Public key authentication in JUNOS
Enabling public key authentication isn't much different from Linux. You create your public/private key pair and then push your public key to the remote device. Here are the instructions.
For example, suppose you want to connect from the machine linrouter to the remote Junos device. My test devices are a Linux host and an SRX firewall.
1) Create the public/private key pair on the Linux client
root@linrouter:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b9:70:89:4c:65:b0:29:0d:0a:52:7b:13:91:e4:eb:67 root@linrouter
The key's randomart image is:
+--[ RSA 2048]----+
|o...=o..o        |
|.. +.+ =         |
| o = =           |
| . * . o         |
| . + S           |
| . o .           |
| . E .           |
| o               |
|                 |
+-----------------+
For simplicity I didn't enter a passphrase, i.e. this will be a password-less login.
Our new public key looks like this:
root@linrouter:~# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmWk9y00c6NQQhZDE1yWJE0vnYMf2DbfDrytpQ1ZtK6T5tMnHHQR5 NwjOtsE2jBKTx3HhaYb/NcV7LJ3XRrY/5K6tSxKND3+fnW+GSKl/h5VWPQEXsiZgNy5Hh9dRQ+HZUinh7gbMo5d /4JLREHF4xEcFvKjGz3Ez7I4xxTHyb6QOKcOvBjou5C089F/BDR7ya/xsQZSAueraeArL3h3RcM8VwLSikmvXsi4x xMscJ9ali+YqTrKiF7o5cd4mdKo9F6cYJW7vK8+pUPdJ/6DbHqvocRp/U3V5fHdljxkD/y0YVBGnNgGEutIt2J3pbfV w7uG9RXwehypm0p9w1V6hF root@linrouter
2) Create the Junos admin user with key authentication as below
When pasting the entire content of id_rsa.pub into the ssh-rsa statement, don't forget to enclose it in double quotes.
root@jgw25# show system login
user admin {
    class super-user;
    authentication {
        ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmWk9y00c6NQQhZDE1yWJE0vnYMf2DbfDrytpQ1ZtK6T5tMnHHQR5 NwjOtsE2jBKTx3HhaYb/NcV7LJ3XRrY/5K6tSxKND3+fnW+GSKl/h5VWPQEXsiZgNy5Hh9dRQ+HZUinh7gbMo5d /4JLREHF4xEcFvKjGz3Ez7I4xxTHyb6QOKcOvBjou5C089F/BDR7ya/xsQZSAueraeArL3h3RcM8VwLSikmvXsi4x xMscJ9ali+YqTrKiF7o5cd4mdKo9F6cYJW7vK8+pUPdJ/6DbHqvocRp/U3V5fHdljxkD/y0YVBGnNgGEutIt2J3pbfV w7uG9RXwehypm0p9w1V6hF root@linrouter";
    }
}
3) Now you can log in to the remote Junos device without a password
root@linrouter:~# ssh admin@192.168.193.10
admin@jgw25>
As you can see, we have logged in to the remote device without entering any password.
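As an added helper (not part of the original post), the following Python checks that a public key line has the OpenSSH "ssh-rsa <base64> comment" shape Junos expects, reports the key length and the colon-separated MD5 fingerprint in the same form ssh-keygen printed above, and emits the set commands with the double quotes the post insists on. The user name admin and class super-user are taken from the config above; the 2048-bit modulus is constructed for the demo and is not a real key.

```python
import base64
import hashlib
import struct


def _demo_modulus(bits=2048):
    # Constructed demo value: deterministic bytes forced to the exact bit length.
    # It has the wire shape of an RSA modulus but is NOT a usable key.
    n = int.from_bytes(hashlib.sha512(b"junos-demo").digest() * (bits // 512), "big")
    return n | (1 << (bits - 1)) | 1


def _ssh_string(b):
    # RFC 4251 "string": 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    # RFC 4251 "mpint": big-endian, with a leading 0x00 when the top bit is set.
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + b if b[0] & 0x80 else b)


def make_pubkey_line(n, e=65537, comment="root@linrouter"):
    # Build the same line format that `cat .ssh/id_rsa.pub` shows.
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def _read_string(blob, off):
    if off + 4 > len(blob):
        raise ValueError("truncated ssh-rsa blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + length > len(blob):
        raise ValueError("truncated ssh-rsa blob")
    return blob[off + 4:off + 4 + length], off + 4 + length


def parse_pubkey_line(line):
    """Validate an OpenSSH ssh-rsa line; return bits, MD5 fingerprint and comment."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("Must follow SSHv2 RSA key format: ssh-rsa <base64> [comment]")
    blob = base64.b64decode(fields[1], validate=True)  # raises ValueError on bad base64
    key_type, off = _read_string(blob, 0)
    _e, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("base64 body is not an ssh-rsa wire blob")
    fp = hashlib.md5(blob).hexdigest()
    return {"bits": int.from_bytes(n_bytes, "big").bit_length(),
            "fingerprint": ":".join(fp[i:i + 2] for i in range(0, 32, 2)),
            "comment": " ".join(fields[2:])}


def junos_set_commands(line, user="admin", cls="super-user"):
    parse_pubkey_line(line)  # refuse to emit a statement Junos would reject
    return (f"set system login user {user} class {cls}\n"
            f'set system login user {user} authentication ssh-rsa "{line.strip()}"')
```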
The part you have explained in the blog is clear to me.
Can you please explain how we can enter a manual key (rather than generating the key in /root/.ssh/id_rsa on the Linux machine and then pasting the contents on the SRX)?
A similar config is mentioned here:
http://www.juniper.net/us/en/training/certification/JNCIP_studyguide.pdf
under: Configuring the Root Account (pg 11 of the doc)
I could not understand the procedure in this case.
As for the KB: https://kb.juniper.net/InfoCenter/index?page=content&id=KB21577&smlogin=true
The key is generated on the device and also associated with a user by using the command:
root@Juniper#set system login user authentication load-key-file /root/.ssh/id_rsa.pub
How does the machine from where the user is doing the login know this key in the case of this KB?
Or do we have to load the file created on the JUNOS device onto the machine from where the login is done?
Hi Tin,
The load-key-file option is just for you to easily get the public key into the SRX. If you issue that command, you will import the RSA public key you created on, e.g., your Linux machine into your SRX.
If you have a pub key already, you can just issue:
#set system login user lab authentication ssh-rsa "HERE YOUR PUBLIC KEY WILL BE PASTED"
and if your private key is on your Linux machine you can log in to the SRX by
linux$ ssh -i /root/.ssh/private_key lab@srx
I hope this makes it a bit more clear for you.
Thanks a lot for the reply!
I have a few more queries and doubts.
I was following the procedure in the KB:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB21577
By following this on my SRX, I end up generating a 2048 bit key (I suppose):
root@240-POE-5% ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
44:cc:8a:66:7f:03:f2:01:06:c9:db:03:f7:eb:11:a3 root@240-POE-5
The key's randomart image is:
+--[ RSA 2048]----+ <================================= 2048 bit key ?
| ..o o.          |
| + + .o          |
| * + ..          |
| . B B.          |
| o * *S          |
| E = o           |
| . o .           |
| .               |
|                 |
+-----------------+
* I mentioned the passphrase as "juniper". Is this my public key? (Probably I have to do some reading regarding RSA keys and authentication to understand this concept more clearly!)
If yes, is this the value the PC user needs to enter while trying to log in to the SRX?
* The part you have explained is for a Linux machine; if the requirement is to use it on a Windows machine,
what should be done? Like the procedure for creating the public key and loading it into the SRX?
* I need to have a 1024 bit RSA key. Is there an option for this?
* Please provide any links or docs if you have any regarding RSA key and authentication reading.
The passphrase is just to secure your key. This will only be needed when you want to view the content of the key.
Run this command: cat .ssh/id_rsa.pub to see your key.
I'm getting this error:
Must follow SSHv2 or SSHv1 RSA key format
error: statement creation failed: ssh-rsa