: Specify one or more of the following MAC algorithms to authenticate messages:

  • hmac-md5—Hash-based MAC using Message-Digest 5 (MD5)

  • hmac-md5-96—96-bits of hash-based MAC using MD5

  • hmac-md5-96-etm@openssh.com—96-bits of hash-based Encrypt-then-MAC using MD5

  • hmac-md5-etm@openssh.com—Hash-based Encrypt-then-MAC using MMD5

  • hmac-sha1—Hash-based MAC using secure hash algorithm-1 (SHA-1)

  • hmac-sha1-96—96-bits of hash-based MAC using SHA-1

  • hmac-sha1-96-etm@openssh.com—96-bits of hash-based Encrypt-then-MAC using SHA-1

  • hmac-sha1-etm@openssh.com—Hash-based Encrypt-then-MAC using SHA-1

  • hmac-sha2-256—256-bits of hash-based MAC using secure hash algorithm-2 (SHA-2)

  • hmac-sha2-256-etm@openssh.com—Hash-based Encrypt-then-Mac using SHA-2

  • hmac-sha2-512—512-bits of hash-based MAC using SHA-2

  • hmac-sha2-512-etm@openssh.com—Hash-based Encrypt-then-Mac using SHA-2

  • umac-128-etm@openssh.com—Encrypt-then-MAC using UMAC-128 algorithm specified in RFC4418

  • umac-128@openssh.com—UMAC-128 algorithm specified in RFC4418

  • umac-64-etm@openssh.com—Encrypt-then-MAC using UMAC-64 algorithm specified in RFC4418

  • umac-64@openssh.com—UMAC-64 algorithm specified in RFC4418

Define the maximum number of pre-authentication SSH packets that the SSH server will accept prior to user authentication.

• Range: 20 through 2147483647 packets

• Default: 128 packets

Specify the maximum number of ssh sessions allowed per single SSH connection.

• Range: 1 through 65535 sessions

• Default: 10 sessions

Disable SSH challenge-response-based authentication methods.

Disable SSH password-based authentication methods.

Disable both password-based and challenge-response-based authentication for SSH.

Disable public key authentication system wide. If you specify the no-public-keys statement at the [edit system login user user-name authentication] hierarchy level, you disable public key authentication for a specific user.

Specify the port number on which to accept incoming SSH connections.

• Default: 22

• Range: 1 through 65535

Specify the Secure Shell (SSH) protocol version.

Starting in Junos OS Release 19.3R1 and Junos OS Release 18.3R3, on all SRX Series devices, we’ve removed the nonsecure SSH protocol version 1 (v1) option from the [edit system services ssh protocol-version] hierarchy level. You can use the SSH protocol version 2 (v2) as the default option to remotely manage systems and applications. With the v1 option deprecated, Junos OS is compatible with OpenSSH 7.4 and later versions.

Junos OS releases before 19.3R1 and 18.3R3 continue to support the v1 option to remotely manage systems and applications.

• Default: v2—SSH protocol version 2 is the default, introduced in Junos OS Release 11.4.

Configure the maximum number of connection attempts per minute, per protocol (either IPv6 or IPv4) on an access service. For example, a rate limit of 10 allows 10 IPv6 SSH session connection attempts per minute and 10 IPv4 SSH session connection attempts per minute.

• Range: 1 through 250 connections

• Default: 150 connections

Specify limits before the session keys are renegotiated.

Control user access through SSH.

• allow—Allow users to log in to the device as root through SSH.

• deny—Disable users from logging in to the device as root through SSH.

• deny-password—Allow users to log in to the device as root through SSH when the authentication method (for example, RSA authentication) does not require a password.

• Default: deny-password is the default for most systems.

  Starting in Junos release 17.4R1 for MX Series routers, the default for root-login is deny. In previous Junos OS releases, the default setting for the MX240, MX480, MX960, MX2010 and MX2020 was allow.

Globally enable incoming SSH File Transfer Protocol (SFTP) connections. By configuring the sftp-server statement, you enable authorized devices to connect to the device through SFTP. If the sftp-server statement is not present in the configuration, then SFTP is globally disabled and no devices can connect to the device through SFTP.

Configure the TrustedUserCAKey file at /etc/ssh/sshd_config for SSH certificate-based authentication. This file contains the public keys of an SSH certificate.