This article describes how to generate SSH RSA/DSA keys on a device running Junos OS and how to configure the device to use password-less, public-key-based SSH authentication.
Users may need to generate SSH RSA/DSA keys locally to allow remote login with SSH RSA/DSA keys instead of passwords stored locally.
- Enable SSH service on the switch using the following command:
root@Juniper# set system services ssh
- Generate the SSH key on a device running Junos OS by logging into the shell prompt as a root user:
root@Juniper>start shell
root@Juniper% ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is: 91:6e:b9:52:fd:14:85:1e:8c:40:9a:7c:2d:c7:d4:0d root@SW_Jaffa_Monitor_104
The key type is selected with the -t option (rsa or dsa):
% ssh-keygen -t rsa/dsa
- Once the keys are generated, associate the public key with the "userid" using the following commands:
root@Juniper# set system login user <userid> uid 2000
root@Juniper# set system login user <userid> class super-user
root@Juniper# set system login user <userid> authentication load-key-file /root/.ssh/id_rsa.pub
After the above configuration commands are run, a directory named <userid> is created in /var/home and the authorized_key for SSH is created.
When an upgrade/downgrade is performed, the files id_rsa and id_rsa.pub, which are created locally and are not part of the configuration, are not restored. Hence the contents of the /root/.ssh directory must be copied and put back after the upgrade/downgrade is complete. The user must also be associated with the key again using the following CLI command:
root@Juniper# set system login user <userid> authentication load-key-file /root/.ssh/id_rsa.pub
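The copy-and-put-back step for upgrades described above, as an added example that is not part of the original article or of Junos OS: two POSIX sh functions that archive /root/.ssh with owner-only permissions and verify the restored files against a checksum manifest. The function names and archive paths are assumptions, and tar and cksum are assumed to be available in the shell.

```shell
#!/bin/sh
# Added example: carry /root/.ssh across a Junos OS upgrade/downgrade.
# Function names and the archive location are assumptions, not Junos tooling.

# ssh_manifest DIR: print "checksum size name" for every regular file in DIR.
ssh_manifest() {
    ( cd "$1" || exit 1
      for f in *; do
          if [ -f "$f" ]; then printf '%s %s\n' "$(cksum < "$f")" "$f"; fi
      done )
}

# backup_ssh_dir SRC_DIR ARCHIVE: run before the upgrade/downgrade.
backup_ssh_dir() {
    src=$1; archive=$2
    [ -f "$src/id_rsa" ] && [ -f "$src/id_rsa.pub" ] || return 1
    (
        umask 077   # the archive contains the private key: owner-only access
        ssh_manifest "$src" > "$archive.manifest" &&
        tar -cf "$archive" -C "$src" .
    )
}

# restore_ssh_dir ARCHIVE DEST_DIR: run after the upgrade/downgrade.
restore_ssh_dir() {
    archive=$1; dest=$2
    mkdir -p "$dest" || return 1
    tar -xf "$archive" -C "$dest" || return 1
    # ssh ignores a private key file that other users can read.
    chmod 700 "$dest" && chmod 600 "$dest/id_rsa" &&
        chmod 644 "$dest/id_rsa.pub" || return 1
    # Succeed only if the restored files match what was recorded at backup time.
    [ "$(ssh_manifest "$dest")" = "$(cat "$archive.manifest")" ]
}

# Typical use (paths are examples; keep the archive and manifest somewhere
# that survives the upgrade):
#   backup_ssh_dir  /root/.ssh /var/tmp/root-ssh.tar
#   restore_ssh_dir /var/tmp/root-ssh.tar /root/.ssh
# Then, in configuration mode:
#   set system login user <userid> authentication load-key-file /root/.ssh/id_rsa.pub
```

Because the archive holds the private key, treat it with the same care as /root/.ssh/id_rsa itself and delete it once the restore has been verified.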