Junos OS Login Settings
Junos OS allows you to specify various settings that apply to users after they have logged in. You can define an announcement to show users after they log in, display system alarms automatically, provide login tips, specify time-based user access, and limit the number of login attempts. Read this topic for more information.
Configuring Junos OS to Display a System Login Announcement
Sometimes you want to make announcements only to authorized users after they have logged in. For example, you might want to announce an upcoming maintenance event.
You can format the announcement using the following special characters:
\n—New line
\t—Horizontal tab
\'—Single quotation mark
\"—Double quotation mark
\\—Backslash
If the message text contains any spaces, enclose it in quotation marks.
By default, no login announcement is displayed.
To configure an announcement that can be seen only by authorized users:
If the announcement text contains any spaces, enclose the text in quotation marks.
A system login announcement appears after the user logs in. A system login message appears before the user logs in.
You can use the same special characters described above to format your system login announcement.
Configuring System Alarms to Appear Automatically Upon Login
You can configure Juniper Networks routers and switches to run the show system alarms command whenever a user with the login class admin logs in to the router or switch. To do so, include the login-alarms statement at the [edit system login class admin] hierarchy level.
[edit system login class admin]
login-alarms;
For more information on the show system alarms command, see the CLI Explorer.
Configuring Login Tips
The Junos OS CLI provides the option of configuring login tips for the user. By default, the tip command is not enabled when a user logs in.
To enable tips, include the login-tip statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name]
login-tip;
Adding this statement enables the tip command for the class specified, provided the user logs in using the CLI.
Examples: Configuring Time-Based User Access
The following example shows how to configure user access for the operator-round-the-clock-access login class from Monday through Friday without any restriction on access time or duration of login:
[edit system]
login {
    class operator-round-the-clock-access {
        allowed-days [ monday tuesday wednesday thursday friday ];
    }
}
The following example shows how to configure user access for the operator-day-shift login class on Monday, Wednesday, and Friday from 8:30 AM to 4:30 PM:
[edit system]
login {
    class operator-day-shift {
        allowed-days [ monday wednesday friday ];
        access-start 0830;
        access-end 1630;
    }
}
Alternatively, you can specify the login start time and end time for the operator-day-shift login class to be from 8:30 AM to 4:30 PM in the following format:
[edit system]
login {
    class operator-day-shift {
        allowed-days [ monday wednesday friday ];
        access-start 08:30am;
        access-end 04:30pm;
    }
}
The following example shows how to configure user access for the operator-day-shift-all-days-of-the-week login class to be on all days of the week from 8:30 AM to 4:30 PM:
[edit system]
login {
    class operator-day-shift-all-days-of-the-week {
        access-start 0830;
        access-end 1630;
    }
}
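The following Python model is an added example, not part of the Junos documentation: it evaluates the time-based access rules of the login classes above for a given login time, accepting both time formats the examples use (0830 and 08:30am). It assumes that a class without allowed-days is permitted on every day and a class without access-start/access-end at any time of day; that is the model's assumption, not a statement about Junos.

```python
"""Model of Junos time-based login-class access (added example, not Juniper code).

Assumption (not taken from the Junos docs): a class with no allowed-days is
permitted every day, and a class with no access-start/access-end is permitted
at any time of day.  Times may be written as 24-hour "0830" or 12-hour "08:30am".
"""
import re
from datetime import datetime, time

# datetime.weekday() returns 0 for Monday, matching this list's order.
DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_access_time(value):
    """Parse '0830', '1630', '08:30am' or '04:30pm' into a datetime.time."""
    m = re.fullmatch(r"(\d{2}):?(\d{2})\s*([ap]m)?", value.strip().lower())
    if not m:
        raise ValueError(f"unrecognised access time: {value!r}")
    hour, minute, meridiem = int(m.group(1)), int(m.group(2)), m.group(3)
    if meridiem:
        if not 1 <= hour <= 12:
            raise ValueError(f"12-hour time out of range: {value!r}")
        hour = hour % 12 + (12 if meridiem == "pm" else 0)  # 12am -> 0, 12pm -> 12
    if hour > 23 or minute > 59:
        raise ValueError(f"24-hour time out of range: {value!r}")
    return time(hour, minute)


def login_allowed(login_class, when):
    """Return True if a user in login_class may log in at `when`.

    `when` is a datetime or an ISO 8601 string such as "2024-01-01T09:00".
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    days = login_class.get("allowed-days")
    if days is not None and DAYS[when.weekday()] not in days:
        return False
    start, end = login_class.get("access-start"), login_class.get("access-end")
    if start is None or end is None:
        return True
    return parse_access_time(start) <= when.time() <= parse_access_time(end)


# The three login classes configured in the examples above (constructed as dicts).
ROUND_THE_CLOCK = {"allowed-days": ["monday", "tuesday", "wednesday", "thursday", "friday"]}
OPERATOR_DAY_SHIFT = {"allowed-days": ["monday", "wednesday", "friday"],
                      "access-start": "08:30am", "access-end": "04:30pm"}
ALL_DAYS_DAY_SHIFT = {"access-start": "0830", "access-end": "1630"}
```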
Configuring the Timeout Value for Idle Login Sessions
An idle login session is one in which the CLI operational mode prompt is displayed but there is no input from the keyboard. By default, a login session remains established until a user logs out of the router or switch, even if that session is idle. To close idle sessions automatically, you must configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes.
The idle-timeout statement can be configured only for user-defined classes. It has no effect on the predefined classes operator, read-only, and super-user, whose values and permissions are not editable.
To define the timeout value for idle login sessions, include the idle-timeout statement at the [edit system login class class-name] hierarchy level:
[edit system login class class-name]
idle-timeout minutes;
Specify the number of minutes that a session can be idle before it is automatically closed.
If you have configured a timeout value, the CLI displays messages similar to the following when timing out an idle user. It starts displaying these messages 5 minutes before timing out the user.
user@host#
Session will be closed in 5 minutes if there is no activity.
Warning: session will be closed in 1 minute if there is no activity
Warning: session will be closed in 10 seconds if there is no activity
Idle timeout exceeded: closing session
If you configure a timeout value, the session closes after the specified time has elapsed, unless the user is running telnet or monitoring interfaces using the monitor interface or monitor traffic command.
Login Retry Options
The security administrator can configure the number of times a user can try to log in to the device with invalid login credentials. The device can be locked after the specified number of unsuccessful authentication attempts. This helps to protect the device from malicious users attempting to access the system by guessing an account’s password. The security administrator can unlock the user account or define a time period for the user account to remain locked.
The system lockout-period defines the amount of time the device can be locked for a user account after a specified number of unsuccessful login attempts.
The security administrator can configure a period of time after which an inactive session will be locked and require re-authentication to be unlocked. This helps to protect the device from being idle for a long period before the session times out.
The system idle-timeout defines the length of time the CLI operational mode prompt remains active before the session times out.
The security administrator can configure a banner with an advisory notice to be displayed before the identification and authentication screen.
The system message defines the system login message. This message appears before a user logs in.
The number of reattempts the device allows is defined by the tries-before-disconnect option. The device allows 3 unsuccessful attempts by default or as configured by the administrator. The device prevents locked users from performing activities that require authentication until a security administrator manually clears the lock or the defined lock period has elapsed. However, existing locks are ignored when the user attempts to log in from the local console.
To clear the console during an administrator-initiated logout, the administrator must configure set system login message "message string" such that the message-string contains newline (\n) characters followed by the login banner text after the \n characters.
To ensure that configuration information is cleared completely, the administrator can enter 50 or more \n characters in the message-string of the set system login message "message string" command.
For example:
set system login message "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n Welcome to Junos!!!"
Limiting the Number of User Login Attempts for SSH and Telnet Sessions
You can limit the number of times a user can attempt to enter a password while logging in through SSH or Telnet. The connection is terminated if a user fails to log in after the number of attempts specified. You can also specify a delay, in seconds, before a user can try to enter a password after a failed attempt. In addition, you can specify the threshold for the number of failed attempts before the user experiences a delay in being able to enter a password again.
To specify the number of times a user can attempt to enter a password while logging in, include the retry-options statement at the [edit system login] hierarchy level:
[edit system login]
retry-options {
    tries-before-disconnect number;
    backoff-threshold number;
    backoff-factor seconds;
    maximum-time seconds;
    minimum-time seconds;
}
You can configure the following options:
tries-before-disconnect—Number of times a user can attempt to enter a password when logging in. The connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and the default is 10.
backoff-threshold—Threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. Use the backoff-factor option to specify the length of the delay in seconds. The range is from 1 through 3, and the default is 2.
backoff-factor—Length of time, in seconds, before a user can attempt to log in after a failed attempt. The delay increases by the value specified for each subsequent attempt after the threshold. The range is from 5 through 10, and the default is 5 seconds.
maximum-time seconds—Maximum length of time, in seconds, that the connection remains open for the user to enter a username and password to log in. If the user remains idle and does not enter a username and password within the configured maximum-time, the connection is closed. The range is from 20 through 300 seconds, and the default is 120 seconds.
minimum-time—Minimum length of time, in seconds, that a connection remains open while a user is attempting to enter a correct password. The range is from 20 through 60, and the default is 40.
The following example shows how to limit the user to four attempts when the user enters a password while logging in through SSH or Telnet:
Limiting the number of SSH and Telnet login attempts per user is one of the most effective methods of stopping brute force attacks from compromising your network security. Brute force attackers execute a large number of login attempts in a short period of time to illegitimately gain access to a private network. By configuring the retry-options command, you can create an increasing delay after each failed login attempt, eventually disconnecting any user who passes your set threshold of login attempts.
Set the backoff-threshold to 2, the backoff-factor to 5 seconds, and the minimum-time to 40 seconds. The user experiences a delay of 5 seconds after the second attempt to enter a correct password fails. After each subsequent failed attempt, the delay increases by 5 seconds. After the fourth and final failed attempt to enter a correct password, the user experiences an additional 10-second delay, and the connection closes after a total of 40 seconds. The additional variables maximum-time and lockout-period are not set in this example.
[edit]
system {
    login {
        retry-options {
            backoff-threshold 2;
            backoff-factor 5;
            minimum-time 40;
            tries-before-disconnect 4;
        }
        password {
        }
    }
}
This sample only shows the portion of the [edit system login] hierarchy level being modified.
Example: Configuring Login Retry Options
This example shows how to configure system retry options to protect the device from malicious users.
Requirements
Before you begin, you should understand Login Retry Options.
No special configuration beyond device initialization is required before configuring this feature.
Overview
Malicious users sometimes try to log in to a secure device by guessing an authorized user account’s password. Locking out a user account after a number of failed authentication attempts helps protect the device from malicious users.
Device lockout allows you to configure the number of failed attempts before the user account is locked out of the device and the amount of time before the user can attempt to log in to the device again. You can configure the amount of time between failed login attempts of a user account and can manually lock and unlock user accounts.
This example includes the following settings:
backoff-factor—Sets the length of delay in seconds after each failed login attempt. When a user incorrectly logs in to the device, the user must wait the configured amount of time before attempting to log in to the device again. The length of delay increases by this value for each subsequent login attempt after the value specified in the backoff-threshold statement. The default value for this statement is five seconds, with a range of five to ten seconds.
backoff-threshold—Sets the threshold for the number of failed login attempts on the device before the user experiences a delay when attempting to reenter a password. When a user incorrectly logs in to the device and hits the threshold of failed login attempts, the user experiences the delay set in the backoff-factor statement before attempting to log in to the device again. The default value for this statement is two, with a range of one through three.
lockout-period—Sets the amount of time in minutes before the user can attempt to log in to the device after being locked out due to the number of failed login attempts specified in the tries-before-disconnect statement. When a user fails to log in correctly after the number of allowed attempts specified by the tries-before-disconnect statement, the user must wait the configured number of minutes before attempting to log in to the device again. The lockout-period must be greater than zero. The range at which you can configure the lockout-period is one through 43,200 minutes.
tries-before-disconnect—Sets the maximum number of times the user is allowed to enter a password to attempt to log in to the device through SSH or Telnet. When the user reaches the maximum number of failed login attempts, the user is locked out of the device. The user must wait the number of minutes configured in the lockout-period statement before attempting to log back in to the device. The tries-before-disconnect statement must be set when the lockout-period statement is set; otherwise, the lockout-period statement is meaningless. The default number of attempts is ten, with a range of one through ten attempts.
Once a user is locked out of the device, if you are the security administrator, you can manually remove the user from this state using the clear system login lockout <username> command. You can also use the show system login lockout command to view which users are currently locked out, when the lockout period began for each user, and when the lockout period ends for each user.
If the security administrator is locked out of the device, they can log in to the device from the console port, which ignores any user locks. This provides a way for the administrator to remove the lock on their own user account.
In this example the user waits for the backoff-threshold multiplied by the backoff-factor interval, in seconds, to get the login prompt. In this example, the user must wait 5 seconds after the first failed login attempt and 10 seconds after the second failed login attempt to get the login prompt. The user is disconnected 15 seconds after the third failed attempt because the tries-before-disconnect option is configured as 3.
The user cannot attempt another login until 120 minutes have elapsed, unless a security administrator manually clears the lock sooner.
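The following Python helper is an added example, not Juniper code. It checks a retry-options stanza against the ranges and the lockout-period dependency listed in the two retry-options sections above, and it models the delay schedule those sections describe: the delay starts at backoff-factor once the failed-attempt count reaches backoff-threshold, grows by backoff-factor for each further failure, and the connection drops after tries-before-disconnect failures. The schedule is a model of the documented behavior, not the Junos implementation.

```python
"""Linter and delay model for Junos [edit system login retry-options].

Added example, not Juniper code.  Ranges and defaults are those listed in the
documentation above; the schedule is a model of the behaviour it describes,
not the actual Junos implementation.
"""

# option -> (minimum, maximum, default); lockout-period has no default.
RANGES = {
    "tries-before-disconnect": (1, 10, 10),
    "backoff-threshold": (1, 3, 2),
    "backoff-factor": (5, 10, 5),   # seconds
    "maximum-time": (20, 300, 120),  # seconds
    "minimum-time": (20, 60, 40),    # seconds
    "lockout-period": (1, 43200, None),  # minutes
}


def validate_retry_options(opts):
    """Return a list of problems with a retry-options stanza (empty if it is OK)."""
    problems = []
    for name, value in opts.items():
        if name not in RANGES:
            problems.append(f"unknown option {name}")
            continue
        lo, hi, _ = RANGES[name]
        if not isinstance(value, int) or not lo <= value <= hi:
            problems.append(f"{name} {value} outside {lo}..{hi}")
    # Per the docs, lockout-period is meaningless without tries-before-disconnect.
    if "lockout-period" in opts and "tries-before-disconnect" not in opts:
        problems.append("lockout-period requires tries-before-disconnect")
    return problems


def backoff_schedule(opts):
    """Delay in seconds the user sees after each failed attempt 1..tries.

    The last entry is followed by a disconnect and, when lockout-period is
    configured, by a lock on the account for that many minutes.  Unset options
    take the documented defaults.
    """
    tries = opts.get("tries-before-disconnect", RANGES["tries-before-disconnect"][2])
    threshold = opts.get("backoff-threshold", RANGES["backoff-threshold"][2])
    factor = opts.get("backoff-factor", RANGES["backoff-factor"][2])
    return [factor * (n - threshold + 1) if n >= threshold else 0
            for n in range(1, tries + 1)]


# The lockout example configured above, constructed as a dict.
LOCKOUT_EXAMPLE = {"backoff-factor": 5, "backoff-threshold": 1,
                   "lockout-period": 120, "tries-before-disconnect": 3}
```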
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set system login retry-options backoff-factor 5
set system login retry-options backoff-threshold 1
set system login retry-options lockout-period 120
set system login retry-options tries-before-disconnect 3
Step-by-Step Procedure
To configure system retry-options:
Configure the backoff factor.
[edit]
user@host# set system login retry-options backoff-factor 5
Configure the backoff threshold.
[edit]
user@host# set system login retry-options backoff-threshold 1
Configure the amount of time the device stays locked after the failed attempts.
[edit]
user@host# set system login retry-options lockout-period 5
Configure the number of unsuccessful attempts allowed before the user account is locked.
[edit]
user@host# set system login retry-options tries-before-disconnect 3
Results
From configuration mode, confirm your configuration by entering the show system login retry-options command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show system login retry-options
backoff-factor 5;
backoff-threshold 1;
lockout-period 5;
tries-before-disconnect 3;
Confirm that the configuration is working properly.
If you are done configuring the device, enter commit from configuration mode.
Verification
Displaying the Locked User Logins
Purpose
Verify that the login lockout configuration is enabled.
Action
Attempt three unsuccessful logins for a particular username. The device will be locked for that username; then log in to the device with a different username. From operational mode, enter the show system login lockout command.
Meaning
When you perform three unsuccessful login attempts with a particular username, the device is locked for that user for five minutes, as configured in the example. You can verify that the device is locked for that user by logging in to the device with a different username and entering the show system login lockout command.