Configuring a Network Device Collaborative Protection Profile Authorized Administrator
An account for root is always present in a configuration and is not intended for use in normal operation. In the evaluated configuration, the root account is restricted to the initial installation and configuration of the evaluated device.
An NDcPPv2 authorized administrator must have all permissions, including the ability to change the router configuration.
To configure an authorized administrator:
- Create a login class named security-admin with all permissions.[edit]root@host# set system login class security-admin permissions all
- Configure the hashed algorithm for plain-text passwords
as sha512.[edit]root@host# set system login password format sha512
- Commit the changes.[edit]root@host# commit
- Define your NDcPPv2 user authorized administrator.[edit]root@host# set system login user NDcPPv2-user full-name Common-Criteria-NDcPPv2-Authorized-Administrator class security-admin authentication encrypted-password <password>
- Load an SSH key file that was previously generated using
ssh-keygen. This command loads RSA (SSH version 2), or ECDSA (SSH
version 2).[edit]root@host#set system root-authentication load-key-file url:filename
- Set the log-key-changes configuration statement to log
when SSH authentication keys are added or removed.[edit]root@host#set system services ssh log-key-changes
- Commit the changes.[edit]root@host# commit
The root password should be reset following the change to sha256 / sha512 for the password storage format. This ensures the new password is protected using a sha256 / sha512 hash. To reset the root password, use set system root-authentication plain-text-password password command, and confirm the new password when prompted.