Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Establishing Root Password Access (FIPS Mode)


When Junos OS is installed on a router or switch and the router or switch is powered on, it is ready to be configured. Initially, you log in as the user root with no password. When you log in as root, your SSH connection is enabled by default.

As Crypto Officer, you must establish a root password conforming to the FIPS password requirements in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode. When you enable FIPS mode in Junos OS on the router or switch, you cannot configure passwords unless they meet this standard.

After you log in, configure the root (superuser) password to be used to access the router or switch as follows:

  1. Log in to the router or switch if you have not already done so, and enter configuration mode:
  2. To set the password format, include the format statement at the [edit system password] hierarchy level.
  3. Configure a temporary root password so that you can commit the configuration changes.
  4. Commit the configuration changes.
  5. Reset the root password to meet FIPS requirements.
  6. Change the password format to a FIPS-compliant hash algorithm:


    When establishing root password access after zeroization, the password format must be changed from the default of md5. MD5 is not a FIPS-compliant hash algorithm.

    1. Configure the FIPS-compliant hash algorithm for plain-text passwords by including the format statement at the [edit system login] hierarchy level and selecting sha256, or sha512:
    2. Configure a temporary root password to be able to commit the password format change.
    3. Commit the configuration:
  7. Configure the root password by including the root-authentication statement at the [edit system] hierarchy level and selecting one of the password options.
    • To configure a plain-text password, select the plain-text-password option. Enter and confirm the password at the prompts.

      Ensure that you follow the password guidelines in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode.

    • To configure public keys for SSH authentication of root logins, use the ssh-ecdsa option. You can configure more than one public key for SSH authentication of root logins as well as for user accounts. When a user logs in as root, the public keys are referenced to determine whether the private key matches any of them.


    The system is now ready to execute the set system fips level 1 command.

  8. If you are finished configuring the router or switch, commit the configuration and exit:

Related Documentation