An account for root
is always present in a
configuration and is not intended for use in normal operation. In
the evaluated configuration, the root
account is restricted
to the initial installation and configuration of the evaluated device.
An NDcPPv2.2e authorized administrator must have all permissions, including the ability to change
the device configuration.
To configure an authorized administrator:
- Create a login class named security-admin with all permissions.
[edit]
security-administrator@host:fips# set system login class security-admin permissions all
- Configure the hashed algorithm for plain-text passwords
as sha512.
[edit]
security-administrator@host:fips# set system login password format sha512
- Commit the changes.
[edit]
security-administrator@host:fips# commit
-
Define your NDcPPv2.2e user authorized administrator.
[edit]
security-administrator@host:fips# set system login user NDcPPv2-user class security-admin authentication encrypted-password
or
[edit]
security-administrator@host:fips# set system login user NDcPPv2-user class security-admin authentication plain-text-password
- Load an SSH key file that was previously generated using
ssh-keygen. This command loads RSA (SSH version 2), or ECDSA (SSH
version 2).
[edit]
security-administrator@host:fips# set system root-authentication load-key-file url:filename
- Set the log-key-changes configuration statement to log
when SSH authentication keys are added or removed.
[edit]
security-administrator@host:fips# set system services ssh log-key-changes
Note: When the log-key-changes
configuration statement
is enabled and committed (with the commit command in configuration
mode), Junos OS logs the changes to the set of authorized SSH keys
for each user (including the keys that were added or removed). Junos
OS logs the differences since the last time the log-key-changes
configuration statement was enabled. If the log-key-changes
configuration statement was never enabled, then Junos OS logs all
the authorized SSH keys.
- Commit the changes.
[edit]
security-administrator@host:fips# commit
For details on how to start with shell mode, see Overview for Junos OS
Guide.
Note: The root password should be reset following the change to sha256 / sha512 for the password
storage format. This ensures the new password is protected using a sha256 /
sha512 hash. To reset the root password, use set system
root-authentication plain-text-password
password
command, and confirm the new password when prompted.