[Junos] Generating SSH RSA/DSA keys locally on devices running Junos OS

Article ID: KB30588 KB Last Updated: 31 May 2016 Version: 1.0
Summary:

This article describes how to generate SSH RSA/DSA keys on a device running Junos OS and how to configure the device to use password-less, public key-based encrypted SSH authentication.

Symptoms:

Users may need to generate SSH RSA/DSA keys locally to allow remote login using SSH RSA/DSA keys instead of using passwords stored locally.

Cause:

Solution:
  1. Enable the SSH service on the switch using the following command:
    root@Juniper# set system services ssh

  2. Generate the SSH key on the device running Junos OS by logging in to the shell prompt as the root user:
    root@Juniper> start shell
    root@Juniper% ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/id_rsa.pub.
    The key fingerprint is:
    91:6e:b9:52:fd:14:85:1e:8c:40:9a:7c:2d:c7:d4:0d root@SW_Jaffa_Monitor_104

    The key type passed to -t can be rsa or dsa. For a DSA key:
    % ssh-keygen -t dsa

  3. Once the keys are generated, associate the public key with the user <userid> using the following commands:
    root@Juniper# set system login user <userid> uid 2000
    root@Juniper# set system login user <userid> class super-user
    root@Juniper# set system login user <userid> authentication load-key-file /root/.ssh/id_rsa.pub
After you run the above configuration commands, a directory named <userid> is created in /var/home, and the SSH authorized_keys file for that user is created.

When an upgrade/downgrade is performed, the files id_rsa and id_rsa.pub are not restored, because they are created locally and are not part of the configuration. Copy the contents of the /root/.ssh directory before the upgrade/downgrade and put them back after it is complete. Then associate the user with the key again using the following CLI command:
root@Juniper# set system login user <userid> authentication load-key-file /root/.ssh/id_rsa.pub
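
The copy-and-restore step described above, as an added example that is not part of the original article: a POSIX sh script that archives /root/.ssh before the upgrade/downgrade and restores it afterwards with owner-only permissions on the private key. The script name `keys.sh`, the function names, the archive path argument, and the availability of `sh` and `tar` in the device shell are assumptions.

```shell
#!/bin/sh
# Added example, not from the KB article. Only /root/.ssh, id_rsa, id_rsa.pub
# and the load-key-file command come from the article; the script name, the
# archive path (operator-supplied) and the use of tar are assumptions.

KEY_DIR=/root/.ssh

# backup_ssh_keys SRC_DIR ARCHIVE
# Refuse to run unless both key files exist, then archive the directory with
# modes preserved. The archive contains the private key, so keep it 0600.
backup_ssh_keys() {
    src=$1; archive=$2
    if [ ! -f "$src/id_rsa" ] || [ ! -f "$src/id_rsa.pub" ]; then
        echo "id_rsa or id_rsa.pub missing in $src" >&2
        return 1
    fi
    ( umask 077; tar -cpf "$archive" -C "$src" . ) || return 1
    chmod 600 "$archive"
}

# restore_ssh_keys ARCHIVE DEST_DIR
# Unpack after the upgrade/downgrade and reset the modes explicitly:
# directory 0700, private key 0600, public key 0644.
restore_ssh_keys() {
    archive=$1; dest=$2
    mkdir -p "$dest" || return 1
    tar -xpf "$archive" -C "$dest" || return 1
    chmod 700 "$dest" || return 1
    chmod 600 "$dest/id_rsa" || return 1
    chmod 644 "$dest/id_rsa.pub"
}

# Usage: sh keys.sh backup ARCHIVE   (before the upgrade/downgrade)
#        sh keys.sh restore ARCHIVE  (after it)
case "${1:-}" in
    backup)
        backup_ssh_keys "$KEY_DIR" "$2" ;;
    restore)
        restore_ssh_keys "$2" "$KEY_DIR" &&
        echo "Now re-run: set system login user <userid> authentication load-key-file $KEY_DIR/id_rsa.pub" ;;
esac
```

Because the archive holds the private key, treat it like the key itself: store it where only the administrator can read it and delete it once the restore is confirmed.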