Junos Automation (Scripting)

Juise & ssh keys

‎01-28-2013 07:29 PM

Is it possible to tell juise to use a particular ssh private key when connecting to a router?  Similar to the -i switch for the openssh client?

 

 


Re: Juise & ssh keys

‎01-29-2013 06:15 AM

Try this and see if it works:

 

Create an entry in your .ssh/config for the router that you want to use a different identity file with, then re-run.

Something like this, where the file "id_ecdsa_alt1" is the alternate identity file you want to use for router1 and "id_ecdsa_alt2" is yet another one you'd use for router2:

 

Host router1
  user admin
  IdentityFile ~/.ssh/id_ecdsa_alt1

Host router2
  user admin
  IdentityFile ~/.ssh/id_ecdsa_alt2

...
etc.

 

See the man page for ssh_config.   That's where I found this.

 

/doug

 

--
"There he goes. One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die." --HST

Re: Juise & ssh keys

‎01-29-2013 07:10 AM

Doug, this isn't exactly what I'm looking for.  If I update ~/.ssh/config, it will impact all sessions to that host.  I want to specify a different user and identity file, just when connecting using juise and/or jsnap.

With ssh client, you can use the -i switch to specify an identity file for that single session, I was hoping there was something similar for juise, but I've been unable to see anything like that thus far.


Re: Juise & ssh keys

‎01-29-2013 07:40 AM

Sorry.   That's all I can come up with. 

Maybe someone else can help. 

Good luck.

 

/doug

 

p.s. I can't help but ask: Can you share what's the use case/requirement that's driving this ?


Re: Juise

‎01-29-2013 08:06 AM
Sure. I started working on a wrapper script to make 'typical' pre/post maintenance snaps a little easier, and realized that jsnap doesn't require r/w, which got me thinking that it could use one of our robot logins to connect. The idea is don't bother the end user with providing a user/pass, but just specify some other credentials (we don't use keys for typical users, but could easily set them up for a single r/o user).

The problem with editing ~bob/.ssh/config, is that I'd specify the username and identity file for user 'robot' which is a r/o login, and if bob tries to ssh to the device w/out specifying username 'bob', he will login as 'robot'. I only want netconf sessions to log in as robot, not typical ssh sessions to the box.

-Josh

Re: Juise

‎01-29-2013 10:38 AM

Hrm...

Well, one (ugly, silly) way you could skin this cat would be to

1. add an alias in your /etc/hosts for the router, with the idea that you'd use *that* alias when you want to use juise or jsnap to access it. E.g.

192.168.1.101   router1 router1-bot
192.168.1.102   router2 router2-bot

2. add an entry in your .ssh/config (per previous) for the "-bot" alias, specifying the "robot" username and Identity file.

Host router1
   user admin

Host router2
   user admin

Host router1-bot
   user robot
   IdentityFile ~robot/.ssh/id_ecdsa

Host router2-bot
   user robot
   IdentityFile ~robot/.ssh/id_ecdsa

 ....

Any ssh connections to "router1" or "router2" would go out as user admin; any to "router1-bot" or "router2-bot" would use userid "robot" and the credentials for "~robot", even though router1 and router1-bot are the same IP address.

It's ugly, but I'm pretty sure that it'll work.

 

/doug

 


Re: Juise

‎01-29-2013 10:40 AM

Actually, that .ssh/config could be made even simpler using a wildcard:

Host router1
   user admin

Host router2
   user admin

Host *-bot
   user robot
   IdentityFile ~robot/.ssh/id_ecdsa

 

--
"There he goes. One of God's own prototypes. A high-powered mutant of some kind never even considered for mass production. Too weird to live, and too rare to die." --HST
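
A way to check which user and key each alias from the thread resolves to, added here as an example that is not part of any post and is not OpenSSH's own code. It is a simplified model of ssh_config lookup (Host patterns with `*`, `?` and `!`, and the first value obtained for an option wins); `resolve`, `host_line_matches` and `SAMPLE_CONFIG` are hypothetical names, and Match, Include and multiple IdentityFile entries are not modelled.

```python
import re

# Constructed sample: the wildcard configuration from the last post.
SAMPLE_CONFIG = """\
Host router1
   user admin

Host router2
   user admin

Host *-bot
   user robot
   IdentityFile ~robot/.ssh/id_ecdsa
"""

def _matches(pattern, host):
    # ssh_config patterns: '*' is any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host) is not None

def host_line_matches(patterns, host):
    # A Host line applies when a positive pattern matches and no '!pattern' does.
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(_matches(p, host) for p in negated):
        return False
    return any(_matches(p, host) for p in positive)

def resolve(config_text, host):
    """Return the options taken from config_text for `host` (first value wins)."""
    resolved, active = {}, True  # lines before any Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            active = host_line_matches(value.split(), host)
        elif active:
            resolved.setdefault(key, value)  # later values never override
    return resolved

if __name__ == "__main__":
    for name in ("router1", "router1-bot"):
        print(name, resolve(SAMPLE_CONFIG, name))
    # Ordering pitfall: a catch-all block placed first captures the -bot aliases too.
    print(resolve("Host *\n   user admin\n" + SAMPLE_CONFIG, "router1-bot"))
```

With OpenSSH installed, `ssh -G router1-bot` prints the options the real client resolves for that alias, which is the authoritative check.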