Protect Network Security by Configuring the Root Password

Configure the root password on your Juniper Networks device to help prevent unauthorized users from making changes to your network. The root user (also referred to as superuser) has unrestricted access and full permissions within the system, so it is crucial that you protect this account by setting a strong password when setting up a new device.

After you initially power on a new device, you log in as the user root with no password. The software requires you to configure the root password before it accepts a commit operation.

To set the root password, you have three options:

  • Enter a plain-text password that the software encrypts.

  • Enter a password that is already encrypted.

  • Enter a Secure Shell (SSH) public key string.

Among these options, using a pre-encrypted password or an SSH public key string is the most secure. If you use one of these methods, then the plain-text version of your password will never be transferred over the Internet, protecting it from being intercepted by a man-in-the-middle attack.

Best Practice:

Optionally, instead of configuring the root password at the [edit system] hierarchy level, you can use a configuration group to strengthen security.

To set the root password:

  1. Use one of these methods to configure the root password:
    • To enter a plain-text password that the system encrypts for you:

      As you enter a plain-text password into the CLI, the device software hides it from view and encrypts it immediately. You don't have to configure the software to encrypt the password. In the resulting configuration, the encrypted password is marked as ## SECRET-DATA so that it cannot be seen.

    • To enter a password that is already encrypted:

      CAUTION:

      Do not use the encrypted-password option unless the password is already encrypted and you are entering that encrypted password.

      If you accidentally configure the encrypted-password option with a plain-text password or with blank quotation marks (" "), you will not be able to log in to the device as the root user. You will then need to complete the root password recovery process.

    • To enter an SSH public key string:

  2. If you used a configuration group, replace the group-name variable with the configuration group's name.
  3. Commit the changes.
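
The CAUTION in step 1 describes a lockout when the encrypted-password option receives plain text or blank quotation marks. As an added example (not Juniper's code), this Python pre-check accepts only a well-formed crypt(3) hash before emitting the command. The `set system root-authentication` syntax, the `$1$`/`$5$`/`$6$` hash prefixes, and the group name `global` are assumptions not shown on this page.

```python
import re

# Assumption: digest lengths for the crypt(3) schemes Junos accepts.
DIGEST_LEN = {"1": 22, "5": 43, "6": 86}   # MD5, SHA-256, SHA-512
HASH_RE = re.compile(
    r"\$(?P<id>[156])\$(?P<rounds>rounds=\d+\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)"
)

def check_encrypted_password(value):
    """Return (ok, reason); ok is True only for a well-formed crypt hash."""
    if not value.strip():
        return False, "blank value"
    m = HASH_RE.fullmatch(value)
    if m is None:
        return False, "not a crypt(3) hash (plain text?)"
    if m["id"] == "1" and m["rounds"]:
        return False, "rounds= is not valid for MD5 crypt"
    if len(m["digest"]) != DIGEST_LEN[m["id"]]:
        return False, "digest length does not match scheme"
    return True, "ok"

def render_set_command(value, group=None):
    """Build the set command, refusing values that would lock out root."""
    ok, reason = check_encrypted_password(value)
    if not ok:
        raise ValueError(f"refusing encrypted-password: {reason}")
    # With a configuration group, the statement lives under "groups <name>".
    scope = f"groups {group} " if group else ""
    return f'set {scope}system root-authentication encrypted-password "{value}"'

# Constructed sample: correct shape for a SHA-512 hash, not a real digest.
SAMPLE_HASH = "$6$constructedsalt$" + "A" * 86

if __name__ == "__main__":
    for candidate in (SAMPLE_HASH, "MyPlainTextPassword", " "):
        ok, reason = check_encrypted_password(candidate)
        print(f"{candidate[:24]!r:28} -> {reason}")
    print(render_set_command(SAMPLE_HASH, group="global"))
```

The check validates only the shape of the string; it cannot tell whether the hash corresponds to the password you intend to use.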

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

| Release | Description |
|---------|-------------|
| 18.3R1 | Starting in Junos OS Release 18.3R1, the ssh-dss and ssh-dsa hostkey algorithms are deprecated—rather than immediately removed—to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration. |