Currently, when deploying a vSRX instance on Microsoft Azure Cloud, only the Password option is supported for SSH authentication. Public Key authentication is not supported in the initial deployment.
This article describes how to change to using Public Key authentication on the vSRX instance after an initial deployment with Password authentication on Microsoft Azure Cloud.
To change the SSH authentication from Password to Public Key authentication on the vSRX instance on Microsoft Azure Cloud, follow the steps below.
1) Deploy a vSRX instance on Azure using SSH Password authentication.
[Figure: the relevant section of the Azure deploy page for selecting the SSH authentication type]
2) Log in to the vSRX using SSH to the public IP address.
johndoe@workstation ~ % ssh jtacuser@xx.xx.xx.xx
The authenticity of host 'xx.xx.xx.xx (xx.xx.xx.xx)' can't be established.
RSA key fingerprint is SHA256:Q765dS/q1bmoPs/lR+L+l11UDiUI8aWBcTVOlVI+DCg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'xx.xx.xx.xx' (RSA) to the list of known hosts.
Password:
--- JUNOS 19.4R1.10 Kernel 64-bit XEN JNPR-11.0-20191115.14c2ad5_buil
jtacuser@vsrx1>
jtacuser@vsrx1> show version
Hostname: vsrx1
Model: vSRX
Junos: 19.4R1.10
3) On the client machine, generate an SSH key pair. The following command creates an RSA key pair with a bit length of 4096 on a Mac or Linux machine.
johndoe@workstation ~ % ssh-keygen -t rsa -b 4096 -f ~/azure-vsrx1
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/johndoe/azure-vsrx1.
Your public key has been saved in /Users/johndoe/azure-vsrx1.pub.
The key fingerprint is:
SHA256:p15cAlgLsm4B4St8Grekt4gLGAeTvHZk98ZzTKewQPg johndoe@workstation
The key's randomart image is:
+---[RSA 4096]----+
| o.o.. . |
|.o o.o + . |
|+..o+o..o. . |
|.o+o.E+ =.o |
|o=o=o *S+o . |
|o+O.. . o+ o |
|oo o . o |
|o o . . . |
|oo . . |
+----[SHA256]-----+
johndoe@workstation ~ % ls -al azure-vsrx1*
-rw------- 1 johndoe group 3389 Feb 24 18:10 azure-vsrx1
-rw-r--r-- 1 johndoe group 749 Feb 24 18:10 azure-vsrx1.pub
When using Windows, a tool such as PuTTYgen can be used to generate the key pair.
4) Display the public key content.
johndoe@workstation ~ % cat azure-vsrx1.pub
ssh-rsa <public key data> johndoe@workstation
johndoe@workstation ~ %
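5) On the vSRX, configure the Azure vSRX user with ssh-rsa authentication using the new SSH public key. Paste the exact public key contents between the quotes. Delete the password authentication. Commit with commit confirmed so that the change is rolled back automatically unless it is confirmed.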
jtacuser@vsrx1> configure
Entering configuration mode
[edit]
jtacuser@vsrx1# set groups azure-provision system login user jtacuser authentication ssh-rsa "ssh-rsa <public key data> johndoe@workstation"
[edit]
jtacuser@vsrx1# delete groups azure-provision system login user jtacuser authentication encrypted-password
[edit]
jtacuser@vsrx1# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete
6) On the client machine, SSH to the vSRX, now using the private key for authentication. When this is successful, commit the configuration again to confirm.
johndoe@workstation ~ % ssh -i azure-vsrx1 jtacuser@xx.xx.xx.xx
Last login: Mon Feb 24 18:18:10 2020 from xx.xx.xx.xx
--- JUNOS 19.4R1.10 Kernel 64-bit XEN JNPR-11.0-20191115.14c2ad5_buil
# commit confirmed will be rolled back in 8 minutes
jtacuser@vsrx1> configure
Entering configuration mode
[edit]
jtacuser@vsrx1# commit
commit complete
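A pre-flight check for step 5, as an added example that is not part of the original article or Juniper's tooling: the shell function below (hypothetical name junos_pubkey_cmds) confirms that the .pub file is a single-line ssh-rsa key before printing the two configuration commands, which catches a wrapped paste or an accidentally selected private key file before password authentication is deleted. The sample key in it is constructed and is not a real key.

```shell
#!/bin/sh
# Added example, not Juniper's code. The group name "azure-provision" and the
# command syntax come from step 5; the function name is hypothetical.

err() { echo "error: $*" >&2; }

junos_pubkey_cmds() {
    user=$1 pubfile=$2
    case $user in ''|*[!A-Za-z0-9_.-]*) err "bad user name"; return 1 ;; esac
    [ -r "$pubfile" ] || { err "cannot read $pubfile"; return 1; }

    # A .pub file is exactly one line. More lines means a wrapped paste
    # or that the private key file was selected by mistake.
    [ "$(grep -c '' "$pubfile")" -eq 1 ] || { err "expected exactly one line"; return 1; }

    # Fields: key type, base64 blob, optional comment.
    read -r ktype blob comment < "$pubfile" || true

    # The Junos statement used in the article is "authentication ssh-rsa".
    [ "$ktype" = ssh-rsa ] || { err "key type is '$ktype', not ssh-rsa"; return 1; }

    # An ssh-rsa blob is base64 of a structure that begins with the
    # length-prefixed string "ssh-rsa", so it always starts with this prefix.
    case $blob in
        *[!A-Za-z0-9+/=]*) err "blob is not base64"; return 1 ;;
        AAAAB3NzaC1yc2E*) ;;
        *) err "blob does not encode an ssh-rsa key"; return 1 ;;
    esac

    # A double quote in the comment would end the quoted Junos value early.
    case $comment in *\"*) err "comment contains a double quote"; return 1 ;; esac

    g="groups azure-provision system login user $user authentication"
    printf 'set %s ssh-rsa "%s"\n' "$g" "$ktype $blob${comment:+ $comment}"
    printf 'delete %s encrypted-password\n' "$g"
}

# Constructed sample input (not a real key) so the block runs offline.
sample=$(mktemp)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSAMPLE johndoe@workstation' > "$sample"
junos_pubkey_cmds jtacuser "$sample"
rm -f "$sample"
```

With a real key, run it as junos_pubkey_cmds jtacuser ~/azure-vsrx1.pub and paste the printed lines in configuration mode, then continue with commit confirmed as in step 5.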