Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[vSRX on Microsoft Azure Cloud] How to configure SSH Public Key authentication on vSRX on Microsoft Azure Cloud after initial deployment with SSH Password authentication

0

0

Article ID: KB35522 KB Last Updated: 03 Mar 2020Version: 1.0
Summary:
Currently when deploying a vSRX instance on Microsoft Azure Cloud, for SSH authentication only the Password option is supported. Public Key authentication is not supported in the initial deployment.

This article describes how to change to using Public Key authentication on the vSRX instance after an initial deployment with Password authentication on Microsoft Azure Cloud.

 
Solution:
In order to change the SSH authentication from Password to Public Key authentication on the vSRX instance on Microsoft Azure Cloud, you can follow the below steps.

1) Deploy a vSRX instance on Azure using SSH Password authentication.

The relevant section of the Azure deploy page for selecting the SSH authentication type:




2) Login to the vSRX using SSH to the public IP address.

johndoe@workstation ~ % ssh jtacuser@xx.xx.xx.xx
The authenticity of host 'xx.xx.xx.xx (xx.xx.xx.xx)' can't be established.
RSA key fingerprint is SHA256:Q765dS/q1bmoPs/lR+L+l11UDiUI8aWBcTVOlVI+DCg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xx.xx.xx.xx' (RSA) to the list of known hosts.
Password:
--- JUNOS 19.4R1.10 Kernel 64-bit XEN JNPR-11.0-20191115.14c2ad5_buil


jtacuser@vsrx1>

jtacuser@vsrx1> show version
Hostname: vsrx1
Model: vSRX
Junos: 19.4R1.10



3) On the client machine, generate an SSH key pair. The following command creates an SSH key pair using RSA encryption and a bit length of 4096 on a Mac or Linux machine.

johndoe@workstation ~ % ssh-keygen -t rsa -b 4096 -f ~/azure-vsrx1
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/johndoe/azure-vsrx1.
Your public key has been saved in /Users/johndoe/azure-vsrx1.pub.
The key fingerprint is:
SHA256:p15cAlgLsm4B4St8Grekt4gLGAeTvHZk98ZzTKewQPg johndoe@workstation
The key's randomart image is:
+---[RSA 4096]----+
|  o.o.. .        |
|.o o.o + .       |
|+..o+o..o. .     |
|.o+o.E+ =.o      |
|o=o=o  *S+o .    |
|o+O.. . o+ o     |
|oo o    . o      |
|o o .  . .       |
|oo .    .        |
+----[SHA256]-----+
johndoe@workstation ~ % ls -al azure-vsrx1*
-rw-------  1 johndoe  group  3389 Feb 24 18:10 azure-vsrx1
-rw-r--r--  1 johndoe  group   749 Feb 24 18:10 azure-vsrx1.pub


When using Windows, a tool such as PuTTYgen can be used to generate the key pair.

4) Display the public key content

johndoe@workstation ~ % cat azure-vsrx1.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDf/Vh1Bos5ws2BlgE3eiCoYdk8P6YbwRAb4/Uf0lV9BgBhql4Awoq/tIVZsQM1FXWY3Y45m/imtiOSVHRh/xC89+x/rNkOWSuzw2zW3w5+jjcHavjyajVBimPk3ttdWSu5NwyFTPvtL6QhkHhXUk4MEYrX5ML7veRPIrPj73FQ4QUZAG/Xgvarj2dAFkZ5Gm5LST2jRSpdDsozeCeXBiiPsL7fQ2s8xhySzj6psZjPE5cky7hsLoKlMV0IrDRWSTHPu21mxEglWfqznurIjiHeRXGAl3GhfZOa8u8ZD9dMUL61is35QcYE6McJvwYdmdRx8yi15epY2pgfX4aDyJeJAntyCTPxNh6VL7sQzBEFGnLN+X1H3l34EZDsR6ndAoh7hQITATmBQXoh/6czCOBK7Ngcd3hszzhNVPHtsvnn6tWsyuyadtQPRg6aC9pfGVn3Bfek6fzcebbgwGAPSIBfyPLaa8J8xMVJSOm0rWki3h5GakV2EAQ5SCvgZ6IGW/cVC9XgrRXDpwOvCSed0ObDouplTZHU6ECvVvUaGV4j/5ZoJmCXKl1sp/ovfIMAN4M1yi5ngjM+GI+74hISAT6J8q0LOUplbi8PGQes25N4fnIXLMkS3ECxKYKKT7dQcYAwWTtw3Cy6fOOMdQoZQtmnNcFKSyGm0VnFal1cAcp9Gw== johndoe@workstation
johndoe@workstation ~ %



5) On the vSRX, configure the Azure vSRX user with ssh-rsa authentication using the new SSH public key. Paste the exact public key contents between the quotes. Delete the password authentication.

jtacuser@vsrx1> configure
Entering configuration mode

[edit]
jtacuser@vsrx1# set groups azure-provision system login user jtacuser authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDf/Vh1Bos5ws2BlgE3eiCoYdk8P6YbwRAb4/Uf0lV9BgBhql4Awoq/tIVZsQM1FXWY3Y45m/imtiOSVHRh/xC89+x/rNkOWSuzw2zW3w5+jjcHavjyajVBimPk3ttdWSu5NwyFTPvtL6QhkHhXUk4MEYrX5ML7veRPIrPj73FQ4QUZAG/Xgvarj2dAFkZ5Gm5LST2jRSpdDsozeCeXBiiPsL7fQ2s8xhySzj6psZjPE5cky7hsLoKlMV0IrDRWSTHPu21mxEglWfqznurIjiHeRXGAl3GhfZOa8u8ZD9dMUL61is35QcYE6McJvwYdmdRx8yi15epY2pgfX4aDyJeJAntyCTPxNh6VL7sQzBEFGnLN+X1H3l34EZDsR6ndAoh7hQITATmBQXoh/6czCOBK7Ngcd3hszzhNVPHtsvnn6tWsyuyadtQPRg6aC9pfGVn3Bfek6fzcebbgwGAPSIBfyPLaa8J8xMVJSOm0rWki3h5GakV2EAQ5SCvgZ6IGW/cVC9XgrRXDpwOvCSed0ObDouplTZHU6ECvVvUaGV4j/5ZoJmCXKl1sp/ovfIMAN4M1yi5ngjM+GI+74hISAT6J8q0LOUplbi8PGQes25N4fnIXLMkS3ECxKYKKT7dQcYAwWTtw3Cy6fOOMdQoZQtmnNcFKSyGm0VnFal1cAcp9Gw== johndoe@workstation"

[edit]
jtacuser@vsrx1# delete groups azure-provision system login user jtacuser authentication encrypted-password

[edit]
jtacuser@vsrx1# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete



6) On the client machine, SSH to the vSRX, now using the private key for authentication. When this is successful, commit the configuration again to confirm.

johndoe@workstation ~ % ssh -i azure-vsrx1 jtacuser@xx.xx.xx.xx
Last login: Mon Feb 24 18:18:10 2020 from xx.xx.xx.xx
--- JUNOS 19.4R1.10 Kernel 64-bit XEN JNPR-11.0-20191115.14c2ad5_buil

# commit confirmed will be rolled back in 8 minutes
jtacuser@vsrx1> configure
Entering configuration mode

[edit]
jtacuser@vsrx1# commit
commit complete



 
Modification History:
2020-03-03: Initial posting of this article.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search