A root account is always present in a Junos OS
configuration and is not intended for use in normal operation. In
the evaluated configuration, the root
account is restricted
to the initial installation and configuration of the evaluated device.
An NDcPP Version 2.2e authorized administrator must have all permissions, including the ability
to change the router configuration.
To configure an authorized administrator:
- Create a login class named security-admin with all permissions.
[edit]
security-administrator@host:fips# set system login class security-admin permissions all
- Configure the hashing algorithm used for password storage as sha512.
[edit]
security-administrator@host:fips# set system login password format sha512
Note:
On EX4100 Series devices the default password storage format is already sha512,
so configuring it explicitly is not required; the statement is shown so that the
format is visible in the committed configuration.
- Commit the changes.
[edit]
security-administrator@host:fips# commit
- Define the NDcPPv2.2e authorized administrator user with the login class defined in step
1. Either supply a hash you computed beforehand with encrypted-password, or let the device
hash a plain-text password you enter at the prompt (the stored hash uses the format set in step 2):
[edit]
security-administrator@host:fips# set system login user user-name class security-admin authentication encrypted-password
or
[edit]
security-administrator@host:fips# set system login user user-name class security-admin authentication plain-text-password
New password:
Retype new password:
- Load an SSH public key file that was previously generated with
ssh-keygen. This command accepts RSA (SSH version 2) or ECDSA (SSH
version 2) keys. As written, the key is attached to the root account; to attach
a key to the administrator user created in step 4 instead, the same load-key-file
statement is available under system login user user-name authentication.
[edit]
security-administrator@host:fips# set system root-authentication load-key-file url:filename
- Set the log-key-changes configuration statement to log
when SSH authentication keys are added or removed.
[edit]
security-administrator@host:fips# set system services ssh log-key-changes
Note: When the log-key-changes configuration statement is enabled and committed
(with the commit command in configuration mode), Junos OS logs the changes to the
set of authorized SSH keys for each user, including the keys that were added or
removed. Junos OS logs the differences since the last time the log-key-changes
statement was enabled; if the statement was never enabled before, Junos OS logs
all the authorized SSH keys.
- Commit the changes.
[edit]
security-administrator@host:fips# commit
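The following check is an added example and is not part of the original procedure or of Junos OS. It takes the output of show configuration | display set (the constructed samples below stand in for that output; the user name secadmin and the hash values are placeholders) and verifies the items the steps above configure: a login class with permissions all, password format sha512, an administrator user in that class whose stored hash is actually sha512-crypt (the "$6$" prefix; "$5$" is sha256-crypt and "$1$" is the legacy md5-crypt), ssh log-key-changes, and a root hash that was re-generated after the format change, which is the point of the note further down.

```python
"""Check a Junos set-style configuration dump for the NDcPP administrator items.

Added example, not code from the original page. Input is the text of
'show configuration | display set'; the samples below are constructed.
"""
import shlex

# Constructed sample of a device on which every step above was completed.
COMPLIANT_CONFIG = """\
set system login class security-admin permissions all
set system login password format sha512
set system login user secadmin class security-admin
set system login user secadmin authentication encrypted-password "$6$saltsalt$placeholderhash"
set system services ssh log-key-changes
set system root-authentication encrypted-password "$6$saltsalt$placeholderhash"
"""

# Constructed sample of a device that skipped steps: the administrator hash is
# still md5-crypt, root was never reset after the format change, and SSH key
# changes are not logged.
WEAK_CONFIG = """\
set system login class security-admin permissions all
set system login password format sha512
set system login user secadmin class security-admin
set system login user secadmin authentication encrypted-password "$1$saltsalt$placeholderhash"
set system root-authentication encrypted-password "$1$saltsalt$placeholderhash"
"""

# crypt(3)-style prefixes used for the stored hashes.
HASH_ALGORITHMS = {"$6$": "sha512", "$5$": "sha256", "$1$": "md5"}
EXPECTED_ALGORITHM = "sha512"  # the format configured in step 2


def parse_set_lines(text):
    """Tokenise each 'set ...' line; a quoted hash stays one token, and the
    leading 'set' keyword is dropped."""
    return [shlex.split(line)[1:] for line in text.splitlines()
            if line.startswith("set ")]


def hash_algorithm(value):
    """Name the hash algorithm from the crypt prefix of a stored password."""
    return HASH_ALGORITHMS.get(value[:3], "unknown")


def check_admin_config(text):
    """Return a list of findings; an empty list means every check passed."""
    stmts = parse_set_lines(text)
    findings = []

    # Step 1: at least one login class grants all permissions.
    all_perm_classes = {s[3] for s in stmts
                        if s[:3] == ["system", "login", "class"]
                        and s[4:6] == ["permissions", "all"]}

    # Step 2: password storage format.
    if ["system", "login", "password", "format", EXPECTED_ALGORITHM] not in stmts:
        findings.append(f"password storage format is not {EXPECTED_ALGORITHM}")

    # Step 4: an administrator user in an all-permissions class with a hash
    # that really was produced under the configured format.
    users = {}
    for s in stmts:
        if s[:3] == ["system", "login", "user"] and len(s) >= 6:
            entry = users.setdefault(s[3], {})
            if s[4] == "class":
                entry["class"] = s[5]
            elif s[4:6] == ["authentication", "encrypted-password"] and len(s) == 7:
                entry["hash"] = s[6]
    admins = [u for u, d in users.items() if d.get("class") in all_perm_classes]
    if not admins:
        findings.append("no user is assigned a login class with permissions all")
    for user in admins:
        alg = hash_algorithm(users[user].get("hash", ""))
        if alg != EXPECTED_ALGORITHM:
            findings.append(f"user {user}: password hash is {alg}, "
                            f"expected {EXPECTED_ALGORITHM}")

    # Step 6: log additions and removals of authorized SSH keys.
    if ["system", "services", "ssh", "log-key-changes"] not in stmts:
        findings.append("ssh log-key-changes is not enabled")

    # Root hash: changing the format does not re-hash an existing password,
    # so an old prefix here means the root password was not reset afterwards.
    root_hash = next((s[3] for s in stmts
                      if s[:3] == ["system", "root-authentication", "encrypted-password"]
                      and len(s) == 4), "")
    root_alg = hash_algorithm(root_hash)
    if root_alg != EXPECTED_ALGORITHM:
        findings.append(f"root: password hash is {root_alg}, expected "
                        f"{EXPECTED_ALGORITHM} (reset the root password after "
                        f"changing the format)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("compliant", COMPLIANT_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, check_admin_config(cfg) or ["ok"])
```

Run it against a real dump with `check_admin_config(open("config.set").read())`; the check only reads the configuration and never needs the hashes themselves to be valid, so it is safe to run on an exported copy.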
For details on how to start with shell mode, see Overview for Junos OS
Guide.
Note:
Reset the root password after changing the password storage format to sha256 or
sha512. Changing the format does not re-hash a password that is already stored,
so the reset ensures the root password is protected with a sha256 or sha512 hash.
To reset the root password, use the set system root-authentication
plain-text-password command and confirm the new password when prompted.