User Accounts Overview
User accounts provide one way for users to access a device. For each account, you define the user's login name, password, and any additional user information. After you have created an account, the software creates a home directory for the user.
An account for the user root is always present in the configuration. You can configure the password for root using the root-authentication statement.
While it is common to use remote authentication servers to centrally store information about users, it is also good practice to configure at least one non-root user on each device. This way, you can still access the device if its connection to the remote authentication server is disrupted. This non-root user usually has a generic name such as admin.
For each user account, you can define the following:
- Username (Required): Name that identifies the user. It must be unique. Avoid using spaces, colons, or commas in the username. The username can include up to 64 characters.
- User's full name (Optional): If the full name contains spaces, enclose it in quotation marks. Avoid the use of colons or commas.
- User identifier (UID) (Optional): Numeric identifier that is associated with the user account name. The UID is assigned automatically when you commit the configuration, so you do not need to set it manually. However, if you choose to configure the UID manually, use a unique value in the range from 100 through 64,000.
- User's access privilege (Required): One of the login classes you defined in the class statement at the [edit system login] hierarchy, or one of the default login classes.
- Authentication method or methods and passwords for device access (Required): You can use an SSH key, a Message Digest 5 (MD5) password, or a plain-text password that Junos OS encrypts using MD5-style encryption before entering it in the password database. For each method, you can specify the user's password. If you configure the plain-text-password option, you receive a prompt to enter and confirm the password:

    [edit system login user username]
    user@host# set authentication plain-text-password
    New password: type password here
    Retype new password: retype password here

To create valid plain-text passwords, make sure that they:
- Contain between 6 and 128 characters.
- Include most character classes (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters) but do not include control characters.
- Contain at least one change of case or character class.
Junos-FIPS and Common Criteria have the following special password requirements. They must:
- Be between 10 and 20 characters long.
- Use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters).
If Junos-FIPS is installed on the device, you must adhere to the special password requirements, or the passwords are not configured.
- For SSH authentication, you can copy the contents of an SSH key file into the configuration. You can also configure SSH key information directly. Use the load-key-file statement to load an SSH key file that was generated previously (for example, by using ssh-keygen). The load-key-file argument is the path to the file location and name. The load-key-file statement loads RSA (SSH version 1 and SSH version 2) public keys. The contents of the SSH key file are copied into the configuration immediately after you configure the load-key-file statement.
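The plain-text password rules and the stricter Junos-FIPS/Common Criteria rules listed above, turned into a checker you can run before pushing a configuration. This is an added example, not Juniper's own code; it assumes an ASCII mapping for the five character sets (uppercase, lowercase, digits, punctuation, and everything else as "other special characters"), which the page does not define precisely.

```python
import string
import unicodedata

# The five character sets named in the password rules above (ASCII mapping assumed).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "punctuation": set(string.punctuation),
}


def char_class(ch):
    """Map one character to a character set; anything unlisted is 'other'."""
    for name, members in CLASSES.items():
        if ch in members:
            return name
    return "other"  # other special characters (space, non-ASCII, ...)


def has_control_char(pw):
    """True if the password contains a control character (Unicode category Cc)."""
    return any(unicodedata.category(ch) == "Cc" for ch in pw)


def check_plain_text_password(pw):
    """List the standard (non-FIPS) rules a plain-text password violates; [] means valid."""
    problems = []
    if not 6 <= len(pw) <= 128:
        problems.append("length must be between 6 and 128 characters")
    if has_control_char(pw):
        problems.append("control characters are not allowed")
    # "At least one change of case or character class" == two or more classes present.
    if len({char_class(ch) for ch in pw}) < 2:
        problems.append("must contain at least one change of case or character class")
    return problems


def check_fips_password(pw):
    """List the stricter Junos-FIPS / Common Criteria rules a password violates."""
    problems = []
    if not 10 <= len(pw) <= 20:
        problems.append("Junos-FIPS: length must be between 10 and 20 characters")
    if has_control_char(pw):
        problems.append("control characters are not allowed")
    if len({char_class(ch) for ch in pw}) < 3:
        problems.append("Junos-FIPS: must use at least three of the five character sets")
    return problems
```

On a device with Junos-FIPS installed, a password that fails check_fips_password is the one the page says will not be configured, so run that check rather than the standard one there.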
Avoid using the following Transport Layer Security (TLS) version and cipher suite (RSA host key) combinations, which will fail:
With RSA host keys:
- TLS_1.0@DHE-RSA-AES128-SHA
- TLS_1.0@DHE-RSA-AES256-SHA
For each user account and for root logins, you can configure more than one public RSA key for user authentication. When a user logs in using a user account or as root, the configured public keys are referenced to determine whether the private key matches any of the user accounts.
To view the SSH key entries, use the configuration mode show command. For example:

    [edit system login user boojum]
    user@host# set authentication load-key-file my-host:.ssh/id_rsa.pub
    .file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
    [edit system login user boojum]
    user@host# show
    authentication {
        ssh-rsa "$ABC123"; # SECRET-DATA
    }