Login Settings
Junos OS enables you to define various settings for users when they log in to a device. You (the system administrator) can configure:
- Messages or announcements to display before or after login
- Whether to display system alarms upon login
- Login tips
- Time-based user access
- Timeout values for idle sessions
- Limits on the number of login attempts
- Whether to lock a user account after a number of failed authentication attempts
Display a System Login Announcement or Message
Sometimes you want to make announcements only to authorized users after they log in to a device. For example, you might want to announce an upcoming maintenance event. At other times, it might be appropriate to display a message, such as a security warning, to any user that connects to the device.
By default, Junos OS does not display any login message or announcement. You can configure the device to display a login message or announcement by including the message statement or the announcement statement at the [edit system login] hierarchy level. Whereas the device displays a login message after a user connects to the device but before the user logs in, it displays an announcement only after the user successfully logs in to the device.
You can format the message or announcement text using the following special characters. If the text contains spaces, enclose it in quotation marks:
- \n—New line
- \t—Horizontal tab
- \'—Single quotation mark
- \"—Double quotation mark
- \\—Backslash
To configure an announcement that only authorized users can see and a message that any user can see:
Display System Alarms Upon Login
You can configure Juniper Networks devices to execute the show system alarms command whenever a user in a given login class logs in to the device.
To display alarms whenever a user in a specific login class logs in to the device:
When a user in the given login class logs in to the device, the device displays the current alarms.
    $ ssh user@host.example.com
    Password:
    --- JUNOS 21.1R2.6-EVO Linux (none) 4.8.28-WR2.2.1_standard-g3999f55 #1 SMP PREEMPT Fri Jun 4 00:19:58 PDT 2021 x86_64 x86_64 x86_64 GNU/Linux
    2 alarms currently active
    Alarm time               Class  Description
    2021-07-22 15:00:14 PDT  Minor  port-1/0/0: Optics does not support configured speed
    2021-07-22 15:00:14 PDT  Minor  port-1/0/1: Optics does not support configured speed
Configure Login Tips
You can configure the Junos OS CLI to display a tip whenever a user in the given login class logs in to the device. The device does not display tips by default.
To enable tips:
When you configure the login-tip statement, the device displays a tip to any user in the specified class who logs in to the device.
    $ ssh user@host.example.com
    Password:
    JUNOS tip: In configuration mode, the [edit] banner displays the current location in the configuration hierarchy.
    user@host>
Configure Time-Based User Access
You can configure supported Juniper Networks devices to enforce time-based user access for users in a given class. Time-based user access restricts the time and duration of user logins for all users belonging to the class. You can restrict user access based on the time of day or day of the week.
To restrict user access to certain days or times, include the following statements at the [edit system login class class-name] hierarchy level:
- allowed-days—Configure user access on specific days of the week.
- access-start and access-end—Configure user access between the specified start time and end time (hh:mm).
To configure time-based user access:
- Enable access on specific days of the week.
    [edit system login class class-name]
    user@host# set allowed-days [ day1 day2 ]
  For example, to configure user access for the operator-round-the-clock-access login class from Monday through Friday without any restriction on access time:
    [edit system login class operator-round-the-clock-access]
    user@host# set allowed-days [ monday tuesday wednesday thursday friday ]
- Enable access at specific times of the day.
    [edit system login class class-name]
    user@host# set access-start hh:mm
    user@host# set access-end hh:mm
  For example, to configure user access for the operator-day-shift-all-days-of-the-week login class from 8:30 AM through 4:30 PM on all days of the week:
    [edit system login class operator-day-shift-all-days-of-the-week]
    user@host# set access-start 08:30
    user@host# set access-end 16:30
You can also configure access to include both days and times. The following example configures user access for the operator-day-shift login class on Monday, Wednesday, and Friday from 8:30 AM through 4:30 PM:
    [edit system login class operator-day-shift]
    user@host# set allowed-days [ monday wednesday friday ]
    user@host# set access-start 08:30
    user@host# set access-end 16:30
Alternatively, you can specify the login start time and end time for the operator-day-shift login class by using the following format:
    [edit system login class operator-day-shift]
    user@host# set allowed-days [ monday wednesday friday ]
    user@host# set access-start 08:30am
    user@host# set access-end 04:30pm
The access start and end times might span across 12:00 AM on a given day. In that case, the user still has access until the next day, even if you do not explicitly configure that day in the allowed-days statement.
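The day-and-time rules above, including the midnight-spanning case, as an added Python model of how an allowed-days / access-start / access-end window is evaluated. This is an illustration written for this page, not Junos code; the class names and login timestamps it is exercised with are constructed.

```python
from datetime import datetime, time

# Constructed model of the [edit system login class] time-based access statements
# (allowed-days, access-start, access-end). Added illustration, not Junos code;
# the midnight-spanning rule follows the page's description.

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_access_time(text: str) -> time:
    """Accept both forms the page shows: 24-hour hh:mm and hh:mmam / hh:mmpm."""
    text = text.strip().lower()
    for fmt in ("%H:%M", "%I:%M%p"):
        try:
            return datetime.strptime(text, fmt).time()
        except ValueError:
            continue
    raise ValueError(f"unrecognised access time: {text!r}")


def access_allowed(allowed_days, access_start: str, access_end: str, login_at: str) -> bool:
    """Return True if a login at `login_at` ("YYYY-MM-DD HH:MM") is inside the window.

    An empty allowed-days list means every day of the week. When access-end is
    earlier than access-start the window spans midnight, and the page says the user
    keeps access into the next day even if that day is not in allowed-days: the
    early part of the next day is therefore credited to the previous (allowed) day.
    """
    when = datetime.strptime(login_at, "%Y-%m-%d %H:%M")
    start, end = parse_access_time(access_start), parse_access_time(access_end)
    days = {d.lower() for d in (allowed_days or [])} or set(DAYS)
    today = DAYS[when.weekday()]
    yesterday = DAYS[(when.weekday() - 1) % 7]
    now = when.time()
    if start <= end:
        # Same-day window: the day must be allowed and the time inside [start, end].
        return today in days and start <= now <= end
    # Midnight-spanning window: the evening part of an allowed day, or the
    # early-morning spill-over from the previous allowed day.
    return (today in days and now >= start) or (yesterday in days and now <= end)
```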
Configure the Timeout Value for Idle Login Sessions
An idle login session is one in which the CLI displays the operational mode or configuration mode prompt but there is no input from the keyboard. By default, a login session remains established until a user logs out of the device, even if that session is idle. To close idle sessions automatically, you must configure a time limit for each login class. If a session established by a user in that class remains idle for the configured time limit, the session automatically closes. Automatically closing idle login sessions helps to prevent malicious users from gaining access to the device and performing operations with an authorized user account.
You can configure an idle timeout only for user-defined classes. You cannot configure this option for the system predefined classes: operator, read-only, super-user or superuser, and unauthorized.
To define the timeout value for idle login sessions:
If you configure a timeout value, the CLI displays messages similar to the following when timing out an idle user. The CLI starts displaying these messages 5 minutes before disconnecting the user.
    user@host>
    Session will be closed in 5 minutes if there is no activity.
    Warning: session will be closed in 1 minute if there is no activity
    Warning: session will be closed in 10 seconds if there is no activity
    Idle timeout exceeded: closing session
If you configure a timeout value, the session closes after the specified time elapses, except in the following cases:
- The user is running the ssh or telnet command.
- The user is logged into the local UNIX shell.
- The user is monitoring interfaces using the monitor interface or the monitor traffic command.
Login Retry Options
You can configure login retry options on Juniper Network devices to protect the devices from malicious users. You can configure the following options:
- The number of times a user can enter invalid login credentials before the system closes the connection.
- Whether and for how long to lock a user account after the user reaches the threshold of failed authentication attempts.
Limiting the login attempts and locking the user account help to protect the device from malicious users attempting to access the system by guessing the password of an authorized user account. You can unlock the user account or define a time period for the user account to remain locked.
You configure login retry options at the [edit system login retry-options] hierarchy level. The tries-before-disconnect statement defines the threshold of failed login attempts before the device disconnects the user. The device allows three unsuccessful login attempts by default.
The lockout-period statement instructs the device to lock the user account for the specified amount of time if the user reaches the threshold of unsuccessful login attempts. The lock prevents the user from performing activities that require authentication, until the lockout time period has elapsed or a system administrator manually clears the lock. Any existing locks are ignored when the user attempts to log in from the local console.
To configure login retry options:
- Configure the number of times a user can attempt to enter a password.
    [edit system login retry-options]
    user@host# set tries-before-disconnect number
  For example, to enable a user to enter a password four times before the device closes the connection:
    [edit system login retry-options]
    user@host# set tries-before-disconnect 4
- Configure the number of minutes that the user account remains locked after a user reaches the threshold of failed login attempts.
    [edit system login retry-options]
    user@host# set lockout-period minutes
  For example, to lock a user account for 120 minutes after a user reaches the threshold of failed login attempts:
    [edit system login retry-options]
    user@host# set lockout-period 120
- Commit the configuration.
    [edit system login retry-options]
    user@host# commit
To clear the console during an administrator-initiated logout, include newline (\n) characters when you configure the message statement at the [edit system login] hierarchy level. To completely clear the console, the administrator can enter 50 or more \n characters in the message string. For example:
user@host# set system login message "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n Welcome to Junos!!!"
Limit the Number of User Login Attempts for SSH and Telnet Sessions
You can limit the number of times a user can attempt to enter a password while logging in to a device through SSH or Telnet. The device terminates the connection if a user fails to log in after the number of specified attempts. You can also specify a delay, in seconds, before a user can try to enter a password after a failed attempt. In addition, you can specify the threshold for the number of failed attempts before the user experiences a delay in being able to enter a password again.
To specify the number of times a user can attempt to enter a password while logging in, include the retry-options statement at the [edit system login] hierarchy level:
    [edit system login]
    retry-options {
        tries-before-disconnect number;
        backoff-threshold number;
        backoff-factor seconds;
        lockout-period minutes;
        maximum-time seconds;
        minimum-time seconds;
    }
You can configure the following options:
- tries-before-disconnect—Maximum number of times a user can enter a password when logging in to the device through SSH or Telnet. The connection closes if a user fails to log in after the number specified. The range is from 1 through 10, and the default is 3.
- backoff-threshold—Threshold for the number of failed login attempts before the user experiences a delay in being able to enter a password again. The range is from 1 through 3, and the default is 2. Use the backoff-factor option to specify the length of the delay.
- backoff-factor—Length of time, in seconds, that the user must wait after a failed login attempt above the backoff-threshold. The delay increases by the specified value for each subsequent attempt after the backoff-threshold value. The range is from 5 through 10, and the default is 5 seconds.
- lockout-period—Length of time, in minutes, that a user account is locked after reaching the tries-before-disconnect threshold. The range is 1 through 43,200 minutes.
- maximum-time seconds—Maximum length of time, in seconds, that the connection remains open for the user to enter a username and password to log in. If the user remains idle and does not enter a username and password within the configured maximum-time, the connection closes. The range is from 20 through 300 seconds, and the default is 120 seconds.
- minimum-time—Minimum length of time, in seconds, that a connection remains open while a user is attempting to enter a correct password. The range is from 20 through 60, and the default is 20 seconds.
Limiting the number of SSH and Telnet login attempts per user is one of the most effective methods of stopping brute force attacks from compromising your network security. Brute force attackers execute a large number of login attempts in a short period of time to illegitimately gain access to a private network. By configuring the retry-options statements, you can create an increasing delay after each failed login attempt, eventually disconnecting any user who passes your set threshold of login attempts.
To limit the login attempts when a user logs in through SSH or Telnet:
For the following configuration, the user experiences a delay of 5 seconds after the second attempt to enter a correct password fails. After each subsequent failed attempt, the delay increases by 5 seconds. After the fourth and final failed attempt to enter a correct password, the user experiences an additional 10-second delay. The connection closes after a total of 40 seconds.
    [edit]
    system {
        login {
            retry-options {
                backoff-threshold 2;
                backoff-factor 5;
                minimum-time 40;
                tries-before-disconnect 4;
            }
        }
    }
Example: Configure Login Retry Options
This example shows how to configure login retry options to protect a device from malicious users.
Requirements
Before you begin, you should understand Limit the Number of User Login Attempts for SSH and Telnet Sessions.
No special configuration beyond device initialization is required before configuring this feature.
Overview
Malicious users sometimes try to log in to a secure device by guessing the password of an authorized user account. You can lock a user account after a certain number of failed authentication attempts. This precaution helps protect devices from malicious users.
You can configure the number of failed login attempts before the device locks the user account, and you can configure the amount of time that the account remains locked. You can also configure the amount of time the user must wait between failed login attempts.
This example includes the following settings:
- backoff-factor—Length of delay in seconds that the user must wait after each failed login attempt above the backoff-threshold. The delay increases by this value for each subsequent login attempt after the value specified in the backoff-threshold statement.
- backoff-threshold—Threshold for the number of failed login attempts on the device before the user experiences a delay when attempting to reenter a password. When a user reaches the threshold of failed login attempts, the user experiences the delay set in the backoff-factor statement. After the delay, the user can make another login attempt.
- lockout-period—Number of minutes that the user account is locked after the user reaches the tries-before-disconnect threshold. The user must wait the configured number of minutes before they can log in to the device again.
- tries-before-disconnect—Maximum number of times the user can enter a password to attempt to log in to the device through SSH or Telnet.
If you are locked out of the device, you can log in to the device's console port, which ignores any user locks. This provides a way for administrators to remove the user lock on their own user account.
This example sets the tries-before-disconnect option to 3. As a result, the user has three attempts to log in to the device. If the number of failed login attempts is equal to the value specified in the backoff-threshold statement, the user must wait for the backoff-threshold multiplied by the backoff-factor interval, in seconds, to get the login prompt.
In this example, the user must wait 5 seconds after the first failed login attempt and 10 seconds after the second failed login attempt to get the login prompt. The device disconnects the user after the third failed attempt.
If the user does not successfully log in after three attempts, the user account is locked. The user cannot log in until 120 minutes have elapsed, unless a system administrator manually clears the lock during that time.
A system administrator can manually unlock an account by issuing the clear system login lockout user <username> command.
The show system login lockout command displays which user accounts are locked and when the lockout period begins and ends for each user.
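The retry-options semantics described under Limit the Number of User Login Attempts for SSH and Telnet Sessions, and the concrete numbers of this example (5 seconds after the first failure, 10 seconds after the second, disconnect on the third, 120-minute lock), as an added Python model. This is an illustration written for this page, not Junos code; the ranges and defaults are the ones the page lists, and the linear growth of the delay is an assumption inferred from the page's worked example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the [edit system login retry-options] behaviour this page
# describes. Added illustration, not Junos code. Ranges and defaults come from the
# page; the linear delay growth (threshold 1, factor 5 gives 5 s, then 10 s) is an
# assumption inferred from the page's worked example.


@dataclass(frozen=True)
class RetryOptions:
    tries_before_disconnect: int = 3        # range 1-10, default 3
    backoff_threshold: int = 2              # range 1-3, default 2
    backoff_factor: int = 5                 # seconds, range 5-10, default 5
    lockout_period: Optional[int] = None    # minutes, range 1-43200; None = no lock

    def __post_init__(self) -> None:
        # Reject values outside the ranges documented for these statements.
        checks = [
            (1 <= self.tries_before_disconnect <= 10, "tries-before-disconnect"),
            (1 <= self.backoff_threshold <= 3, "backoff-threshold"),
            (5 <= self.backoff_factor <= 10, "backoff-factor"),
            (self.lockout_period is None or 1 <= self.lockout_period <= 43200,
             "lockout-period"),
        ]
        for ok, name in checks:
            if not ok:
                raise ValueError(f"{name} is outside the documented range")


def delay_after_failure(opts: RetryOptions, failed_attempts: int) -> int:
    """Seconds the user waits after the n-th consecutive failed password.

    No delay below backoff-threshold; from the threshold on, each further failure
    adds another backoff-factor seconds (assumed linear, see lead-in).
    """
    if failed_attempts < opts.backoff_threshold:
        return 0
    return (failed_attempts - opts.backoff_threshold + 1) * opts.backoff_factor


def simulate_failed_logins(opts: RetryOptions, failures: int) -> Tuple[List[int], bool, int]:
    """Feed `failures` bad passwords into one SSH/Telnet session.

    Returns (delays, disconnected, lockout_minutes): the delay imposed after each
    attempt the session accepted, whether the device closed the connection, and
    the lockout applied to the account once tries-before-disconnect is reached.
    """
    delays: List[int] = []
    for n in range(1, min(failures, opts.tries_before_disconnect) + 1):
        delays.append(delay_after_failure(opts, n))
    disconnected = failures >= opts.tries_before_disconnect
    lockout = (opts.lockout_period or 0) if disconnected else 0
    return delays, disconnected, lockout
```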
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
    set system login retry-options backoff-factor 5
    set system login retry-options backoff-threshold 1
    set system login retry-options lockout-period 120
    set system login retry-options tries-before-disconnect 3
Step-by-Step Procedure
To configure system retry-options:
- Configure the backoff factor.
    [edit]
    user@host# set system login retry-options backoff-factor 5
- Configure the backoff threshold.
    [edit]
    user@host# set system login retry-options backoff-threshold 1
- Configure the number of minutes that the user account remains locked after a user reaches the threshold of failed login attempts.
    [edit]
    user@host# set system login retry-options lockout-period 120
- Configure the number of times a user can attempt to enter a password.
    [edit]
    user@host# set system login retry-options tries-before-disconnect 3
Results
From configuration mode, confirm your configuration by entering the show system login retry-options command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
    [edit]
    user@host# show system login retry-options
    tries-before-disconnect 3;
    backoff-threshold 1;
    backoff-factor 5;
    lockout-period 120;
If you are done configuring the device, enter commit from configuration mode.
Verification
Display the Locked User Logins
Purpose
Verify that the login lockout configuration is enabled.
Action
Attempt three unsuccessful logins for a particular username. The device will be locked for that username. Then log in to the device with a different username. From operational mode, issue the show system login lockout command to view the locked accounts.
    user@host> show system login lockout
    User      Lockout start            Lockout end
    jsmith    2021-08-17 16:27:28 PDT  2021-08-17 18:27:28 PDT
Meaning
After you perform three unsuccessful login attempts with a particular username, the device is locked for that user for 120 minutes, as configured in the example. You can verify that the device is locked for that user by logging in to the device with a different username and entering the show system login lockout command.