Public key authentication in JUNOS

Enabling public key authentication isn’t much different than Linux. You create your public private key and then push your public key to the remote device. Here are instructions;

For example you would like to connect from the machine linrouter to the remote junos device. My test devices are Linux and SRX firewall.

1) Create public private pair on Linux client

root@linrouter:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b9:70:89:4c:65:b0:29:0d:0a:52:7b:13:91:e4:eb:67 root@linrouter
The key's randomart image is:
+--[ RSA 2048]----+
|o...=o..o        |
|.. +.+ =         |
|  o = =          |
|   . * . o       |
|    . + S        |
|   .   o .       |
|    . E .        |
|     o           |
|                 |
+-----------------+

For the simplicity I didn’t enter any pass phrase i.e it will be a password-less login.

Our new public key looks like below;

root@linrouter:~# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmWk9y00c6NQQhZDE1yWJE0vnYMf2DbfDrytpQ1ZtK6T5tMnHHQR5
NwjOtsE2jBKTx3HhaYb/NcV7LJ3XRrY/5K6tSxKND3+fnW+GSKl/h5VWPQEXsiZgNy5Hh9dRQ+HZUinh7gbMo5d
/4JLREHF4xEcFvKjGz3Ez7I4xxTHyb6QOKcOvBjou5C089F/BDR7ya/xsQZSAueraeArL3h3RcM8VwLSikmvXsi4x
xMscJ9ali+YqTrKiF7o5cd4mdKo9F6cYJW7vK8+pUPdJ/6DbHqvocRp/U3V5fHdljxkD/y0YVBGnNgGEutIt2J3pbfV
w7uG9RXwehypm0p9w1V6hF root@linrouter

2) Create the junos admin user with key authentication as below

When pasting the entire id_rsa.pub into ssh-rsa section, don’t forget to enclose it with double quotes.

root@jgw25# show system login
user admin {
    class super-user;
    authentication {
        ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmWk9y00c6NQQhZDE1yWJE0vnYMf2DbfDrytpQ1ZtK6T5tMnHHQR5
NwjOtsE2jBKTx3HhaYb/NcV7LJ3XRrY/5K6tSxKND3+fnW+GSKl/h5VWPQEXsiZgNy5Hh9dRQ+HZUinh7gbMo5d
/4JLREHF4xEcFvKjGz3Ez7I4xxTHyb6QOKcOvBjou5C089F/BDR7ya/xsQZSAueraeArL3h3RcM8VwLSikmvXsi4x
xMscJ9ali+YqTrKiF7o5cd4mdKo9F6cYJW7vK8+pUPdJ/6DbHqvocRp/U3V5fHdljxkD/y0YVBGnNgGEutIt2J3pbfV
w7uG9RXwehypm0p9w1V6hF root@linrouter";


    }
}

3) Now you can login to the remote junos without password

root@linrouter:~# ssh admin@192.168.193.10
admin@jgw25>

As you can see we have logged into the remote device without entering any password.

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


5 thoughts on “Public key authentication in JUNOS”

  1. The part you have explained in the blog is clear with me.

    Can you please explain how we can we enter a manual key (rather than generating the key in /root/.ssh/id_rsa on the linux machine and then pasting the contents on the SRX)

    As similar config is mentioned here :

    http://www.juniper.net/us/en/training/certification/JNCIP_studyguide.pdf

    under : Configuring the Root Account (pg 11 of the doc)
    I could not understand the procedure in this case.

    As for the KB : https://kb.juniper.net/InfoCenter/index?page=content&id=KB21577&smlogin=true

    The key is generated on the device and also associated with a user by using the command :

    root@Juniper#set system login user authentication load-key-file /root/.ssh/id_rsa.pub

    how does the machine from where the user is doing the login know this key in the case of this KB ?
    or we have to load the file created on the JUNOS device to the machine from where logging is done.

  2. Hi Tin,
    load-key-file option is just for you to easily get the public key into SRX. If you issue that command, you will import RSA public key you created on your e.g Linux machine to your SRX.
    If you have a pub key already, you can just issue;

    #set system login user lab authentication ssh-rsa “HERE YOUR PUBLIC KEY WILL BE PASTED”

    and if your private key is on your linux machine you can login to srx by

    linux$ssh -i /root/.ssh/private_key lab@srx

    I hope this makes it a bit more clear for you.

    1. Thanks a lot for the reply !

      I have a few more queries and doubts.

      I was following the procedure in the KB :

      https://kb.juniper.net/InfoCenter/index?page=content&id=KB21577

      By following this on my SRX, I end up generating a 2048 bit key (I suppose) :

      root@240-POE-5% ssh-keygen -t rsa
      Generating public/private rsa key pair.
      Enter file in which to save the key (/root/.ssh/id_rsa):
      Created directory ‘/root/.ssh’.
      Enter passphrase (empty for no passphrase):
      Enter same passphrase again:
      Your identification has been saved in /root/.ssh/id_rsa.
      Your public key has been saved in /root/.ssh/id_rsa.pub.
      The key fingerprint is:
      44:cc:8a:66:7f:03:f2:01:06:c9:db:03:f7:eb:11:a3 root@240-POE-5
      The key’s randomart image is:
      +–[ RSA 2048]—-+ <================================= 2048 bit key ?
      | ..o o. |
      | + + .o |
      | * + .. |
      | . B B. |
      | o * *S |
      | E = o |
      | . o . |
      | . |
      | |
      +—————–+

      * I mentioned the passphrase as "juniper". Is this my public key ? (probably I have to do some reading regarding RSA key and authentication to understand this concept more clearly !)
      If yes, is this the value the PC user needs to enter while trying to login into the SRX ?

      * The part you have explained is for a linux machine,if the req. is use it on a windows machine
      what should be done ? like the procedure for creating public key and loading into the SRX ?

      * I need to have a 1024 bit RSA key , Is there an option for this ?

      * Please provide any links or docs if you have regarding RSA key and authentication reading.

      1. Passphrase is just to secure your key. This will only be needed when you want to view the content of key.

        run this command cat .ssh/id_rsa.pub to see your key.

  3. I’m getting this error

    Must follow SSHv2 or SSHv1 RSA key format
    error: statement creation failed: ssh-rsa

Leave a Reply to MYNCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading