Setting and Erasing Passwords
You can set the following passwords:
- Enable passwords that control access to different groups of commands.
- A console password that controls access to the console.
- Passwords for individual vty lines or groups of vty lines.
Privilege Levels
Different groups of commands are associated with privilege levels (Table 45). You can set enable passwords to allow users to access commands at different privilege levels.
Table 45: Commands Available at Different Privilege Levels
| Privilege Level | Commands Available |
|---|---|
| 0 | help, exit, enable, and disable commands |
| 1 | User Exec commands plus commands at level 0 |
| 5 | Privileged Exec show commands plus commands at levels 0 and 1 |
| 10 | All commands except support commands |
| 15 | Support commands that Juniper Networks Technical Support may provide and all other commands |
To maximize security and usability, set different passwords for levels 1, 5, 10, and 15. By default, no enable passwords exist.
Accessing Privilege Levels
If users have access to the console, they automatically have access to privilege level 0. To access higher levels of privilege, they must enter the enable privilege-level command. When users specify a privilege level, the system determines whether there is a password at that level. If there is not, the system prompts the user for the password for the lower level closest to the requested level.
Setting Enable Passwords
To set up enable passwords, use the commands described in Setting Basic Password Parameters.
Erasing Enable Passwords
If you forget an enable password or secret, you can erase all enable passwords and secrets.
Two commands allow you to erase passwords and secrets: erase secrets and service unattended-password-recovery. It is important to fully understand the purpose of these commands and how they work with each other.
The erase secrets command can be used to delete all existing passwords. To use this command, you must be physically present at the router to complete the operation. After the command has been executed, you have a finite number of seconds to press the software reset button on the SRP module. You can execute this command from the console or any vty.
The service unattended-password-recovery command provides you with a way to delete existing passwords and secrets without physically being present at the router. You must have the proper privilege level to execute the command, and you can execute it from either the console or any vty.
When you execute service unattended-password-recovery, you change the behavior of erase secrets. You can then delete passwords and secrets from the console by executing erase secrets without a time restriction and without having to be physically present at the router. When you use the no version of service unattended-password-recovery, you revert the functionality of erase secrets to the factory default setting.
To erase all enable passwords or secrets:
- Log in to the router.
- Erase the existing enable password or secret, specifying the number of seconds to allow for the erase operation.
  host1>erase secrets 60
- Within the time limit that you specified for the erase secrets command, press the recessed software reset button on the primary SRP module (see Figure 25).
Figure 25: Location of the Software Reset Button
Note: If you do not press the software reset button within the time limit, the system will not erase the password, and you will need to repeat the process.
erase secrets
- Use to delete all CLI passwords and secrets.
- After you issue this command, press the software reset button (see Figure 25) within the time you specify for this command.
- Allows you to set the number of seconds (1–60) for this procedure to be accomplished.
- Allows you to set a new password when you have forgotten your password.
- Can be used with the service unattended-password-recovery command.
- Example
  host1>erase secrets 60
- There is no no version.
- See erase secrets.
service unattended-password-recovery
- Use to allow you to delete all passwords and secrets from the console without being physically present at the router.
- When executed, this command changes the behavior of the erase secrets command, which will not take any parameters and will not be available through a vty session.
- Example
  host1(config)#service unattended-password-recovery
- Use the no version to revert erase secrets to factory default settings.
- See service unattended-password-recovery.
Setting a Console Password
By default, there is no console password. To set a console password:
- Make sure that you know the enable password for the system.
  If you need to reset the enable password, see Privilege Levels.
- Access Privileged Exec mode, and enter the enable password if prompted.
- Access Global Configuration mode.
- Access Line Configuration mode.
  host1(config)#line console 0
- Enable password checking at login.
  host1(config-line)#login
- Specify a password.
  host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y
line
- Use to specify the vty lines or the console.
- Example
  host1(config)#line vty 1 4
- Use the no version to remove a vty line or a range of lines from your configuration; users will not be able to run Telnet, SSH, or FTP to lines that you remove. When you remove a vty line, the system removes all lines above that line. For example, no line vty 6 causes the system to remove lines 6 through 29. You cannot remove lines 0 through 4.
- See line.
login
- Use to enable password checking at login.
- The default setting is to enable a password.
- Example
  host1(config)#line vty 1 4
  host1(config-line)#login
- Use the no version to disable password checking and allow access without a password.
- See login.
password
- Use to specify a password on the console, a line, or a range of lines.
- If you enable password checking, but do not configure a password, the system will not allow you to access virtual terminals.
- Use the following keywords to specify the type of password you will enter:
  - 0 (zero)—Unencrypted password
  - 5—Secret
  - 7—Encrypted password
- Note: To use an encrypted password or a secret, you must follow the procedure in Setting Basic Password Parameters to obtain the encrypted password or secret. You cannot create your own encrypted password or secret; you must use a system-generated password or secret.
- Example 1 (unencrypted password)
  host1(config-line)#password 0 mypassword
- Example 2 (secret)
  host1(config-line)#password 5 bcA";+1aeJD8)/[1ZDP6
- Example 3 (encrypted password)
  host1(config-line)#password 7 dq]XG`,%N"SS7d}o)_?Y
- Use the no version to remove the password. By default, no password is specified.
- See password.
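As an added example (not part of the original documentation), a small Python audit that walks the line stanzas of a saved configuration and applies the rules above: login with no password configured locks the line out, and a type 0 password is stored unencrypted. The configuration text and the type 7 value are constructed placeholders, not output from a real router.

```python
import re

# Constructed JunosE-style line configuration (not from a real device);
# the type 7 value is a placeholder shaped like the page's examples.
SAMPLE_CONFIG = """\
line console 0
 login
line vty 0 4
 login
 password 0 mypassword
line vty 5 9
 login
 password 7 PLACEHOLDER_ENCRYPTED
line vty 10 14
 login
"""

PASSWORD_TYPES = {"0": "unencrypted", "5": "secret", "7": "encrypted"}

def audit_lines(config):
    """Return one finding per line stanza: which line it is, whether login
    (password checking) is enabled, which password type is set, and a risk
    verdict derived from the rules the page states."""
    findings = []
    current = None
    for raw in config.splitlines():
        text = raw.strip()
        m = re.match(r"^line\s+(console\s+\d+|vty\s+\d+(?:\s+\d+)?)$", text)
        if m:
            current = {"line": m.group(1), "login": False, "ptype": None}
            findings.append(current)
        elif current is None:
            continue  # not inside a line stanza yet
        elif text == "login":
            current["login"] = True
        else:
            pm = re.match(r"^password\s+([057])\s+\S+$", text)
            if pm:
                current["ptype"] = PASSWORD_TYPES[pm.group(1)]
    for f in findings:
        if f["login"] and f["ptype"] is None:
            f["risk"] = "lockout: login enabled but no password configured"
        elif f["ptype"] == "unencrypted":
            f["risk"] = "disclosure: password stored as type 0 (unencrypted)"
        else:
            f["risk"] = "ok"
    return findings
```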
Erasing the Console Password
If you forget the console password, you can erase the existing value and configure a new one. This action deletes all authentication for the console line. To erase existing passwords:
- Reboot the router by pressing the recessed software reset button on the primary SRP module (Figure 25) and then pressing the mb key sequence during the countdown.
- Disable authentication at the console level.
  :boot##disable console authentication
  If you remember the password at this point, you can override this action by entering:
  :boot##no disable console authentication
- Reload the operating system.
  :boot##reload
When the operating system reloads, you can access the console without a password.
Note: You can log in to the console without a password until you set a new password.
Monitoring Passwords
You can use the show secrets command to view all current passwords and secrets.
show secrets
- Use to display all passwords and secrets.
- Passwords and secrets appear in their encrypted form.
- In the mode column, inherited indicates whether a secret was inherited from a lower password level. The show secrets command displays only secrets configured by the user; it does not display inherited secrets.
- Example
  host1#show secrets
  Current Password Settings
  -------------------------
                 encryption   encrypted
  level          type         password/secret      mode
  -----          ------------ -------------------- ----------
  0
  1
  2
  3
  4
  5              7 (password) zRFj_6>^]1OkZR@e!|S$ configured
  6              7 (password) zRFj_6>^]1OkZR@e!|S$ inherited
  7              7 (password) zRFj_6>^]1OkZR@e!|S$ inherited
  8              7 (password) zRFj_6>^]1OkZR@e!|S$ inherited
  9              7 (password) zRFj_6>^]1OkZR@e!|S$ inherited
  10             7 (password) zRFj_6>^]1OkZR@e!|S$ inherited
  11             7 (password) zRFj_6>^]1OkZR@e!|S$ inherited
  12             7 (password) zRFj_6>^]1OkZR@e!|S$ inherited
  13             7 (password) zRFj_6>^]1OkZR@e!|S$ inherited
  14             7 (password) zRFj_6>^]1OkZR@e!|S$ inherited
- See show secrets.
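Added example, not from the original documentation: a Python parser for the show secrets layout above that reports which of the levels recommended under Privilege Levels (1, 5, 10, and 15) have no password of their own, either because nothing is set there or because the level only inherits a lower level's password. The output sample is constructed and abbreviated, with placeholder values in the password column.

```python
import re

# Constructed, abbreviated show secrets output in the layout the page documents
# (levels 2-4, 7-9 and 11-14 omitted); password values are placeholders.
SAMPLE_SHOW_SECRETS = """\
host1#show secrets
Current Password Settings
-------------------------
          encryption   encrypted
level     type         password/secret      mode
-----     ------------ -------------------- ----------
0
1
5         7 (password) PLACEHOLDER_ENC_A    configured
6         7 (password) PLACEHOLDER_ENC_A    inherited
10        7 (password) PLACEHOLDER_ENC_A    inherited
15        5 (secret)   PLACEHOLDER_SECRET_B configured
"""

# A row is either a bare level (nothing set) or level, type, kind, value, mode.
ROW_RE = re.compile(r"^(\d+)(?:\s+(\d)\s+\((password|secret)\)\s+(\S+)\s+(configured|inherited))?$")
RECOMMENDED_LEVELS = (1, 5, 10, 15)  # the page advises distinct passwords here

def parse_show_secrets(output):
    """Map each listed level to its entry dict, or None when nothing is set."""
    levels = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # prompt, banner, column headers and separator lines
        level = int(m.group(1))
        if m.group(2) is None:
            levels[level] = None
        else:
            levels[level] = {"type": m.group(2), "kind": m.group(3),
                             "value": m.group(4), "mode": m.group(5)}
    return levels

def audit_levels(levels):
    """List recommended levels that do not carry a password of their own."""
    issues = []
    for lvl in RECOMMENDED_LEVELS:
        entry = levels.get(lvl)  # None for a bare row and for a missing row
        if entry is None:
            issues.append(f"level {lvl}: no enable password or secret set")
        elif entry["mode"] == "inherited":
            issues.append(f"level {lvl}: inherits the lower level's password")
    return issues
```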