Protecting Network Security by Configuring the Root Password
Configuring the root password on your Junos OS-enabled router helps prevent unauthorized users from making changes to your network. The root user (also referred to as superuser) has unrestricted access and full permissions within the system, so it is crucial to protect this account by setting a strong password when setting up a new router.
After a new router is initially powered on, you log in as the user root with no password. Junos OS requires configuration of the root password before it accepts a commit operation.
To set the root password, you have a few options, as shown in the following procedure:
- Enter a plain-text password that Junos OS encrypts.
- Enter a password that is already encrypted.
- Enter a secure shell (ssh) public key string.
Of these three, the most secure options are an already encrypted password or an ssh public key string. Pre-encrypting your password or using an ssh public key string means the plain-text version of your password is never transferred over the internet, so it cannot be intercepted by a man-in-the-middle attack.
Optionally, instead of configuring the root password at the [edit system] hierarchy level, you can use a configuration group to strengthen security.
To set the root password:
- Use one of these methods to configure the root password:
To enter a plain-text password that the system encrypts for you:
[edit groups global system]
root@# set root-authentication plain-text-password
New Password: type password here
Retype new password: retype password here
As you enter a plain-text password into the CLI, Junos OS hides it from view and encrypts it immediately. You do not have to configure Junos OS to encrypt the password, as you do in some other systems. In the resulting configuration, the encrypted password is marked as ## SECRET-DATA so that it cannot be seen.
To enter a password that is already encrypted:
Do not use the encrypted-password option unless the password is already encrypted, and you are entering the encrypted version of the password.
If you accidentally configure the encrypted-password option with a plain-text password or with blank quotation marks (" "), you will not be able to log in to the device as root, and you will need to complete the root password recovery process.
[edit groups global system]
root@# set root-authentication encrypted-password password
To enter an ssh public key string:
[edit groups global system]
root@# set root-authentication (ssh-dsa | ssh-ecdsa | ssh-rsa key)
- If you used a configuration group, apply it with the command set apply-groups, replacing <group name> with the configuration group name.
For example:
root@# set apply-groups <group name>
- Commit the changes.
root@# commit
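The following audit script is an added example, not Juniper's code: it reads a Junos configuration in "display set" form and flags the pitfalls this procedure describes (a blank or plain-text encrypted-password, a configuration group that sets root-authentication but is never applied, and no root authentication at all). It assumes stored hashes use the crypt prefixes $1$, $5$ or $6$; the sample configuration lines and the hash value are constructed.

```python
import re

# Added example, not Juniper's code: audit a Junos configuration in "display set"
# form for the root-password pitfalls described above. Assumption: stored hashes
# use the crypt prefixes $1$, $5$ or $6$ (MD5, SHA-256, SHA-512).
HASH_RE = re.compile(r"^\$[156]\$(?:[^$]+\$)+[./A-Za-z0-9]{20,}$")
LINE_RE = re.compile(
    r"^set (?:groups (?P<group>\S+) )?system root-authentication "
    r"(?P<option>encrypted-password|ssh-rsa|ssh-dsa|ssh-ecdsa)"
    r'(?: (?P<value>"[^"]*"|\S+))?$'
)
APPLY_RE = re.compile(r"^set apply-groups (?P<group>\S+)$")


def audit_root_authentication(config_text):
    """Return (severity, message) findings for the root-authentication stanza."""
    entries, applied = [], set()
    for raw in config_text.splitlines():
        line = raw.split("##")[0].strip()  # drop the "## SECRET-DATA" annotation
        if m := APPLY_RE.match(line):
            applied.add(m.group("group"))
        elif m := LINE_RE.match(line):
            value = (m.group("value") or "").strip('"')
            entries.append((m.group("group"), m.group("option"), value))
    findings = []
    for group, _, _ in entries:
        if group and group not in applied:
            findings.append(("warn", f"group '{group}' sets root-authentication but is never applied"))
    effective = [e for e in entries if e[0] is None or e[0] in applied]
    if not effective:
        findings.append(("error", "no root authentication in effect; commit will be rejected"))
    for _, option, value in effective:
        if option == "encrypted-password" and value == "":
            findings.append(("error", "blank encrypted-password: root cannot log in, recovery required"))
        elif option == "encrypted-password" and not HASH_RE.match(value):
            findings.append(("error", "encrypted-password is not a crypt hash; plain text was probably entered"))
        elif option != "encrypted-password" and not value.startswith(("ssh-", "ecdsa-")):
            findings.append(("error", f"{option} value is not an SSH public key string"))
    return findings


# Constructed sample hash with the shape of a SHA-512 crypt string (not a real hash).
GOOD_HASH = "$6$saltsalt$" + "A1b2" * 22
SAFE = f'set groups global system root-authentication encrypted-password "{GOOD_HASH}" ## SECRET-DATA\nset apply-groups global\n'
LOCKOUT = 'set system root-authentication encrypted-password ""\n'
PLAINTEXT = 'set system root-authentication encrypted-password "my-plain-text-pw"\n'

if __name__ == "__main__":
    for name, cfg in [("safe", SAFE), ("lockout", LOCKOUT), ("plaintext", PLAINTEXT)]:
        print(name, audit_root_authentication(cfg))
```

Run it against the output of "show configuration | display set" before committing; an empty findings list means the root-authentication stanza is in effect and well-formed.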