Establishing Root Password Access
When Junos OS is installed on a switch and the switch is powered on, it is ready to be configured. Initially, you log in as the user root with no password.
As Crypto Officer, you must establish a root password conforming to the FIPS password requirements in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode. When you enable FIPS mode in Junos OS on the switch, you cannot configure passwords unless they meet this standard.
Local passwords are encrypted with the secure hash algorithm SHA-1, SHA-256 or SHA-512. Password recovery is not possible in Junos OS in FIPS mode. Junos OS in FIPS mode cannot boot into single-user mode without the correct root password.
After you log in, configure the root (superuser) password to be used to access the switch as follows:
- Log in to the switch if you have not already done so,
and enter configuration mode:% cli
— JUNOS 18.1-20171129.0 built 2017-11-29 04:12:22 UTCroot@switch> configure
Entering configuration mode
Change the password format to a FIPS-compliant hash algorithm:
- Configure the FIPS-compliant hash algorithm for plain-text
passwords by including the format statement at the [edit system login] hierarchy level and selecting sha256, or sha512: root@switch# set system login password format ( sha256 | sha512)
- Configure the FIPS-compliant hash algorithm for plain-text passwords by including the format statement at the [edit system login] hierarchy level and selecting sha256, or sha512:
- Configure the root password by including the root-authentication statement at the [edit system] hierarchy level and selecting
one of the password options.
To configure a plain-text password, select the plain-text-password option. Enter and confirm the password at the prompts.root@switch# set system root-authentication plain-text-passwordNew password: type password hereRetype new password: retype password here
Ensure that you follow the password guidelines in Understanding Password Specifications and Guidelines for Junos OS in FIPS Mode.
To configure public keys for SSH authentication of root logins, use the ssh-ecdsa option. You can configure more than one public key for SSH authentication of root logins and for user accounts. When a user logs in as root, the public keys are referenced to determine whether the private key matches any of them.
- If you are finished configuring the switch, commit the
configuration and exit:root@switch# commit
commit completeroot@switch# exitroot@switch> exit