Authentication and Access Control

  • Harden shared secrets in Junos OS Evolved (ACX7100, ACX7509, ACX7024, PTX10001-36MR, PTX10003, PTX10004, PTX10008, PTX10016, QFX5130, QFX5700, QFX5220, and QFX5230-64CD)—Starting in Junos OS Evolved Release 22.4R1, you can configure a system primary password and request to decrypt encrypted secrets, allowing for hardening of shared secrets, such as pre-shared keys and RADIUS passwords.

    Setting a primary password enables devices to encrypt passwords so that only devices with knowledge of the primary password can decrypt the encrypted passwords. The following CLI commands are supported:

    • request system decrypt password

    • set system master-password

    [See Master Password for Configuration Encryption.]

  • VRF support for TCP keychains (ACX7100, ACX7509, ACX7024, PTX10004, PTX10008, PTX10016, QFX5130-32CD, and QFX5700)—Starting in Junos OS Evolved Release 22.4R1, we support virtual routing and forwarding (VRF) for TCP connections with keychain-based authentication. VRF enables you to isolate traffic traversing the network without using multiple devices to segment your network.

    [See authentication-key-chains.]

  • OpenSSH certificate support (PTX10008, PTX10016)—Starting in Junos OS Evolved Release 22.4R1, you can configure SSH certificate-based authentication for users and hosts. This feature enables you to set up SSH access to a device with password-less login for users and gives the capability to trust hosts without the need to verify key fingerprints.

    You can use the following new CLI configuration statements to configure SSH certificate-based authentication:

    • [system services ssh trusted-user-ca-key-file filename]—Configure the TrustedUserCAKey file in /etc/ssh/sshd_config, which contains the public keys of the certificate authorities (CAs) trusted to sign user certificates.

    • [system services ssh host-certificate-file filename]—Configure the HostCertificate file in /etc/ssh/sshd_config, which contains the signed host certificate.

    • [system services ssh authorized-principals-file filename]—Configure the AuthorizedPrincipalsFile at /var/etc, which contains a list of names, one of which must appear in the certificate for it to be accepted for authentication.

    • [system services ssh authorized-principals-command program-path]—Specify a program to be used for generating the list of allowed certificate principals found in the AuthorizedPrincipalsFile.

    [See Configure SSH Service for Remote Access to the Router or Switch.]
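The following is an added example, not code from Juniper or from OpenSSH, showing what the AuthorizedPrincipalsFile check described above actually does: it decodes the principals and validity window from a user certificate in the public OpenSSH certificate wire format and accepts the certificate only if one of its principals appears in the file. The sample certificate, principal names, key bytes and the empty signature are all constructed placeholders; verifying that signature against the TrustedUserCAKey is sshd's job and is deliberately not reproduced here.

```python
"""Added example (not Juniper's or OpenSSH's code): how the principals in an
OpenSSH user certificate are matched against an AuthorizedPrincipalsFile.
Key, nonce and signature bytes are placeholders; signature/CA trust checks
are left to sshd."""
import base64
import struct
import time

CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"
SSH_CERT_TYPE_USER = 1


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


class _Reader:
    """Sequential decoder for SSH wire types (string, uint32, uint64)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def string(self) -> bytes:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        s = self.data[self.pos:self.pos + n]
        if len(s) != n:
            raise ValueError("truncated certificate")
        self.pos += n
        return s

    def u32(self) -> int:
        (n,) = struct.unpack_from(">I", self.data, self.pos)
        self.pos += 4
        return n

    def u64(self) -> int:
        (n,) = struct.unpack_from(">Q", self.data, self.pos)
        self.pos += 8
        return n


def build_user_cert(key_id, principals, valid_after, valid_before) -> str:
    """Construct one line as found in a *-cert.pub file (placeholder key material)."""
    principal_blob = b"".join(_string(p.encode()) for p in principals)
    ca_key = _string(b"ssh-ed25519") + _string(b"\x22" * 32)   # placeholder CA key
    blob = (
        _string(CERT_TYPE.encode())
        + _string(b"\x00" * 32)                  # nonce (placeholder)
        + _string(b"\x11" * 32)                  # user's public key (placeholder)
        + struct.pack(">Q", 1)                   # serial
        + struct.pack(">I", SSH_CERT_TYPE_USER)  # certificate type: user
        + _string(key_id.encode())
        + _string(principal_blob)                # valid principals (nested strings)
        + struct.pack(">Q", valid_after)
        + struct.pack(">Q", valid_before)
        + _string(b"")                           # critical options (none)
        + _string(b"")                           # extensions (none)
        + _string(b"")                           # reserved
        + _string(ca_key)                        # signature key
        + _string(b"")                           # signature (placeholder, not verified)
    )
    return f"{CERT_TYPE} {base64.b64encode(blob).decode()} {key_id}"


def parse_cert(line: str) -> dict:
    """Decode the fields sshd consults when applying AuthorizedPrincipalsFile."""
    cert_type, b64 = line.split()[:2]
    r = _Reader(base64.b64decode(b64))
    if r.string().decode() != cert_type:
        raise ValueError("certificate type mismatch")
    r.string()                       # nonce
    r.string()                       # public key
    serial, kind = r.u64(), r.u32()
    key_id = r.string().decode()
    pr = _Reader(r.string())         # principals: a string holding a list of strings
    principals = []
    while pr.pos < len(pr.data):
        principals.append(pr.string().decode())
    valid_after, valid_before = r.u64(), r.u64()
    return {"serial": serial, "type": kind, "key_id": key_id,
            "principals": principals,
            "valid_after": valid_after, "valid_before": valid_before}


def load_authorized_principals(text: str) -> set:
    """One principal name per line; blank lines and '#' comments are ignored."""
    names = set()
    for raw in text.splitlines():
        name = raw.split("#", 1)[0].strip()
        if name:
            names.add(name)
    return names


def check_user_cert(cert_line, authorized_principals_text, now=None):
    """Return (accepted, reason) from the principal and validity-window checks only."""
    cert = parse_cert(cert_line)
    now = int(time.time()) if now is None else now
    if cert["type"] != SSH_CERT_TYPE_USER:
        return False, "not a user certificate"
    if not (cert["valid_after"] <= now < cert["valid_before"]):
        return False, "outside validity window"
    allowed = load_authorized_principals(authorized_principals_text)
    for p in cert["principals"]:
        if p in allowed:
            return True, f"matched principal {p}"
    return False, "no certificate principal is listed in AuthorizedPrincipalsFile"


# Constructed sample: a cert for alice that also carries the role principal "netops".
SAMPLE_CERT = build_user_cert("alice@example", ["alice", "netops"],
                              1_700_000_000, 1_800_000_000)
SAMPLE_PRINCIPALS_FILE = "# router access roles\nnetops\nnoc\n"

if __name__ == "__main__":
    print(check_user_cert(SAMPLE_CERT, SAMPLE_PRINCIPALS_FILE, now=1_750_000_000))
```

Because the file is matched by name rather than by key, rotating a user's key does not require touching the device: only the CA's signature and the principal list in the certificate decide access, which is why the validity window and the set of role principals the CA is willing to sign deserve the same review as an authorized_keys file would.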