
Junos OS Login Settings


Junos OS allows you to specify various settings that apply to users after they have logged in. You can define an announcement that users see after logging in, display system alarms automatically, provide login tips, specify time-based user access, and limit the number of login attempts. Read this topic for more information.

Configuring Junos OS to Display a System Login Announcement

Sometimes you want to make announcements only to authorized users after they have logged in. For example, you might want to announce an upcoming maintenance event.

You can format the announcement using the following special characters:

  • \n—New line

  • \t—Horizontal tab

  • \'—Single quotation mark

  • \"—Double quotation mark

  • \\—Backslash

If the message text contains any spaces, enclose it in quotation marks.

By default, no login announcement is displayed.

To configure an announcement that can be seen only by authorized users:

  1. Include the announcement statement in the [edit system login] configuration.

    For example:

  2. Commit the configuration.
  3. Connect to the device in a new session to verify the presence of the new banner.

    The preceding login message configuration example produces a login message similar to the following:

If the announcement text contains any spaces, enclose the text in quotation marks.

A system login announcement appears after the user logs in. A system login message appears before the user logs in.

Tip

You can use the same special characters described to format your system login announcement.

Configuring System Alarms to Appear Automatically Upon Login

You can configure Juniper Networks routers and switches to run the show system alarms command whenever a user with the login class admin logs in to the router or switch. To do so, include the login-alarms statement at the [edit system login class admin] hierarchy level.

For more information on the show system alarms command, see the CLI Explorer.

Configuring Login Tips

The Junos OS CLI provides the option of configuring login tips for the user. By default, the tip command is not enabled when a user logs in.

  • To enable tips, include the login-tip statement at the [edit system login class class-name] hierarchy level:

Adding this statement enables the tip command for the class specified, provided the user logs in using the CLI.

Examples: Configuring Time-Based User Access

The following example shows how to configure user access for the operator-round-the-clock-access login class from Monday through Friday without any restriction on access time or duration of login:

The following example shows how to configure user access for the operator-day-shift login class on Monday, Wednesday, and Friday from 8:30 AM to 4:30 PM:

Alternatively, you can also specify the login start time and end time for the operator-day-shift login class to be from 8:30 AM to 4:30 PM in the following format:

The following example shows how to configure user access for the operator-day-shift-all-days-of-the-week login class to be on all days of the week from 8:30 AM to 4:30 PM:

Configuring the Timeout Value for Idle Login Sessions

An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the router or switch, even if that session is idle. To close idle sessions automatically, you must configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes. The idle-timeout statement can be configured only for user-defined classes; it has no effect on the predefined classes operator, read-only, and super-user, whose values and permissions are not editable.

To define the timeout value for idle login sessions, include the idle-timeout statement at the [edit system login class class-name] hierarchy level:

Specify the number of minutes that a session can be idle before it is automatically closed.

If you have configured a timeout value, the CLI displays messages similar to the following when timing out an idle user. It starts displaying these messages 5 minutes before timing out the user.

If you configure a timeout value, the session closes after the specified time has elapsed, unless the user is running telnet or monitoring interfaces using the monitor interface or monitor traffic command.

Login Retry Options

The security administrator can configure the number of times a user can try to log in to the device with invalid login credentials. The device can be locked after the specified number of unsuccessful authentication attempts. This helps to protect the device from malicious users attempting to access the system by guessing an account’s password. The security administrator can unlock the user account or define a time period for the user account to remain locked.

The system lockout-period defines the amount of time the device can be locked for a user account after a specified number of unsuccessful login attempts.

The security administrator can configure a period of time after which an inactive session will be locked and require re-authentication to be unlocked. This helps to protect the device from being idle for a long period before the session times out.

The system idle-timeout defines the length of time the CLI operational mode prompt remains active before the session times out.

The security administrator can configure a banner with an advisory notice to be displayed before the identification and authentication screen.

The system message defines the system login message. This message appears before a user logs in.

The number of reattempts the device allows is defined by the tries-before-disconnect option. The device allows 3 unsuccessful attempts by default, or as configured by the administrator. The device prevents locked users from performing activities that require authentication until a security administrator manually clears the lock or the defined time period for the account to remain locked has elapsed. However, existing locks are ignored when the user attempts to log in from the local console.

Note

To clear the console during an administrator-initiated logout, the administrator must configure set system login message “message string” so that the message-string contains newline (\n) characters followed by the login banner message at the end of the \n characters.

To ensure that configuration information is cleared completely, the administrator can enter 50 or more \n characters in the message-string of the command set system login message “message string”.

For example, set system login message "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n Welcome to Junos!!!"

Limiting the Number of User Login Attempts for SSH and Telnet Sessions

You can limit the number of times a user can attempt to enter a password while logging in through SSH or Telnet. The connection is terminated if a user fails to log in after the number of attempts specified. You can also specify a delay, in seconds, before a user can try to enter a password after a failed attempt. In addition, you can specify the threshold for the number of failed attempts before the user experiences a delay in being able to enter a password again.

To specify the number of times a user can attempt to enter a password while logging in, include the retry-options statement at the [edit system login] hierarchy level:

You can configure the following options:

  • tries-before-disconnect—Number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and the default is 10.

  • backoff-threshold—Threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is from 1 through 3, and the default is 2.

  • backoff-factor—Length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default is 5 seconds.

  • maximum-time seconds—Maximum length of time, in seconds, that the connection remains open for the user to enter a username and password to log in. If the user remains idle and does not enter a username and password within the configured maximum-time, the connection is closed. The range is from 20 through 300 seconds, and the default is 120 seconds.

  • minimum-time—Minimum length of time, in seconds, that a connection remains open while a user is attempting to enter a correct password. The range is from 20 through 60, and the default is 40.

The following example shows how to limit the user to four attempts when the user enters a password while logging in through SSH or Telnet:

Limiting the number of SSH and Telnet login attempts per user is one of the most effective methods of stopping brute force attacks from compromising your network security. Brute force attackers execute a large number of login attempts in a short period of time to illegitimately gain access to a private network. By configuring the retry-options command, you can create an increasing delay after each failed login attempt, eventually disconnecting any user who passes your set threshold of login attempts.

Set the backoff-threshold to 2, the backoff-factor to 5 seconds, and the minimum-time to 40 seconds. The user experiences a delay of 5 seconds after the second attempt to enter a correct password fails. After each subsequent failed attempt, the delay increases by 5 seconds. After the fourth and final failed attempt to enter a correct password, the user experiences an additional 10-second delay, and the connection closes after a total of 40 seconds.

The additional variables maximum-time and lockout-period are not set in this example.

Note

This sample only shows the portion of the [edit system login] hierarchy level being modified.

Example: Configuring Login Retry Options

This example shows how to configure system retry options to protect the device from malicious users.

Requirements

Before you begin, you should understand Login Retry Options.

No special configuration beyond device initialization is required before configuring this feature.

Overview

Malicious users sometimes try to log in to a secure device by guessing an authorized user account’s password. Locking out a user account after a number of failed authentication attempts helps protect the device from malicious users.

Device lockout allows you to configure the number of failed attempts before the user account is locked out of the device and configure the amount of time before the user can attempt to log in to the device again. You can configure the amount of time in-between failed login attempts of a user account and can manually lock and unlock user accounts.

Note

This example includes the following settings:

  • backoff-factor — Sets the length of delay in seconds after each failed login attempt. When a user incorrectly logs in to the device, the user must wait the configured amount of time before attempting to log in to the device again. The length of delay increases by this value for each subsequent login attempt after the value specified in the backoff-threshold statement. The default value for this statement is five seconds, with a range of five to ten seconds.

  • backoff-threshold — Sets the threshold for the number of failed login attempts on the device before the user experiences a delay when attempting to reenter a password. When a user incorrectly logs in to the device and hits the threshold of failed login attempts, the user experiences a delay that is set in the backoff-factor statement before attempting to log in to the device again. The default value for this statement is two, with a range of one through three.

  • lockout-period — Sets the amount of time in minutes before the user can attempt to log in to the device after being locked out due to the number of failed login attempts specified in the tries-before-disconnect statement. When a user fails to log in correctly after the number of allowed attempts specified by the tries-before-disconnect statement, the user must wait the configured number of minutes before attempting to log in to the device again. The lockout-period must be greater than zero. The range at which you can configure the lockout-period is one through 43,200 minutes.

  • tries-before-disconnect — Sets the maximum number of times the user is allowed to enter a password to attempt to log in to the device through SSH or Telnet. When the user reaches the maximum number of failed login attempts, the user is locked out of the device. The user must wait the configured amount of minutes in the lockout-period statement before attempting to log back in to the device. The tries-before-disconnect statement must be set when the lockout-period statement is set; otherwise, the lockout-period statement is meaningless. The default number of attempts is ten, with a range of one through ten attempts.

Once a user is locked out of the device, if you are the security administrator, you can manually remove the user from this state using the clear system login lockout <username> command. You can also use the show system login lockout command to view which users are currently locked out, when the lockout period began for each user, and when the lockout period ends for each user.

If the security administrator is locked out of the device, the administrator can log in to the device from the console port, which ignores any user locks. This provides a way for the administrator to remove the lock on their own user account.

In this example, the user waits for the backoff-threshold multiplied by the backoff-factor, in seconds, to get the login prompt. The user must wait 5 seconds after the first failed login attempt and 10 seconds after the second failed login attempt to get the login prompt. The user is disconnected after a 15-second delay following the third failed attempt because the tries-before-disconnect option is configured as 3.

The user cannot attempt another login until 120 minutes have elapsed, unless a security administrator manually clears the lock sooner.
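The following is an added illustration, not Junos code: a small model of the retry-options behaviour described in "Limiting the Number of User Login Attempts for SSH and Telnet Sessions" and in the overview above (backoff delay after the threshold, disconnect at tries-before-disconnect, account lock for lockout-period minutes, console logins ignoring locks, and manual clearing). The delay formula backoff-factor × (failures − backoff-threshold + 1) is an assumption chosen because it reproduces both worked sequences on this page; the per-user failure counter is a simplification of the per-session counter.

```python
# Added model (not Junos code) of the retry-options backoff and lockout behaviour.
# Assumption: delay = backoff_factor * (failures - backoff_threshold + 1) seconds.
from dataclasses import dataclass, field


@dataclass
class RetryOptions:
    tries_before_disconnect: int = 10  # page: range 1-10, default 10
    backoff_threshold: int = 2         # page: range 1-3, default 2
    backoff_factor: int = 5            # seconds; page: range 5-10, default 5
    lockout_period: int = 0            # minutes; 0 means no lockout (assumed)


def delay_before_next_prompt(opts: RetryOptions, failures: int) -> int:
    """Seconds the user waits after `failures` failed attempts before the next prompt."""
    if failures < opts.backoff_threshold:
        return 0
    return opts.backoff_factor * (failures - opts.backoff_threshold + 1)


@dataclass
class LockoutTracker:
    """Per-account failure counter and lock state (simplified: one session per user)."""
    opts: RetryOptions
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)  # user -> epoch seconds

    def is_locked(self, user: str, now: float, console: bool = False) -> bool:
        # The page notes that logins from the local console ignore existing locks.
        if console:
            return False
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user: str, now: float) -> tuple:
        """Return (delay_seconds, disconnected) after one more failed password."""
        if self.is_locked(user, now):
            return 0, True
        n = self.failures.get(user, 0) + 1
        if n >= self.opts.tries_before_disconnect:
            self.failures[user] = 0  # connection closes; session counter resets
            if self.opts.lockout_period > 0:
                self.locked_until[user] = now + self.opts.lockout_period * 60
            return 0, True
        self.failures[user] = n
        return delay_before_next_prompt(self.opts, n), False

    def clear_lockout(self, user: str) -> None:
        """Counterpart of 'clear system login lockout <username>' on this page."""
        self.locked_until.pop(user, None)
```

With tries-before-disconnect 4 and the page's threshold 2 / factor 5 the delays after each failure are 0, 0, 5, 10 seconds; with threshold 1, factor 5 and tries-before-disconnect 3 they are 5, 10, 15 seconds, matching the overview above.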

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure system retry-options:

  1. Configure the backoff factor.
  2. Configure the backoff threshold.
  3. Configure the amount of time the device gets locked after failed attempts.
  4. Configure the number of unsuccessful attempts during which the device can remain unlocked.

Results

From configuration mode, confirm your configuration by entering the show system login retry-options command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Confirm that the configuration is working properly.

If you are done configuring the device, enter commit from configuration mode.

Verification

Displaying the Locked User Logins

Purpose

Verify that the login lockout configuration is enabled.

Action

Attempt three unsuccessful logins for a particular username. The device will be locked for that username; then log in to the device with a different username. From operational mode, enter the show system login lockout command.

Meaning

When you perform three unsuccessful login attempts with a particular username, the device is locked for that user for five minutes, as configured in the example. You can verify that the device is locked for that user by logging in to the device with a different username and entering the show system login lockout command.