When the router, switch, or security device is powered on for the first time, it is ready to be configured. Initially, you log in as the user root with no password. Later, you must configure a plain-text password for the root-level user (whose username is root). Configuring a plain-text password is one way to protect the root level from access by unauthorized users. If you forget the root password for the router, you can use the password recovery procedure to reset the root password. Read this topic for more information.
Configuring the Root Password
The Junos OS is preinstalled on the router or switch. When the router or switch is powered on, it is ready to be configured. Initially, you log in as the user root with no password. The root directory of a UNIX device is the entry point to all other folders and files on that device. As a result, access to the root directory is restricted by default to a predefined user account known as the root user. The root user (also referred to as superuser) has unrestricted access and full permissions within the system. The expression “log in as root” is commonly used when an action requires the user to log into the device as the root user.
If you configure a blank password using the encrypted-password statement at the [edit system root-authentication] hierarchy level for root authentication, you can commit the configuration, but you cannot log in as the root user and gain root-level access to the router or switch.
After you log in, you should configure the root (superuser) password by including the root-authentication statement at the [edit system] hierarchy level and configuring one of the password options:
If you configure the plain-text-password option, you are prompted to enter and confirm the password:
The default requirements for plain-text passwords are:
The password must be between 6 and 128 characters long.
You can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.
Valid passwords must contain at least one uppercase letter or one lowercase letter, or one character class.
You can use the load-key-file URL filename statement to load an SSH key file that was previously generated using ssh-keygen. The URL filename is the path to the file’s location and name. When using this option, the contents of the key file are copied into the configuration immediately after entering the load-key-file URL statement. This command loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys.
Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated, rather than immediately removed, to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.
Optionally, you can use the ssh-dsa, ssh-ecdsa, or ssh-rsa statements to directly configure SSH RSA, DSA, or ECDSA keys to authenticate root logins. You can configure more than one public key for SSH authentication of root logins as well as for user accounts. When a user logs in as root, the public keys are referenced to determine whether the private key matches any of them.
From configuration mode, you can confirm your SSH key entries by entering the show command. It should look something like this:
Junos-FIPS software has special password requirements. FIPS passwords must be between 10 and 20 characters in length. Passwords must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters). If Junos-FIPS is installed on the router or switch, you cannot configure passwords unless they meet this standard.
If you use the encrypted-password option, a null (empty) password is not permitted. You must configure a password that is from 1 through 128 characters long and enclose the password in quotation marks.
Example: Configuring a Plain-Text Password for Root Logins
This example shows how to configure a plain-text password for the root-level user (whose username is root). Configuring a plain-text password is one way to protect the root level from access by unauthorized users. You must prevent unauthorized users from gaining access to superuser commands that can be used to alter your system configuration.
No special configuration beyond device initialization is required before configuring this example.
Make sure that you understand the requirements for a valid plain-text password. For Junos OS, the default requirements for a plain-text password are as follows:
Must be from 6 up to 128 characters long.
Can include most character classes (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.
Must contain at least one change of case or character class.
Junos OS is preinstalled on the router. When the router is powered on, it is ready to be configured. Initially, you log in as the root-level user with no password. To set the root password, you have several options. This example shows how to enter a plain-text password that Junos OS then encrypts for you.
CLI Quick Configuration
To quickly configure this example, copy the following command and paste it into the window. When prompted, type the new password, and then when prompted, retype it.
Configuring a Plain-Text Password for User Root
To configure a plain-text password for the root-level user:
- Type the set command for the plain-text password and press Enter.
    user@host# set system root-authentication plain-text-password
    New password:
- Type the new password next to the New password prompt and press Enter.
    New password: new-password
    Retype new password:
- Retype the same password next to the Retype new password prompt and press Enter.
From configuration mode, confirm your configuration by using the show command. It should look something like this:
If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
After you have confirmed that the configuration is correct, enter commit from configuration mode.
Verifying the Configuration of a Plain-Text Password for User Root
Verify the configuration of a plain-text password for the root-level user.
From operational mode, confirm your configuration by entering the show configuration system command.
If you use a clear-text password, Junos OS displays the password as an encrypted string so that users viewing the configuration cannot see the unencrypted password. That is, as you enter the password in plain text, Junos OS encrypts it immediately. You do not have to configure Junos OS to encrypt the password as in some other systems. Plain-text passwords are hidden and marked as ## SECRET-DATA in the configuration.
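The verification above can also be run against saved configurations. The following Python check is an added example, not part of the original Juniper topic: it assumes the configuration was captured in set format (for example with show configuration system | display set), and the sample lines, hash, and key bodies are constructed placeholders.

```python
import re

# Constructed samples in set format; the hash and key bodies are placeholders,
# not real credentials.
SAMPLE_OK = '''\
set system host-name lab-router
set system root-authentication encrypted-password "$6$PLACEHOLDER$PLACEHOLDERHASH"
set system root-authentication ssh-rsa "ssh-rsa AAAAPLACEHOLDER admin@example"
set system root-authentication ssh-dsa "ssh-dss AAAAPLACEHOLDER legacy@example"
'''
SAMPLE_BLANK = 'set system root-authentication encrypted-password ""\n'
SAMPLE_NONE = 'set system host-name lab-router\n'

# Matches one root-authentication statement: the option name, then its value.
STMT = re.compile(r'^set system root-authentication (\S+)\s*(.*)$')

def audit_root_auth(config_text):
    """Return (findings, counts) for the root-authentication statements."""
    counts, findings = {}, []
    for line in config_text.splitlines():
        m = STMT.match(line.strip())
        if not m:
            continue
        option, value = m.group(1), m.group(2).strip().strip('"')
        counts[option] = counts.get(option, 0) + 1
        if option == "encrypted-password" and not value:
            # A blank encrypted password commits but locks root out.
            findings.append("blank encrypted-password: root cannot log in")
        if option == "ssh-dsa":
            findings.append("ssh-dsa key: ssh-dss/ssh-dsa deprecated since 18.3R1")
    if not counts:
        # Matches the factory state: root logs in with no password.
        findings.append("no root-authentication: root has no password")
    return findings, counts

if __name__ == "__main__":
    for name, text in [("ok", SAMPLE_OK), ("blank", SAMPLE_BLANK), ("none", SAMPLE_NONE)]:
        findings, counts = audit_root_auth(text)
        print(name, counts, findings)
```
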
Example: Configuring SSH Authentication for Root Logins
The following example shows how to configure two public DSA keys for SSH authentication of root logins: