Configuring Administrative Credentials and Privileges


Understanding the Associated Password Rules for an Authorized Administrator

The authorized administrator is associated with a defined login class and is assigned all permissions. For fixed password authentication, data is stored locally.


Do not use control characters in passwords.

Use the following guidelines and configuration options when selecting passwords for authorized administrator accounts. Passwords should be:

  • Easy to remember so that users are not tempted to write them down.

  • Changed periodically.

  • Private and not shared with anyone.

  • At least 10 characters long. The minimum password length is 10 characters.

  • Composed of both alphanumeric and punctuation characters, in any combination of uppercase and lowercase letters, numbers, and special characters such as “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, and “)”. There should be at least one change of case, one or more digits, and one or more punctuation marks.

  • Contain character sets. Valid character sets include uppercase letters, lowercase letters, numbers, punctuation, and other special characters.

  • Contain the minimum number of character sets or character set changes. The minimum number of character sets required in plain-text passwords in Junos FIPS is 3.

  • The hashing algorithm for user passwords can be either SHA256 or SHA512 (SHA512 is the default hashing algorithm).


The device supports ECDSA (P-256, P-384, and P-521) and RSA (2048, 3072, and 4092 modulus bit length) key types.

Weak passwords are:

  • Words that might be found in or exist as a permuted form in a system file such as /etc/passwd.

  • The hostname of the system (always a first guess).

  • Any words appearing in a dictionary. This includes dictionaries other than English, and words found in works such as Shakespeare, Lewis Carroll, Roget's Thesaurus, and so on. This prohibition includes common words and phrases from sports, sayings, movies, and television shows.

  • Permutations on any of the above. For example, a dictionary word with vowels replaced with digits (for example f00t) or with digits added to the end.

  • Any machine-generated passwords. Algorithms reduce the search space of password-guessing programs and so should not be used.

Strong reusable passwords can be based on letters from a favorite phrase or word, and then concatenated with other, unrelated words, along with additional digits and punctuation.

Configuring a Network Device Collaborative Protection Profile Authorized Administrator

An account for root is always present in a configuration and is not intended for use in normal operation. In the evaluated configuration, the root account is restricted to the initial installation and configuration of the evaluated device.

An NDcPPv2.1 authorized administrator must have all permissions, including the ability to change the device configuration.

To configure an authorized administrator:

  1. Create a login class named security-admin with all permissions.
  2. Configure the hashing algorithm for plain-text passwords as sha512.
  3. Commit the changes.
  4. Define your NDcPPv2.1 user authorized administrator.


  5. Load an SSH key file that was previously generated using ssh-keygen. This command loads RSA (SSH version 2), or ECDSA (SSH version 2).
  6. Set the log-key-changes configuration statement to log when SSH authentication keys are added or removed.

    When the log-key-changes configuration statement is enabled and committed (with the commit command in configuration mode), Junos OS logs the changes to the set of authorized SSH keys for each user (including the keys that were added or removed). Junos OS logs the differences since the last time the log-key-changes configuration statement was enabled. If the log-key-changes configuration statement was never enabled, then Junos OS logs all the authorized SSH keys.

  7. Commit the changes.

The root password should be reset following the change to sha256 / sha512 for the password storage format. This ensures that the new password is protected using a sha256 / sha512 hash. To reset the root password, use the set system root-authentication plain-text-password password command, and confirm the new password when prompted.
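The seven steps above and the root password reset, written out as Junos OS configuration-mode commands. This is an added example, not taken from the original page. The user name ndcpp-admin, the full-name string, and the key file path are placeholders, and the three password-policy statements go beyond the listed steps to enforce the length and character-set rules from the previous section.

```junos
# Enter at the [edit] prompt in configuration mode; lines starting with "#" are comments.

# Step 1: login class with all permissions
set system login class security-admin permissions all

# Step 2: hash plain-text passwords with SHA-512
set system login password format sha512

# Added beyond the listed steps: enforce the 10-character minimum and
# the requirement for 3 character sets described in the password rules
set system login password minimum-length 10
set system login password change-type character-sets
set system login password minimum-changes 3

# Step 3
commit

# Reset the root password so it is stored under the new hash format
# (the CLI prompts for the password and its confirmation)
set system root-authentication plain-text-password

# Step 4: the authorized administrator (placeholder user name)
set system login user ndcpp-admin full-name "NDcPP Authorized Administrator"
set system login user ndcpp-admin class security-admin
set system login user ndcpp-admin authentication plain-text-password

# Step 5: load a public key generated earlier with ssh-keygen
# (placeholder path; loading it for the administrator account is this example's assumption)
set system login user ndcpp-admin authentication load-key-file /var/tmp/ndcpp-admin.pub

# Step 6: log additions to and removals from each user's authorized SSH keys
set system services ssh log-key-changes

# Step 7
commit
```

The plain-text-password statements are interactive, so enter them by hand rather than pasting the whole block at once.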

Customize Time

To customize time, disable NTP and set the date.

  • Disable NTP.

  • Set date and time. Date and time format is

Configuring Inactivity Timeout Period, and Terminating Local and Remote Idle Session

Configuring Session Termination

Terminate the session after the inactivity timeout period specified by the security administrator.

  1. Set the idle timeout.
  2. Configure the login access privileges.
  3. Commit the configuration.
  4. Set the password.
  5. Define login class.
  6. Commit the configuration.
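The six steps above as Junos OS commands, followed by two checks. This is an added example, not taken from the original page. The class name security-admin, the user name ndcpp-admin, and the 5-minute timeout are assumptions chosen for illustration.

```junos
# Enter at the [edit] prompt in configuration mode; lines starting with "#" are comments.

# Step 1: idle timeout, in minutes, for sessions of users in this class
set system login class security-admin idle-timeout 5

# Step 2: login access privileges for the class
set system login class security-admin permissions all

# Step 3
commit

# Step 4: set the password (the CLI prompts for it and its confirmation)
set system login user ndcpp-admin authentication plain-text-password

# Step 5: bind the user to the class that carries the idle timeout
set system login user ndcpp-admin class security-admin

# Step 6
commit

# Check 1: confirm the class carries both idle-timeout and permissions
show system login class security-admin

# Check 2: list logged-in users with their idle times (operational command run from configuration mode)
run show system users
```

The timeout applies per login class, so an administrator account assigned to a different class is not covered by this setting.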

Sample Output for Local Administrative Session Termination

Sample Output for Remote Administrative Session Termination

Sample Output for User Initiated Termination