Technical Documentation

Configuring the Root Password

The JUNOS Software is preinstalled on the router or switch. When the router or switch is powered on, it is ready to be configured. Initially, you log in as the user “root” with no password.

Note: If you configure a blank password using the encrypted-password statement at the [edit system root-authentication] hierarchy level for root authentication, you can commit a configuration, but you are not able to log in as superuser and gain root level access to the router or switch.

After you log in, you should configure the root (superuser) password by including the root-authentication statement at the [edit system] hierarchy level:

[edit system]
root-authentication {
    (encrypted-password "password" | plain-text-password);
    ssh-dsa "public-key";
    ssh-rsa "public-key";
}

If you configure the plain-text-password option, you are prompted to enter and confirm the password:

[edit system]
user@host# set root-authentication plain-text-password
New password: type password here
Retype new password: retype password here

To load an SSH key file, enter the load-key-file command. This command loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys.

You can also configure SSH RSA keys and SSH DSA keys to authenticate root logins. You can configure more than one public RSA or DSA key for SSH authentication of root logins as well as for user accounts. When a user logs in as root, the public keys are referenced to determine whether the private key matches any of them.

If you load the SSH keys file, the contents of the file are copied into the configuration immediately after you enter the load-key-file statement. To view the SSH keys entries, use the configuration mode show command. For example:

[edit system]
user@host# set root-authentication load-key-file my-host:.ssh/identity.pub
.file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
[edit system]
user@host# show
root-authentication {
    ssh-rsa "1024 35 9727638204084251055468226757249864241630322
20740496252839038203869014158453496417001961060835872296
15634757491827360336127644187426594689320773910834481012
68312595772262546166799927831612350043866091586628382248
97467326056611921489539813965561563786211940327687806538
16960202749164163735913269396344008443 boojum@juniper.net"; # SECRET-DATA
}

JUNOS-FIPS software has special password requirements. FIPS passwords must be between 10 and 20 characters in length. Passwords must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters). If JUNOS-FIPS is installed on the router or switch, you cannot configure passwords unless they meet this standard. If you use the encrypted-password option, then a null-password (empty) is not permitted.

You cannot configure a blank password for encrypted-password using blank quotation marks (" "). You must configure a password that is from 1 through 128 characters long and enclose it in quotation marks.


Published: 2010-04-26