Let's say you have a network of devices that are sitting behind a firewall and you can only access them through a jump-host. This means you need to first log in to the jump-host, and from there you can access the devices.
Take for example the following setup: I have a laptop called jeremy-pc.corp.net and a jump-host called jumpy.corp.net. Behind "jumpy" I've got a few hundred EX switches, a few SRX firewalls, and a few MX routers. All of the network devices are in the private 10.1.0.0/16 network. A simplified view:
In order for my Python programs to connect from jeremy-pc to the SRX and MXs, I need to go through jumpy; I cannot ssh directly to them (which means I cannot open a NETCONF session directly either).
In order to make all this work, I need to do the following:
Create an ssh-key
Install the public ssh-key on the Junos devices, srx3600-1, mx960-1, and mx960-2
Set up my user account on jumpy.corp.net to allow ssh forwarding
Set up my user account on jeremy-pc.corp.net for ssh port tunneling
Activate SSH tunnel and ssh-key from jeremy-pc.corp.net, then connect!
Let's go through each of these steps.
If you are not familiar with the process of generating ssh-keys, it is fairly straightforward, provided you have the ssh utilities installed. Use the ssh-keygen command to create the public and private keys. Here I am creating a pair called "jeremykey" (private key) and "jeremykey.pub" (public key). You will be prompted to enter a passphrase, which I recommend you use.
$ ssh-keygen -f jeremykey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in jeremykey.
Your public key has been saved in jeremykey.pub.
INSTALL PUBLIC SSH-KEY ONTO JUNOS DEVICES
Now copy your public key file to each of the Junos devices. You will need to first copy them to your jump-host, and then from there scp them to each Junos device. Assuming that I've copied the file jeremykey.pub to each Junos device, I can install the key from the Junos CLI, for example on the SRX3600-1 device:
Entering configuration mode
jeremy@srx3600-1# set system login user jeremy authentication load-key-file jeremykey.pub
jeremy@srx1400-1# commit and-quit
SETUP "JUMPY" FOR SSH AGENT FORWARDING
I now need to set up my user account on jumpy.corp.net so that it will forward my SSH connections when I originate them from my laptop, jeremy-pc.corp.net. To do this, I need to edit the ssh config file in $HOME/.ssh/config so that it looks like this:
For more details on the ssh config file, you can do a "man ssh_config". The above example is considered very open since it applies to all hosts. You can get very specific with configs, but for the sake of simplicity in this blog, we'll leave it like this.
Now on to the tricky part, setting up ssh port forwarding ...
SETUP "JEREMY-PC" FOR SSH PORT FORWARDING
The technique for ssh port forwarding is to designate ports on jeremy-pc.corp.net that get mapped to specific hosts reachable from jumpy.corp.net. I can pick any ports that I want, but generally in the range above 1024. I use ports >= 8000. The following illustrates the mapping I want to create:
On jeremy-pc.corp.net, I create an ssh config file in $HOME/.ssh/config that looks like the following.
LocalForward 8001 10.1.0.12:22
LocalForward 8002 10.1.0.21:22
LocalForward 8003 10.1.0.22:22
There is a lot to dissect in this config file, but the main technique here is that the host jumpy-tunnel is what will be used to set up the port forwarding; then each unique host, e.g. srx3600-1.jumpy, is used to associate a name with a local port so we don't need to remember all the port mappings.
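The following shell script is an added example, not part of the original post: it generates the jeremy-pc $HOME/.ssh/config described above from a device list (names and 10.1.0.0/16 addresses constructed to match the LocalForward lines shown), numbering ports from 8001. The HostKeyAlias line is an assumption added here so that each device's host key is recorded under its own name in known_hosts rather than under [localhost]:PORT, which keeps key verification meaningful if a port is ever reassigned to a different device.

```shell
#!/bin/sh
# Added example: build the jeremy-pc ssh config for the jumpy tunnel.
# Device list constructed from the post ("name ip", one per line).
DEVICES="srx3600-1 10.1.0.12
mx960-1 10.1.0.21
mx960-2 10.1.0.22"

# gen_ssh_config JUMPHOST USER BASEPORT   (device list on stdin)
# Emits one "Host jumpy-tunnel" entry carrying every LocalForward,
# then one "Host <name>.jumpy" entry per device pointing at its local port.
gen_ssh_config() {
    jumphost=$1; user=$2; port=$3
    hosts=""
    printf 'Host jumpy-tunnel\n    HostName %s\n    User %s\n' "$jumphost" "$user"
    while read -r name ip; do
        if [ -z "$name" ]; then continue; fi
        # Tunnel entry: local port -> device port 22 via jumpy.
        printf '    LocalForward %s %s:22\n' "$port" "$ip"
        # Per-device alias; HostKeyAlias (assumption) keys known_hosts by
        # device name instead of "[localhost]:PORT".
        hosts="$hosts$(printf '\nHost %s.jumpy\n    HostName localhost\n    Port %s\n    User %s\n    HostKeyAlias %s\n' \
            "$name" "$port" "$user" "$name")"
        port=$((port + 1))
    done
    printf '%s\n' "$hosts"
}

# Stand-alone demonstration: print the generated config.
printf '%s\n' "$DEVICES" | gen_ssh_config jumpy.corp.net jeremy 8001
```

Redirect the output into $HOME/.ssh/config (or merge it with an existing file) and the names srx3600-1.jumpy, mx960-1.jumpy and mx960-2.jumpy resolve to ports 8001, 8002 and 8003 exactly as in the mapping above.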
ACTIVATE SSH-KEY ON "JEREMY-PC"
In order for ssh-keys to work, you need to have an "ssh-agent" running and then add your keys to the agent. Depending on your system, the ssh-agent may be running already. Here is the process to start up the ssh-agent manually and add your ssh-key:
The first command starts the ssh-agent process. The use of eval is needed to capture the environment variables that are returned by ssh-agent. The second command loads the ssh-key. You will be prompted for the passphrase at this point (not shown).
The next step is to create the port mapping tunnel to jumpy. The following command opens an ssh tunnel and puts the process in the background. Note here that the ssh target is jumpy-tunnel, which was the Host in the ssh config that defined all of the LocalForward definitions.
Now that the tunnel is active, and the ssh-key is active, you can directly ssh to the remote Junos device by referring to the host name defined in the ssh config file. For example, to ssh directly to the SRX3600-1 device, use the name srx3600-1.jumpy:
$ ssh srx3600-1.jumpy
Warning: Permanently added '[localhost]:8001' (RSA) to the list of known hosts.
--- JUNOS 12.1X44-D20.3 built 2013-07-19 04:28:29 UTC
... NEXT IN PART 2
In Part 2 of this blog, I will illustrate a Python script that makes a NETCONF connection and performs a basic "hello, world" with the remote device.