
[Junos] Generating SSH RSA keys locally on devices running Junos OS



Article ID: KB30588 | KB Last Updated: 26 Mar 2021 | Version: 2.0

This article describes the procedure to generate SSH keys on a device running Junos OS, and to configure the device to use password-less, public key-based encrypted SSH authentication.


Users may need to generate SSH keys locally to allow remote login using SSH keys instead of using passwords stored locally.

  1. Enable SSH service on the switch using the following command:
    root@Juniper# set system services ssh

  2. Generate the SSH key on a device running Junos OS by logging in to the shell prompt as the root user:
    root@Juniper> start shell
    root@Juniper% ssh-keygen -t rsa

    Generating public/private rsa key pair.

    Enter file in which to save the key (/root/.ssh/id_rsa):
    Created directory '/root/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:

    Your identification has been saved in /root/.ssh/id_rsa.
    Your public key has been saved in /root/.ssh/
    The key fingerprint is:
    91:6e:b9:52:fd:14:85:1e:8c:40:9a:7c:2d:c7:d4:0d root@SW_Jaffa_Monitor_104
  3. Once the keys are generated, associate the key with the "userid" using the following commands:
    root@Juniper# set system login user <userid> uid 2000
    root@Juniper# set system login user <userid> class super-user
    root@Juniper# set system login user <userid> authentication load-key-file /root/.ssh/

After the above configuration commands are run, a directory named <userid> is created in /var/home, and the authorized_key for SSH is created.

When an upgrade/downgrade is performed, the files "", which are locally created and are not part of the configuration, will not be restored. Hence the contents of the /root/.ssh directory must be copied beforehand and put back after the upgrade/downgrade is complete. The user must also be associated with the key again using the following CLI command:

    root@Juniper# set system login user <userid> authentication load-key-file /root/.ssh/
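
The copy-and-restore step described above can be scripted; the following is an added example, not part of the Juniper article. The function names and the archive location are hypothetical, and it assumes `tar`, `find` and `diff` are available in the shell where it runs. Because the directory holds a private key, the archive and the restored files are kept owner-only.

```shell
#!/bin/sh
# Added example: preserve a locally generated SSH key directory across an
# upgrade/downgrade. Function names are hypothetical; paths are arguments.

# backup_ssh_dir SRC_DIR ARCHIVE
# Archive SRC_DIR (the article's /root/.ssh) into ARCHIVE, readable by owner only.
backup_ssh_dir() {
    src=$1; archive=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    # umask in a subshell so the caller's umask is left untouched
    ( umask 077; tar -cf "$archive" -C "$src" . ) && chmod 600 "$archive"
}

# restore_ssh_dir ARCHIVE DEST_DIR
# Unpack ARCHIVE into DEST_DIR and reset permissions: 700 on the directory,
# 600 on every file, so sshd and ssh accept the key files.
restore_ssh_dir() {
    archive=$1; dest=$2
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    mkdir -p "$dest" || return 1
    tar -xf "$archive" -C "$dest" || return 1
    chmod 700 "$dest" || return 1
    find "$dest" -type f -exec chmod 600 {} +
}

# same_keys DIR_A DIR_B
# Return 0 only if both directories hold byte-identical files, which confirms
# the restored keys are the ones that were backed up.
same_keys() {
    diff -r "$1" "$2" >/dev/null
}

# Usage (archive path is a placeholder chosen by the operator):
#   backup_ssh_dir  /root/.ssh <archive-path>      # before the upgrade
#   restore_ssh_dir <archive-path> /root/.ssh      # after the upgrade
```

Store the archive off the device or in a location that survives the upgrade, and delete any temporary copy once the restore is verified.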
Modification History:
2021-03-26 Removing references of "DSA" since the "DSA" key type has been deprecated.