How to Access Junos Devices with SSH

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

Junos OS supports Telnet access to Junos devices, but to better protect your login credentials, use Secure Shell (SSH) instead. SSH differs from Telnet in that it lets you exchange data with your device over a secure channel. You must explicitly enable the encrypted SSH service on the device:

[edit]
system {
  services {
    ssh;
    telnet;
  }
}

After you enable SSH on the device, you can access the device through an encrypted session. Because this session is encrypted, you can now log in to the device remotely using the root login:

> ssh -l root router
root@device's password:
--- JUNOS 11.1I (JUNIPER) #3: 2011-07-30 02:18:17 UTC
root@device%

When you log in to the device as root, you log in directly to the FreeBSD shell. To start the CLI, issue the cli command at the prompt.

A fairly simple way to help strengthen your device against attack is to limit the number of access sessions that can be attempted per minute. If you imagine an automated script trying thousands, or even millions, of login/password combinations, you can see how a hacker might try to gain access to your device. Use the rate-limit statement to limit the number of tries to something reasonable:

[edit]
system {
  services {
    ssh {
      rate-limit 15;
    }
    telnet {
      rate-limit 15;
    }
  }
}

Although Telnet is the old-school original remote access method and it may hold a fond place in your heart, when it comes to accessing devices, Telnet can be fairly insecure.

Traffic exchanged via a Telnet session isn’t encrypted, and no safeguards ensure that traffic being sent across a Telnet session is received by the end device and not intercepted somewhere between you and the machine you’re accessing. Unfortunately, this setup makes it fairly simple to sniff the traffic and steal logins and passwords.
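The two points above (Telnet sends credentials in the clear, and each service should carry a rate-limit statement) can be checked automatically against a saved configuration. The following Python audit is an added example, not part of the original article or of Junos itself; the function names, the 15-per-minute ceiling used as a policy default, and the sample inputs are assumptions, and it expects one statement per line as in the listings on this page.

```python
# Added example: audit the `system services` stanza of a Junos config.
# Assumes one statement per line, as in the listings on this page.

def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts (leaf -> None)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):   # skip blanks and the [edit] banner
            continue
        if line.endswith("{"):                 # open a new hierarchy level
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":                      # close the current level
            if len(stack) > 1:
                stack.pop()
        elif line.endswith(";"):               # leaf statement
            stack[-1][line[:-1].strip()] = None
    return root

def audit_services(config_text, max_rate=15):
    """Return findings; max_rate is an assumed policy ceiling (the page uses 15)."""
    system = parse_junos(config_text).get("system") or {}
    services = system.get("services") or {}
    findings = []
    if "ssh" not in services:
        findings.append("ssh: service not enabled")
    if "telnet" in services:
        findings.append("telnet: enabled, logins and passwords are sent unencrypted")
    for name in ("ssh", "telnet"):
        if name not in services:
            continue
        block = services[name] or {}           # bare `ssh;` has no child statements
        rates = [int(k.split()[1]) for k in block if k.startswith("rate-limit ")]
        if not rates:
            findings.append(f"{name}: no rate-limit statement")
        elif rates[0] > max_rate:
            findings.append(f"{name}: rate-limit {rates[0]} is above {max_rate} per minute")
    return findings

# Constructed sample inputs: the first listing on this page, and an SSH-only variant.
PAGE_CONFIG = "[edit]\nsystem {\n  services {\n    ssh;\n    telnet;\n  }\n}\n"
SSH_ONLY = "system {\n  services {\n    ssh {\n      rate-limit 15;\n    }\n  }\n}\n"

if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("ssh only", SSH_ONLY)):
        print(label, "->", audit_services(cfg) or "no findings")
```

Run against the first listing, the audit reports Telnet as enabled and both services as lacking a rate-limit; the SSH-only variant with rate-limit 15 produces no findings.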