Preventing Unauthorized Access to EX Series Switches Using Unattended Mode for U-Boot

Junos OS allows you to configure unattended mode for U-Boot to prevent unauthorized access to the switch during the boot process. When unattended mode is configured, a user can access the CLI during the boot process only by supplying the boot-loader password. This prevents unauthorized access during the boot process. Read this topic for more information.

Understanding Unattended Mode for U-Boot on EX Series Switches

Unattended mode for U-Boot can be configured to prevent unauthorized access to the switch that can occur during the boot process. After the CPU has been reset, there are several known methods of accessing the system before the JUNOS OS login prompt appears that do not require the user to enter authorization credentials. By gaining unauthorized access, the user can view, modify, or corrupt the switch configuration, or make the switch unavailable on the network.

When unattended mode is configured, the user can access the CLI during the boot process only by pressing <Ctrl+c> and entering the correct password, which is known as the boot-loader password. The boot-loader password must have been previously configured on the switch. Entering the correct boot-loader password will place the user in the U-Boot CLI. If the password is incorrect, or if no password is entered within one minute, access to the U-Boot CLI is blocked and the boot process continues automatically.

Access to the bootstrap loader command prompt (loader>) is blocked in unattended mode, which prevents the use of the following recovery mechanisms: root password recovery by using single-user mode, and booting the switch by using a software package stored on a USB flash drive.

Note:

If the root password is lost while the switch is in unattended mode, the switch must be reset to the factory default configuration using the LCD panel. For more information see Reverting to the Default Factory Configuration for the EX Series Switch.

If unattended mode is not configured, but a boot-loader password has been configured, the user must enter the correct password to access the U-Boot CLI. If a boot-loader password has not been configured, the user can access the U-Boot CLI without entering a password. In either case, the user can access the bootstrap loader command prompt, which enables root password recovery by using single-user mode as well as booting from a USB flash drive.

Unattended mode is not enabled by default. Once configured, it blocks the unauthorized boot-time access described above. Table 1 summarizes U-Boot behavior for each combination of unattended mode and boot-loader password settings.

Table 1: Unattended Mode Behavior

Each row gives the behavior for one combination of the Unattended Mode setting and the Boot-loader password setting.

Unattended Mode: On; Boot-loader password: Set

  • Access to U-Boot CLI is allowed only after entering correct password.
  • Access to loader command prompt is blocked.
  • Booting from USB is blocked.
  • Root password recovery by using single-user mode is blocked.

Unattended Mode: On; Boot-loader password: Not Set

  • Access to U-Boot CLI is blocked.
  • Access to loader command prompt is blocked.
  • Booting from USB is blocked.
  • Root password recovery by using single-user mode is blocked.

Unattended Mode: Off; Boot-loader password: Set

  • Access to U-Boot CLI is allowed only after entering correct password.
  • Access to loader command prompt is allowed.
  • Booting from USB is allowed.
  • Root password recovery by using single-user mode is allowed.

Unattended Mode: Off; Boot-loader password: Not Set

  • Access to U-Boot CLI is allowed.
  • Access to loader command prompt is allowed.
  • Booting from USB is allowed.
  • Root password recovery by using single-user mode is allowed.

Using Unattended Mode for U-Boot to Prevent Unauthorized Access

Unattended mode for U-Boot can be used to prevent unauthorized access to the switch that can occur during the boot process. When unattended mode is configured, the user can access the CLI during the boot process only by entering the correct password, which is known as the boot-loader password. The boot-loader password must have been previously configured on the switch.

When unattended mode is configured, access to the bootstrap loader command prompt (loader>) is blocked, which prevents the use of the following recovery mechanisms: root password recovery by using single-user mode, and booting the switch by using a software package stored on a USB flash drive.

Warning:

On EX2200 switches, if both the root and unattended mode password are lost while the switch is in unattended mode, there is no alternative recovery method available. The switch must be returned to Juniper Networks. For more information, see Returning an EX2200 Switch or Component for Repair or Replacement.

To use unattended mode, follow these procedures:

Configuring the Boot Loader Password

To configure the boot loader password, you can use either a plain-text password that the system encrypts for you, or a password that has already been encrypted. If you use a plain-text password, Junos OS displays the password as an encrypted string so that users viewing the configuration cannot see it. As you enter the password in plain text, Junos OS encrypts it immediately. You do not have to configure Junos OS to encrypt the password. Plain-text passwords are hidden and marked as ## SECRET-DATA in the configuration.

To configure the boot-loader password:

  1. Enter either a plain-text password or an encrypted password by using the set system boot-loader authentication command.
    • To enter a plain-text password, use the plain-text-password option, and re-enter the password when prompted:

    • To enter a password that is already encrypted, use the encrypted-password option:

  2. Commit the changes.
  3. To view the encrypted password entries, use the configuration mode show command. For example:

Configuring Unattended Mode for U-Boot

Before enabling unattended mode for U-Boot, you must download and install the jloader firmware package /volume/build/junos/13.2/service/13.2X51-D20.2/ship/jloader-ex-2200-13.2X51-D20.2-signed.tgz, as described in TSB16425.

Unattended mode for U-Boot is not enabled by default. Use the following procedure to configure unattended mode:

  1. Configure unattended mode.
  2. Commit the changes.
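The following audit script is an added example, not Juniper code or part of this topic. It takes the text of the [edit system boot-loader] hierarchy as displayed by Junos (either curly-brace form or "display set" form) and reports which boot-time access paths remain open, applying the four rows of Table 1 together with the root-password-loss caveats from the Note and Warning above. The sample configurations are constructed; the hash value is a placeholder, and the statement name "unattended-mode" used to detect the unattended mode setting is an assumption to confirm against the Junos release in use, since this topic does not show the exact statement.

```python
"""Audit the boot-loader stanza of a Junos configuration against Table 1.

Added example (not Juniper code). Works on the text of the
[edit system boot-loader] hierarchy in curly-brace or "display set" form.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample configurations. The hash is a placeholder, not a real
# secret. The statement name "unattended-mode" is an assumption; confirm the
# exact statement against the Junos release in use.
SAMPLE_HARDENED = """\
boot-loader {
    authentication {
        encrypted-password "$PLACEHOLDER-HASH$"; ## SECRET-DATA
    }
    unattended-mode;
}
"""

SAMPLE_PASSWORD_ONLY = """\
set system boot-loader authentication encrypted-password "$PLACEHOLDER-HASH$"
"""

SAMPLE_DEFAULT = "boot-loader {\n}\n"

ENCRYPTED_RE = re.compile(r'encrypted-password\s+"([^"]+)"')
PLAINTEXT_RE = re.compile(r"plain-text-password\b")
UNATTENDED_RE = re.compile(r"\bunattended-mode\b")  # assumed statement name


def table1_behavior(unattended: bool, password_set: bool) -> Dict[str, str]:
    """Return the outcome for each boot-time access path, per Table 1."""
    if unattended:
        u_boot = "password-required" if password_set else "blocked"
        recovery = "blocked"      # loader>, USB boot, single-user recovery
    else:
        u_boot = "password-required" if password_set else "open"
        recovery = "allowed"
    return {
        "u_boot_cli": u_boot,
        "loader_prompt": recovery,
        "usb_boot": recovery,
        "single_user_root_recovery": recovery,
    }


@dataclass
class BootLoaderPosture:
    password_set: bool
    unattended_mode: bool
    behavior: Dict[str, str]
    findings: List[str] = field(default_factory=list)


def audit_boot_loader(config_text: str, platform: str = "EX") -> BootLoaderPosture:
    """Parse the boot-loader stanza and list the access paths left open."""
    password_set = ENCRYPTED_RE.search(config_text) is not None
    unattended = UNATTENDED_RE.search(config_text) is not None
    behavior = table1_behavior(unattended, password_set)
    findings: List[str] = []

    if PLAINTEXT_RE.search(config_text):
        # Junos encrypts the password on entry and shows only the encrypted
        # form, so this token should never appear in committed configuration.
        findings.append("plain-text-password token present: input is not "
                        "committed configuration output")
    if not password_set:
        findings.append("no boot-loader password configured")
    if not unattended:
        findings.append("unattended mode off: loader> prompt, USB boot and "
                        "single-user root recovery reachable without credentials")
    if unattended and not password_set:
        findings.append("unattended mode without boot-loader password: U-Boot CLI "
                        "is unreachable even for administrators")
    if unattended:
        findings.append("root password loss requires factory reset via the LCD "
                        "panel; loader-based recovery is blocked")
        if platform.upper().startswith("EX2200"):
            findings.append("EX2200: losing both root and boot-loader passwords "
                            "leaves no recovery method")
    return BootLoaderPosture(password_set, unattended, behavior, findings)


if __name__ == "__main__":
    for name, text in (("hardened", SAMPLE_HARDENED),
                       ("password-only", SAMPLE_PASSWORD_ONLY),
                       ("default", SAMPLE_DEFAULT)):
        posture = audit_boot_loader(text, platform="EX2200")
        print(name, posture.behavior)
        for finding in posture.findings:
            print("  -", finding)
```

Feed it the output of the configuration mode show command for the boot-loader hierarchy; the findings list is what a configuration review would want to record before committing, in particular the EX2200 lockout condition, since unattended mode trades recoverability for boot-time protection.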

Accessing the U-Boot CLI

When unattended mode for U-Boot is configured and the boot-loader password has been set, you can access the U-Boot CLI during the boot process by pressing <Ctrl+c> and entering the password at the prompt:

The correct password must be entered within one minute after the prompt appears. If the password is not entered within one minute, or if the password is incorrect or has not been configured, access to the U-Boot CLI will be blocked, and the boot process will continue. For more information about unattended mode behavior, see Understanding Unattended Mode for U-Boot on EX Series Switches.