Support Support Downloads Knowledge Base Apex Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Generating SSH RSA/DSA keys on EX-Series switches and preserving them after upgrade/downgrade



Article ID: KB21577 KB Last Updated: 04 Mar 2017Version: 2.0
This article describes the procedure to generate SSH RSA/DSA keys on EX-Series switches and ways to retain them.
During the upgrade/downgrade process, the SSH RSA/DSA keys will be deleted. The solution section explains how to retain the keys after upgrade/downgrade.
We have to enable SSH service on the switch using the following command:
root@Juniper# set system services ssh

We can generate the SSH key on EX-Series switches by logging into the shell prompt as a root user:
root@Juniper>start shell
root@Juniper% ssh-keygen -t rsa

Generating public/private rsa key pair.

Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
91:6e:b9:52:fd:14:85:1e:8c:40:9a:7c:2d:c7:d4:0d root@SW_Jaffa_Monitor_104
% ssh-keygen -t rsa/dsa

Once the keys are generated we can associate the key with the "userid" using the following command.
root@Juniper#set system login user <userid> uid 2000
root@Juniper#set system login user <userid> class super-user
root@Juniper#set system login user <userid> authentication load-key-file /root/.ssh/

After running the above configuration commands, it will create a directory with <userid> in /var/home and the authorized_key for SSH will be created.

When an upgrade/downgrade is performed, the files - id_rsa and, which are locally created and are not part of configuration, will not be restored. Hence we will have to copy the contents of the /root/.ssh directory and put them back after the upgrade/downgrade is complete. We also will have to associate the user with the key using the following CLI command:
root@Juniper#set system login user <userid> authentication load-key-file /root/.ssh/
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search