Configure SSH Host Keys For Secure Copying Of Data | Junos OS
Secure Shell (SSH) uses encryption algorithms to generate a host, server, and session key system that ensures secure data transfer. You can configure SSH host keys to support secure copy (SCP) as an alternative to FTP for the background transfer of data such as configuration archives and event logs. To configure SSH support for SCP, you must complete the following tasks:
- Specify SSH known hosts by including hostnames and host key information in the Routing Engine configuration hierarchy.
- Set an SCP URL to specify the host from which to receive data. Setting this attribute automatically retrieves SSH host key information from the SCP server.
- Verify that the host key is authentic.
- Accept the secure connection. Accepting this connection automatically stores host key information in the local host key database. Storing host key information in the configuration hierarchy automates the secure handshake and allows background data transfer using SCP.
Tasks to configure SSH host keys for secure copying of data are:
Configure SSH Known Hosts
To configure SSH known hosts, include the host statement, and specify hostname and host key options for trusted servers at the [edit security ssh-known-hosts] hierarchy level:
[edit security ssh-known-hosts]
host corporate-archive-server {
    dsa-key key;
}
host archive-server-url {
    rsa-key key;
}
host server-with-ssh-version-1 {
    rsa1-key key;
}
Host keys are one of the following:
- dsa-key key—Base64-encoded Digital Signature Algorithm (DSA) key for SSH version 2.
- ecdsa-sha2-nistp256-key key—Base64-encoded ECDSA-SHA2-NIST256 key.
- ecdsa-sha2-nistp384-key key—Base64-encoded ECDSA-SHA2-NIST384 key.
- ecdsa-sha2-nistp521-key key—Base64-encoded ECDSA-SHA2-NIST521 key.
- ed25519-key key—Base64-encoded ED25519 key.
- rsa-key key—Base64-encoded public key algorithm that supports encryption and digital signatures for SSH version 1 and SSH version 2.
- rsa1-key key—Base64-encoded RSA public key algorithm, which supports encryption and digital signatures for SSH version 1.
Configure Support for SCP File Transfer
To configure a known host to support background SCP file transfers, include the archive-sites statement at the [edit system archival configuration] hierarchy level.
[edit system archival configuration]
archive-sites {
    scp://username<:password>@host<:port>/url-path;
}
Note: When specifying a URL in a Junos OS statement using an IPv6 host address, you must enclose the entire URL in quotation marks (" ") and enclose the IPv6 host address in brackets ([ ]). For example, "scp://username<:password>@[host]<:port>/url-path";
Setting the archive-sites statement to point to an SCP URL triggers automatic host key retrieval. At this point, Junos OS connects to the SCP host to fetch the SSH public key, displays the host key message digest or fingerprint as output to the console, and terminates the connection to the server.
user@host# set system archival configuration archive-sites "<scp-url-path>"
The authenticity of host <my-archive-server (<server-ip-address>)> can't be established.
RSA key fingerprint is <ascii-text key>.
Are you sure you want to continue connecting (yes/no)?
To verify that the host key is authentic, compare this fingerprint with the fingerprint of the same host obtained through a trusted, out-of-band source (for example, read directly from the server's console rather than over the network). If the fingerprints are identical, accept the host key by entering yes at the prompt. The host key information is then stored in the Routing Engine configuration and supports background data transfers using SCP.
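The fingerprint comparison in this step is easy to get wrong (comparing the wrong key type, or trusting a fingerprint that came over the same untrusted path). As an added example, not from the Junos documentation, the following Python script shows what that comparison actually checks: it builds a constructed OpenSSH known_hosts line for a dummy Ed25519 key (made-up bytes, not a real server key), parses it, computes the OpenSSH-style SHA256 fingerprint of the key blob, and accepts the host only if that fingerprint equals one supplied from a trusted source. The hostname, key bytes and function names are assumptions for illustration; the line format it produces is the same known_hosts format that the load-key-file option later on this page imports.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: 32 arbitrary bytes standing in for an Ed25519 public key.
# This is NOT a real server key; a real one comes from the server itself.
DUMMY_ED25519_PUBKEY = bytes(range(32))


def ssh_string(data: bytes) -> bytes:
    """Encode data as an SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def build_known_hosts_line(hostname: str, key_type: str, raw_key: bytes) -> str:
    """Build an OpenSSH known_hosts line: '<hostname> <key-type> <base64 key blob>'."""
    blob = ssh_string(key_type.encode("ascii")) + ssh_string(raw_key)
    return f"{hostname} {key_type} {base64.b64encode(blob).decode('ascii')}"


def parse_known_hosts(text: str) -> list:
    """Parse known_hosts text into (hostnames, key_type, blob) tuples.

    Blank lines and '#' comments are skipped. The key type declared on the
    line must match the type embedded in the blob, otherwise the entry is corrupt.
    """
    entries = []
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed known_hosts line: {line!r}")
        hosts, key_type, b64 = parts[0], parts[1], parts[2]
        blob = base64.b64decode(b64, validate=True)
        if len(blob) < 4:
            raise ValueError("key blob too short")
        (declared_len,) = struct.unpack(">I", blob[:4])
        declared = blob[4:4 + declared_len].decode("ascii")
        if declared != key_type:
            raise ValueError(f"key type {key_type} does not match blob type {declared}")
        entries.append((hosts.split(","), key_type, blob))
    return entries


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, as older SSH clients print it.
    Useful only for matching the output of old tools; verification uses SHA256."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def verify_host_key(known_hosts_text: str, hostname: str, trusted_fingerprint: str) -> bool:
    """Return True only if hostname has an entry whose SHA256 fingerprint equals the
    fingerprint obtained out of band. Unknown hosts and mismatches both fail closed."""
    for hosts, _key_type, blob in parse_known_hosts(known_hosts_text):
        if hostname in hosts:
            actual = sha256_fingerprint(blob).encode("ascii")
            return hmac.compare_digest(actual, trusted_fingerprint.encode("utf-8"))
    return False


if __name__ == "__main__":
    sample = "# constructed sample known_hosts\n" + build_known_hosts_line(
        "corporate-archive-server", "ssh-ed25519", DUMMY_ED25519_PUBKEY)
    blob = parse_known_hosts(sample)[0][2]
    print(sample)
    print(sha256_fingerprint(blob))
    print(md5_fingerprint(blob))
    # The trusted fingerprint would normally be typed in from an out-of-band record;
    # here it is taken from the same constructed key so the check passes.
    print("verified:", verify_host_key(sample, "corporate-archive-server",
                                       sha256_fingerprint(blob)))
```

The point of the design is that the decision is made on the fingerprint of the whole key blob (type string plus key material), exactly what the console prompt above displays, and that an entry for an unknown host or a non-matching fingerprint is rejected rather than silently accepted.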
Update SSH Host Key Information
Typically, SSH host key information is automatically retrieved when you set a URL attribute for SCP using the archival configuration archive-sites statement at the [edit system] hierarchy level. However, if you need to manually update the host key database, use one of the following methods.
- Retrieve Host Key Information Manually
- Import Host Key Information from a File
Retrieve Host Key Information Manually
To manually retrieve SSH public host key information, configure the fetch-from-server option at the [edit security ssh-known-hosts] hierarchy level. You must specify the host from which to retrieve the SSH public key.
user@host# set security ssh-known-hosts fetch-from-server <hostname>
Import Host Key Information from a File
To manually import SSH host key information from a known_hosts file, include the load-key-file option at the [edit security ssh-known-hosts] hierarchy level. You must specify the path to the file from which to import host key information.
user@host# set security ssh-known-hosts load-key-file /var/tmp/known-hosts
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
Release | Description
18.3R1 | Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.