Configure SSH RSA authentication on QFabric

Starting with 13.1X50-D15, Juniper QFabric supports SSH RSA authentication.

This post will show you how you can do this.

First, generate your key pair on the client from which you will log in to the QFabric:

paris@evora:~$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/paris/.ssh/id_rsa): 
Created directory '/home/paris/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/paris/.ssh/id_rsa.
Your public key has been saved in /home/paris/.ssh/id_rsa.pub.
The key fingerprint is:
59:20:88:3f:25:14:05:9e:64:17:93:ae:57:8a:5f:74 paris@evora
The key's randomart image is:
+--[ RSA 2048]----+
|   o*=*o.        |
|  .+oooo .       |
|   .o+    .      |
|    o . ooE      |
|     + +S.       |
|    o o .        |
|     o .         |
|      .          |
|                 |
+-----------------+
paris@evora:~$

Copy the public key to a location that you can reference later. I chose to copy the key to the DirectorGroup:

paris@evora:~$ ssh-copy-id root@172.30.145.217
The authenticity of host '172.30.145.217 (172.30.145.217)' can't be established.
RSA key fingerprint is ec:94:d0:6e:18:8b:ad:a2:5f:af:70:de:32:55:03:54.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.30.145.217' (RSA) to the list of known hosts.
root@172.30.145.217's password: 
stty: standard input: Invalid argument
Now try logging into the machine, with "ssh 'root@172.30.145.217'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

paris@evora:~$

This is the confirmation that the public key was copied:

[root@dg0 .ssh]# pwd
/root/.ssh
[root@dg0 .ssh]# cat authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4bAWd9m4jdF5D6pwjaIhiMrzw0ysToNatXGBnr0YZQtTkgi0b/IdCFcAAUe
8G3bzlEJ+aui2Tzo4wH9uRaLyDSQ4ASnYAJeg8EeI665Dd+5ih3nBu2+6inOiuTFI5frD9Y+IM2+es9hQgpaj3z3E2nnA6y9mi
x60Y/8mxJalzQuCltSrGY4FDTUoVQQqtlsgF7MDP9ZAO34xRWJmLcGK7hs22C6uvrnODr+zsoXX+qTRGFpzjeCz+R6gqqZp+JU
oMOZLHr6zg5Or+9LmqcAjfczC7LWwEdI6+5Lt09FY2y5vMb1H1LDcU5NaZuPxm7rCvP06xmZvn44UuBwIBHB13 paris@evora
[root@dg0 .ssh]#

Now configure QFabric to use SSH RSA authentication for the root user, referencing the location where you previously copied the public key:

[edit]
root@Qfabric# set system root-authentication load-key-file /root/.ssh/authorized_keys 

[edit]
root@Qfabric#

Before you commit, run ‘show system root-authentication’ and confirm that the key string matches the one in the file copied to DG0:

[edit]
root@Qfabric# show system root-authentication 
encrypted-password "$1$ojkivzMa$Pvn9gpDnlwwZ/5vVAkWq61"; ## SECRET-DATA
ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4bAWd9m4jdF5D6pwjaIhiMrzw0ysToNatXGBnr0YZQtTkgi0b/IdCFcA
AUe8G3bzlEJ+aui2Tzo4wH9uRaLyDSQ4ASnYAJeg8EeI665Dd+5ih3nBu2+6inOiuTFI5frD9Y+IM2+es9hQgpaj3z3E2nnA6y9mix60
Y/8mxJalzQuCltSrGY4FDTUoVQQqtlsgF7MDP9ZAO34xRWJmLcGK7hs22C6uvrnODr+zsoXX+qTRGFpzjeCz+R6gqqZp+JUoMOZLHr6z
g5Or+9LmqcAjfczC7LWwEdI6+5Lt09FY2y5vMb1H1LDcU5NaZuPxm7rCvP06xmZvn44UuBwIBHB13 paris@evora"; ## SECRET-DATA
remote-debug-permission qfabric-admin;

[edit]
root@Qfabric#
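
Comparing the two key strings by eye is error-prone because the CLI wraps and quotes the key. The following is an added example, not part of the original post: it parses both copies, rejoins the wrapped base64, and compares fingerprints and key size. The function names are hypothetical and the sample key is constructed, not a real key.

```python
import base64, binascii, hashlib

def _fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    out, pos = [], 0
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 + n > len(blob):
            raise ValueError("truncated field")
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def parse_rsa_key(text):
    """Return (legacy MD5 fingerprint, modulus bits) of the first ssh-rsa key.
    Tolerates line wraps and the quotes/semicolon Junos prints around it."""
    tokens = text.replace('"', " ").replace(";", " ").split()
    start = next((i for i, t in enumerate(tokens) if t.startswith("AAAA")), None)
    if start is None:
        raise ValueError("no key blob found")
    for end in range(start + 1, len(tokens) + 1):
        try:
            blob = base64.b64decode("".join(tokens[start:end]), validate=True)
            kind, _e, n = _fields(blob)
        except (binascii.Error, ValueError):
            continue  # blob incomplete so far: join the next wrapped chunk
        if kind != b"ssh-rsa":
            raise ValueError("not an ssh-rsa key")
        md5 = hashlib.md5(blob).hexdigest()  # colon-hex, as ssh-keygen printed it
        fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
        return fp, int.from_bytes(n, "big").bit_length()
    raise ValueError("no complete ssh-rsa key found")

def same_key(a, b):
    """True when both texts carry the identical RSA public key."""
    return parse_rsa_key(a) == parse_rsa_key(b)

# Constructed sample, NOT a real key: a 2048-bit number stands in for the modulus.
def _s(b):
    return len(b).to_bytes(4, "big") + b
N = (1 << 2047) | 0xC0FFEF
BLOB = _s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + N.to_bytes(256, "big"))
B64 = base64.b64encode(BLOB).decode()
CLIENT_PUB = "ssh-rsa %s paris@evora\n" % B64           # as in id_rsa.pub
WRAPPED = "\n".join(B64[i:i + 90] for i in range(0, len(B64), 90))
JUNOS_SHOW = 'ssh-rsa "ssh-rsa %s paris@evora"; ## SECRET-DATA' % WRAPPED

if __name__ == "__main__":
    print(parse_rsa_key(CLIENT_PUB), same_key(CLIENT_PUB, JUNOS_SHOW))
```

To use it, replace the two sample strings with the contents of id_rsa.pub and the pasted output of ‘show system root-authentication’. On newer OpenSSH clients, `ssh-keygen -l -E md5 -f ~/.ssh/id_rsa.pub` prints the fingerprint in the same colon-separated format.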

Now you can commit and try to log in from the client machine to QFabric:

paris@evora:~$ ssh root@172.30.145.219
The authenticity of host '172.30.145.219 (172.30.145.219)' can't be established.
RSA key fingerprint is ec:94:d0:6e:18:8b:ad:a2:5f:af:70:de:32:55:03:54.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.30.145.219' (RSA) to the list of known hosts.
Last login: Mon Feb 24 14:15:19 2014 from 172.30.144.28
Juniper QFabric Director 13.1.8347 2013-11-05 04:54:03 UTC

root@Qfabric>

Paris ARAU

Paris ARAU is a networking professional with a strong background in routing and switching technologies. He holds CCIE R&S and dual JNCIE (SP and ENT) certifications. His day-to-day work allows him to dive deeply into networking technologies. As part of his continuous training, he is focusing on software-defined networking and cloud computing.
