An account for root is always present in the
configuration and is not intended for use in normal operation. In
the evaluated configuration, the root account is restricted
to the initial installation and configuration of the evaluated device.
An NDcPP Version 3.0e authorized administrator must have all permissions, including the ability
to change the device configuration. Other non-admin user classes such as the
'read-only' class do not have access to any of the security management
functions.
To configure an authorized administrator:
- Create a login class named security-admin with all permissions.
[edit]
root@host:fips# set system login class security-admin permissions all
- Configure the hashing algorithm used for password storage
as sha512.
[edit]
root@host:fips# set system login password format sha512
'sha256' can also be configured as the password hashing algorithm.
- Commit the changes.
[edit]
root@host:fips# commit
- Define the NDcPPv3.0e authorized administrator user using the command below.
The same command is used to change the password.
[edit]
root@host:fips# set system login user crypto-officer class security-admin authentication plain-text-password
New password: <enter password>
Retype new password: <enter password>
- To delete the user, use the command below:
[edit]
root@host:fips# delete system login user crypto-officer
- Set the log-key-changes configuration statement to log when SSH
authentication keys are added or removed.
[edit]
root@host:fips# set system services ssh log-key-changes
Note: When the log-key-changes configuration statement is enabled and
committed (with the commit command in configuration mode), Junos OS logs
the changes to the set of authorized SSH keys for each user (including the
keys that were added or removed). Junos OS logs the differences since the
last time the log-key-changes configuration statement was enabled. If the
log-key-changes configuration statement was never enabled, then Junos OS
logs all the authorized SSH keys.
Login users can be configured with either password or public-key based
authentication as below:
[edit]
root@host:fips# set system login user crypto-officer class security-admin authentication plain-text-password
New password: <enter password>
Retype new password: <enter password>
[edit]
root@host:fips# set system login user crypto-officer class security-admin authentication ssh-ecdsa <ecdsa-public-key>
[edit]
root@host:fips# set system login user crypto-officer class security-admin authentication ssh-rsa <rsa-public-key>
To delete a configured login credential, use the following command:
[edit]
root@host:fips# delete system login user crypto-officer class security-admin authentication
The set commands used to configure the credentials as shown
above can be repeated to overwrite the currently configured credentials.
Note: ssh-ed25519 is not supported in FIPS mode.
Keyboard-interactive authentication for SSH is supported by default and
needs no additional configuration beyond a password being configured for
the user. Providing a multifactor authentication mechanism would require
an external AAA server, which is outside the CC scope; as a result, the
keyboard-interactive authentication method behaves like the password-based
method in the evaluated configuration.
- Commit the changes.
[edit]
root@host:fips# commit
Note: The root password should be reset after the password storage format
is changed to sha256 / sha512. This ensures the root password is protected
using a sha256 / sha512 hash rather than the default password hashing
algorithm (sha1); a hash stored before the format change keeps the old
algorithm until the password is set again. To reset the root password, use
the set system root-authentication plain-text-password command, then enter
and confirm the new password when prompted.
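As an added check that is not part of the Junos OS documentation, the following Python script audits a Junos configuration in "set" form against the requirements of this procedure: password format sha256 or sha512, at least one user in a class with all permissions, ssh log-key-changes enabled, no ssh-ed25519 keys, and user and root password hashes already stored in the $5$ / $6$ (sha256 / sha512) crypt format. Both sample configurations and all hash and key values are constructed placeholders, and the assumption that a sha256 / sha512 hash is identified by the standard crypt(3) prefixes is the script's, not the page's.

```python
import re
# Constructed Junos OS "set"-form configuration (not from a real device); hash and key values are placeholders.
COMPLIANT_CONFIG = """
set system login class security-admin permissions all
set system login password format sha512
set system login user crypto-officer class security-admin authentication encrypted-password "$6$PLACEHOLDER"
set system login user crypto-officer class security-admin authentication ssh-ecdsa "ecdsa-sha2-nistp256 PLACEHOLDER"
set system services ssh log-key-changes
set system root-authentication encrypted-password "$6$PLACEHOLDER"
"""
# Same device before the procedure: default (sha1) format, root hash never reset,
# key-change logging off, and an ed25519 key configured.
WEAK_CONFIG = """
set system login class security-admin permissions all
set system login user crypto-officer class security-admin authentication encrypted-password "$sha1$PLACEHOLDER"
set system login user crypto-officer class security-admin authentication ssh-ed25519 "ssh-ed25519 PLACEHOLDER"
set system root-authentication encrypted-password "$sha1$PLACEHOLDER"
"""
HASH_PREFIXES = ("$5$", "$6$")  # crypt(3) identifiers for sha256 / sha512 (assumed)

def audit_evaluated_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []
    # 1. Password storage format must be sha256 or sha512 (the default is sha1).
    fmt = [m.group(1) for ln in lines
           if (m := re.fullmatch(r"set system login password format (\S+)", ln))]
    if not fmt or fmt[-1] not in ("sha256", "sha512"):
        findings.append("password format is %s; expected sha256 or sha512"
                        % (fmt[-1] if fmt else "default (sha1)"))
    # 2. Additions and removals of authorized SSH keys must be logged.
    if "set system services ssh log-key-changes" not in lines:
        findings.append("ssh log-key-changes is not enabled")
    # 3. At least one user must belong to a class with all permissions;
    #    4. ssh-ed25519 keys are not supported in FIPS mode.
    admin_classes = {m.group(1) for ln in lines
                     if (m := re.fullmatch(r"set system login class (\S+) permissions all", ln))}
    users = re.findall(r"^set system login user (\S+) class (\S+) authentication (\S+)",
                       "\n".join(lines), re.M)
    if not any(cls in admin_classes for _, cls, _ in users):
        findings.append("no user is assigned to a class with 'permissions all'")
    for user, _, method in users:
        if method == "ssh-ed25519":
            findings.append(f"user {user}: ssh-ed25519 is not supported in FIPS mode")
    # 5. Every stored hash (users and root) must use the new format; a hash set before the change keeps the old one.
    for ln in lines:
        m = re.fullmatch(r"(set system .*?) encrypted-password \"?([^\"]*)\"?", ln)
        if m and not m.group(2).startswith(HASH_PREFIXES):
            findings.append(f"{m.group(1)}: hash is not sha256/sha512; reset the password")
    return findings
```

Run it against the output of "show configuration | display set" to see which of the steps above still need to be applied; the weak sample yields one finding per missing step.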
Note: Users need to set up IP reachability configurations to
enable service access on the device.
To import and delete SSH public keys, see Managing Cryptographic Keys, Trust Stores, and Encryption Parameters in Junos OS 23.4R1 (NFX Series).