Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Protecting Network Security by Configuring the Root Password (Junos OS)

Configuring the root password on your Juniper Networks device helps prevent unauthorized users from making changes to your network. The root user (also referred to as superuser) has unrestricted access and full permissions within the system, so it is crucial to protect this account by setting a strong password when setting up a new device.

After a new device is initially powered on, you log in as the user root with no password. The software requires configuration of the root password before it accepts a commit operation.

To set the root password, you have a few options as shown in the following procedure.

  • Enter a plain-text password the software encrypts.

  • Enter a password that is already encrypted.

  • Enter a secure shell (ssh) public key string.

The most secure options of these three are using an already encrypted password or an ssh public key string. Pre-encrypting your password or using a ssh public key string means the plain-text version of your password will never be transferred over the internet, protecting it from being intercepted by a man-in-the-middle attack.

Best Practice:

Optionally, instead of configuring the root password at the [edit system] hierarchy level, you can use a configuration group to strengthen security.

To set the root password:

  1. Use one of these methods to configure the root password:
    • To enter a plain-text password that the system encrypts for you:

      As you enter a plain-text password into the CLI, the device software hides it from view and encrypts it immediately. You do not have to configure the software to encrypt the password as in some other systems. In the resulting configuration, the encrypted password is marked as ## SECRET-DATA so that it cannot be seen.

    • To enter a password that is already encrypted:


      Do not use the encrypted-password option unless the password is already encrypted, and you are entering the encrypted version of the password.

      If you accidentally configure the encrypted-password option with a plain-text password or with blank quotation marks (" "), you will not be able to log in to the device as root, and you will need to complete the root password recovery process.

    • To enter an ssh public key string:

  2. If you used a configuration group, apply it with the command set apply-groups, replacing <group name> with the configuration group name.

    For example:

  3. Commit the changes.