Root Password

When the device is powered on for the first time, it is ready to be configured. Initially, you log in as the user root with no password. You must configure a plain-text password for the root-level user (whose username is root) the first time you modify and commit the configuration. Configuring a plain-text password is one way to protect the root level from access by unauthorized users. If you forget the root password for the device, you can use the password recovery procedure to reset it.

Configure the Root Password

When you power on the router or switch, it is ready to be configured. Initially, you log in as the user root with no password. The root directory is the entry point to all other folders and files on that device. As a result, access to the root directory is restricted by default to a predefined user account known as the root user. The root user (also referred to as superuser) has unrestricted access and full permissions within the system. The expression “log in as root” is commonly used when an action requires the user to log in to the device as the root user.

Note:

If you configure a blank password using the encrypted-password statement at the [edit system root-authentication] hierarchy level for root authentication, you can commit a configuration. You cannot, however, log in as the root user and gain root level access to the router or switch.

After you log in, you should configure the root (superuser) password by including the root-authentication statement at the [edit system] hierarchy level and configuring one of the password options:

If you configure the plain-text-password option, you are prompted to enter and confirm the password:

The default requirements for plain-text passwords are:

  • The password must be between 6 and 128 characters long.

  • You can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.

  • Valid passwords must contain at least one uppercase letter or one lowercase letter, or one character class.

If you use the encrypted-password option, a null (empty) password is not permitted. You must configure a password of 1 through 128 characters and enclose it in quotation marks.

You can use the load-key-file URL filename statement to load an SSH key file that was previously generated using ssh-keygen. The URL filename option is the path to the file’s location and name. When using this option, the contents of the key file are copied into the configuration immediately after entering the load-key-file URL statement. This command loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys.

Optionally, you can use the ssh-ecdsa or ssh-rsa statements to directly configure SSH RSA and ECDSA keys to authenticate root logins. You can configure more than one public key for SSH authentication of root logins as well as for user accounts. When a user logs in as root, the device determines whether the private key matches any of the configured public keys.

In configuration mode, you can confirm your SSH key entries by entering the show command. It should look similar to the following output:

Example: Configure a Plain-Text Password for Root Logins

This example shows how to configure a plain-text password for the root-level user (the username is root). Configuring a plain-text password is one way to prevent unauthorized users from accessing the root level. You must prevent unauthorized users from gaining access to superuser commands that can be used to alter your system configuration.

Requirements

No special configuration beyond device initialization is required before configuring this example.

The default requirements for a plain-text password are as follows:

  • Must be from 6 up to 128 characters long.

  • Can include most character classes (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.

  • Must contain at least one change of case or character class.
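The default plain-text requirements, listed here and earlier on this page, can be pre-checked before a password is pushed through automation. The following is an added example, not code from the vendor documentation; the function names are hypothetical, and it assumes "one change of case or character class" means characters from at least two distinct classes.

```python
import string
import unicodedata

MIN_LEN, MAX_LEN = 6, 128  # default length bounds stated on this page

def char_class(ch):
    """Map one character to the class names used in the requirements list."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    if ch in string.punctuation:
        return "punctuation"
    return "other"

def check_root_password(candidate):
    """Return a list of problems; an empty list means the defaults are met."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length %d outside %d-%d"
                        % (len(candidate), MIN_LEN, MAX_LEN))
    # Unicode category Cc covers control characters such as TAB or ESC.
    if any(unicodedata.category(ch) == "Cc" for ch in candidate):
        problems.append("contains control characters (not recommended)")
    # Assumption: "one change of case or character class" is read as
    # "characters from at least two distinct classes".
    classes = {char_class(ch) for ch in candidate}
    if len(classes) < 2:
        problems.append("no change of case or character class")
    return problems
```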

Overview

When you power on the router, it is ready to be configured. Initially, you log in as the root-level user with no password. To set the root password, you have several options. This example shows how to enter a plain-text password that the device then encrypts for you.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following command and paste it into the window. When prompted, type the new password, and then when prompted, retype it.

Configure a Plain-Text Password for User Root

Step-by-Step Procedure

To configure a plain-text password for the root-level user:

  1. Type the set command for the plain-text password and press Enter.

  2. Type the new password next to the New password prompt and press Enter.

  3. Retype the same password next to the Retype new password prompt and press Enter.

Results

In configuration mode, confirm your configuration by using the show system command. It should look something like this:

If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

After you have confirmed that the configuration is correct, enter commit in configuration mode.

Verification

Verify the Configuration of a Plain-Text Password for User Root

Purpose

Verify the configuration of a plain-text password for the root-level user.

Action

In operational mode, confirm your configuration by entering the show configuration system command.

Meaning

If you use a plain-text password, the device automatically encrypts the password as soon as you configure it. You do not have to configure the device to encrypt the password, as in some other systems. Plain-text passwords are hidden and marked as ## SECRET-DATA in the configuration. When a user views the configuration, the user sees only the encrypted string, not the unencrypted password.
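An audit of saved `show configuration system` output can confirm that root authentication is in the state this page describes: a stored hash rather than a blank value, plus any configured SSH public keys. The following is an added example, not vendor code; the sample configuration text, hash and keys are constructed placeholders, the function name is hypothetical, and the check that a stored hash starts with `$` is an assumption about the hash format.

```python
import re

# Constructed sample of `show configuration system` output; the hash and
# key material are placeholders, not real credentials.
SAMPLE = '''
host-name lab-router;
root-authentication {
    encrypted-password "$6$constructedsalt$constructedhash"; ## SECRET-DATA
    ssh-rsa "ssh-rsa AAAAconstructedkey admin@example"; ## SECRET-DATA
    ssh-ecdsa "ecdsa-sha2-nistp256 AAAAconstructedkey ops@example"; ## SECRET-DATA
}
'''

BLOCK = re.compile(r'root-authentication\s*\{(.*?)\}', re.S)
STATEMENT = re.compile(
    r'^\s*(encrypted-password|ssh-rsa|ssh-ecdsa)\s+"([^"]*)";', re.M)

def audit_root_authentication(config_text):
    """Summarize how root can authenticate and list anything worth fixing."""
    report = {"password": "missing", "ssh_keys": 0, "findings": []}
    block = BLOCK.search(config_text)
    if block is None:
        report["findings"].append(
            "no root-authentication block: root password not set")
        return report
    for name, value in STATEMENT.findall(block.group(1)):
        if name != "encrypted-password":
            report["ssh_keys"] += 1      # ssh-rsa or ssh-ecdsa public key
        elif value == "":
            report["password"] = "blank"
            report["findings"].append(
                "blank encrypted-password: commits, but root cannot log in")
        elif value.startswith("$"):
            report["password"] = "hashed"
        else:
            # Assumption: stored hashes use the crypt-style "$id$..." form, so
            # anything else is probably a clear-text string pasted by mistake.
            report["password"] = "suspect"
            report["findings"].append(
                "encrypted-password does not look like a hash")
    if report["password"] == "missing" and report["ssh_keys"] == 0:
        report["findings"].append("root-authentication has no credentials")
    return report
```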