SRX


Is it possible to use SSH-key based auth for system archival transfer-on-commit ?

  • 1.  Is it possible to use SSH-key based auth for system archival transfer-on-commit ?

    Posted 03-16-2015 05:55

    Given I have configuration like:


    {primary:node0}[edit system archival]
    user@SRX550-1-a# show
    configuration {
        transfer-on-commit;
        archive-sites {
            "scp://firewall@192.168.1.100/configs/";
        }
    }


    I'd like to set up ~firewall/.ssh/authorized_keys to control access to the server I'm copying the configs to.

    This implies the use of an SSH private key from the firewall cluster. Essentially the same idea as in security-ssh-hostkeys-secure-copying but with the direction reversed.

    Is this possible? Either by uploading or creating an SSH public/private key pair on the SRX550, or by allowing the SRX550 to access the keys of the currently logged-in user via ssh-agent?



  • 2.  RE: Is it possible to use SSH-key based auth for system archival transfer-on-commit ?

    Posted 03-16-2015 14:51

    There are a lot of options to do archival of Juniper configs.

    I like to use something like rancid http://www.shrubbery.net/rancid/, pulling the configs from the network equipment rather than pushing them. Rancid also keeps track of changes.

    For you, you have two options:

    1. do scp with a predefined password in the config and your problem is solved.


    2. as a normal user do a start shell

    marctb@srx04.lab> start shell
    %

    Su to root

    % su -
    Password:

    Type in your root password if you have one.

    run ssh-keygen as root

    root@srx04.lab% ssh-keygen -t rsa -b 4096

    cat the .ssh/id_rsa.pub

    put the output of the id_rsa.pub in the homedir of the user firewall@192.168.1.100

    paste the output in the ~firewall/.ssh/authorized_keys file

    exit the root shell of your srx

    make some changes to the config and see if your archival on commit works

    The commit is supposed to give you the standard ssh prompt, to which you need to answer "yes", to save the ssh key. I also recommend that you do a test change and commit, and check if the configuration archive gets uploaded to the target host.



  • 3.  RE: Is it possible to use SSH-key based auth for system archival transfer-on-commit ?

    Posted 03-17-2015 03:11

    > For you, you have two options:
    >
    > 1. do scp with a predefined password in the config and your problem is solved.
    >
    > 2. as a normal user do a start shell
    >
    > marctb@srx04.lab> start shell
    > %
    >
    > Su to root
    >
    > % su -
    > Password:
    >
    > Type in your root password if you have one.
    >
    > run ssh-keygen as root
    >
    > root@srx04.lab% ssh-keygen -t rsa -b 4096
    >
    > cat the .ssh/id_rsa.pub
    >
    > put the output of the id_rsa.pub in the homedir of the user firewall@192.168.1.100
    >
    > paste the output in the ~firewall/.ssh/authorized_keys file
    >
    > exit the root shell of your srx
    >
    > make some changes to the config and see if your archival on commit works
    >
    > The commit is supposed to give you the standard ssh prompt, to which you need to answer "yes", to save the ssh key.
    > I also recommend that you do a test change and commit, and check if the configuration archive gets uploaded to the target host.

    Thank you -- that's a nice idea, which I have implemented.  I could ssh from the root shell on the SRX to the backup box using the SSH key for authentication -- no problem.  Unfortunately it doesn't seem to work on commit: there is no prompt for the SSH key passphrase.

    Rancid looks nice, but it's overkill for us -- we don't have enough kit to justify it. I guess I'll just use the password authentication.


  • 4.  RE: Is it possible to use SSH-key based auth for system archival transfer-on-commit ?

    Posted 03-17-2015 07:42

    What you have to do is remove the passphrase from the ssh-key so it can be used on commit. I forgot to mention that 🙂
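    Added example, not from the thread: once the SRX pushes its configs at commit time with the passphrase-less root key from answers 2 and 4, the backup host is the place left to narrow what that key can do. The authorized_keys options, the archive directory, the SRX source address and the wrapper path below are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): hardening on the backup host for the
# passphrase-less key the SRX uses at commit time. ARCHIVE_DIR, SRX_ADDR and
# the wrapper path are assumed values, not taken from the thread.
ARCHIVE_DIR="/configs"      # assumed: path the SRX's scp request names
SRX_ADDR="192.168.1.1"      # assumed: source address of the SRX cluster
WRAPPER="/usr/local/bin/archive-only"

# authorized_keys line that pins the SRX key to one forced command: no pty,
# no port/agent/X11 forwarding ("restrict", OpenSSH 7.2+), only from SRX_ADDR.
authorized_keys_entry() {
    printf 'restrict,from="%s",command="%s" %s\n' "$SRX_ADDR" "$WRAPPER" "$1"
}

# Allow only the legacy scp sink the Junos scp client requests for an upload
# ("scp -t <dir>", optionally with -d/-p), and only into ARCHIVE_DIR.
archive_only_decision() {
    saw_sink=0
    set -- $1                         # split the requested command into words
    [ "${1-}" = scp ] || { echo deny; return 0; }
    shift
    while [ $# -gt 1 ]; do
        case "$1" in
            -t) saw_sink=1 ;;         # sink (upload) mode
            -d|-p) ;;                 # target-is-directory / preserve times
            *) echo deny; return 0 ;; # -f (download), -r, or anything else
        esac
        shift
    done
    case "$saw_sink:${1-}" in
        "1:$ARCHIVE_DIR"|"1:$ARCHIVE_DIR/") echo allow ;;
        *) echo deny ;;
    esac
}

# Body of the forced-command wrapper: sshd passes the client's request in
# SSH_ORIGINAL_COMMAND; run it only if it passed the check above, else log.
archive_only_main() {
    if [ "$(archive_only_decision "${SSH_ORIGINAL_COMMAND-}")" = allow ]; then
        set -f                        # no globbing when re-splitting the command
        exec $SSH_ORIGINAL_COMMAND
    fi
    logger -t archive-only "refused: ${SSH_ORIGINAL_COMMAND-<none>}"
    exit 1
}
# Only act as the wrapper when installed under that name.
case "$0" in */archive-only) archive_only_main ;; esac
```

    Install the script as the wrapper path, put the line from authorized_keys_entry into ~firewall/.ssh/authorized_keys, then do the test commit from answer 2 and watch the archive-only entries in syslog for anything refused.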