Root Password
When the device is powered on for the first time, it is ready to be configured. Initially, you log in as the user root with no password. You must configure a password for the root-level user (whose username is root) the first time you modify and commit the configuration. Configuring a plain-text password, which the device stores only as a hash, is one way to protect the root level from access by unauthorized users. If you forget the root password for the device, you can use the password recovery procedure to reset it.
Configure the Root Password
When you power on the router or switch, it is ready to be configured. Initially, you log in as the user root with no password. The root user (also referred to as the superuser) is a predefined account with unrestricted access and full permissions within the system, including the root directory, which is the entry point to all other folders and files on the device. The expression "log in as root" is commonly used when an action requires the user to log in to the device as the root user.
If you configure a blank password using the encrypted-password statement at the [edit system root-authentication] hierarchy level, the configuration commits, but no typed password can match the empty value, so you cannot log in as the root user and gain root-level access to the router or switch. Unless an SSH public key is also configured for root, this leaves the root account without any working login method.
After you log in, you should configure the root (superuser) password by including the root-authentication statement at the [edit system] hierarchy level and configuring one of the password options:

    [edit system]
    root-authentication {
        (encrypted-password "password" | plain-text-password);
        load-key-file URL filename;
        ssh-ecdsa "public-key" <from hostname>;
        ssh-rsa "public-key" <from hostname>;
    }
If you configure the plain-text-password option, you are prompted to enter and confirm the password:

    [edit system]
    user@host# set root-authentication plain-text-password
    New password: type password here
    Retype new password: retype password here
The default requirements for plain-text passwords are:
- The password must be between 6 and 128 characters long.
- You can include most character classes in a password (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.
- Valid passwords must contain at least one change of case or one change of character class; a password drawn entirely from a single class is rejected.
Junos-FIPS software has special password requirements. FIPS passwords must be between 10 and 20 characters in length and must use at least three of the five defined character sets (uppercase letters, lowercase letters, digits, punctuation marks, and other special characters). If Junos-FIPS is installed on the router or switch, you cannot configure a password unless it meets this standard.
Starting in Junos OS Release 23.1R1, the 20-character upper limit on the root password no longer applies. The complexity and minimum-length requirements are unchanged from earlier releases.
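The two rule sets above are easy to misread (the default policy wants a change of case or class, the FIPS policy wants three of five classes), so it helps to check a candidate before typing it at the New password prompt. The following checker is an added example written for this page, not Juniper code, and it runs offline on any string. It assumes a mapping of characters to the five classes the text names (punctuation is taken to be string.punctuation, any other printable non-alphanumeric character is "special", and non-printable characters are "control"); the page does not define that mapping itself. The release_23_1_or_later flag models the removal of the 20-character limit.

```python
import string

FIVE_CLASSES = ("upper", "lower", "digit", "punct", "special")


def classify(ch: str) -> str:
    """Map one character to a class name.

    Assumption (not stated on the page): punctuation means string.punctuation,
    any other printable non-alphanumeric character is 'special', and
    non-printable characters are 'control', which the text only discourages.
    """
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    if ch in string.punctuation:
        return "punct"
    if ch.isprintable():
        return "special"
    return "control"


def check_default(pw: str) -> list[str]:
    """Problems under the default policy (6..128 chars, at least one change
    of case or character class). An empty list means the password is acceptable."""
    problems = []
    if not 6 <= len(pw) <= 128:
        problems.append(f"length {len(pw)} is outside 6..128")
    classes = {classify(c) for c in pw}
    if "control" in classes:
        problems.append("contains control characters, which are not recommended")
    # One change of case or class means at least two distinct classes appear.
    if len(classes - {"control"}) < 2:
        problems.append("every character is from one class; needs a change of case or class")
    return problems


def check_fips(pw: str, release_23_1_or_later: bool = False) -> list[str]:
    """Problems under the Junos-FIPS policy: 10..20 chars (no upper limit
    from 23.1R1) and at least three of the five character classes."""
    problems = []
    too_long = len(pw) > 20 and not release_23_1_or_later
    if len(pw) < 10 or too_long:
        limit = "10 or more" if release_23_1_or_later else "10..20"
        problems.append(f"length {len(pw)} is outside {limit}")
    used = {classify(c) for c in pw} & set(FIVE_CLASSES)
    if len(used) < 3:
        problems.append(f"uses {len(used)} of 5 character classes; FIPS needs at least 3")
    return problems


if __name__ == "__main__":
    # Constructed candidates: the first fails both policies, the second passes
    # only the default policy, the third passes both, the fourth passes FIPS
    # only once the 20-character limit is lifted.
    for candidate in ("abcdef", "Abcdef", "Abcdef1!xy", "Abcdefghijk1234567890"):
        print(repr(candidate),
              "default:", check_default(candidate) or "ok",
              "| fips:", check_fips(candidate) or "ok",
              "| fips 23.1R1+:", check_fips(candidate, True) or "ok")
```

Run it as a script to see the four constructed candidates scored, or import check_default and check_fips into a provisioning tool so a password that would be rejected at the prompt is caught before it is sent to the device.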
If you use the encrypted-password option, do not configure a null (empty) password. The value you supply is the already-hashed password string, not the plain-text password; it must be from 1 through 128 characters long and enclosed in quotation marks.
You can use the load-key-file URL filename statement to load an SSH public key file that was previously generated with ssh-keygen. The URL filename option is the path to the file's location and name. Load only the public half of the key pair (for example, id_rsa.pub), never the private key file. When you use this option, the contents of the key file are copied into the configuration immediately after you enter the load-key-file URL statement. This statement loads RSA (SSH version 1 and SSH version 2) and DSA (SSH version 2) public keys.
Optionally, you can use the ssh-ecdsa or ssh-rsa statements to configure SSH ECDSA or RSA public keys directly to authenticate root logins. You can configure more than one public key for SSH authentication of root logins, as well as for user accounts. When a user logs in as root, the SSH server checks whether the client's private key corresponds to any of the configured public keys.
    [edit system]
    user@host# set root-authentication load-key-file my-host:.ssh/id_rsa.pub
    .file.19692 | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%
In configuration mode, you can confirm your SSH key entries by entering the show command. It should look similar to the following output:

    [edit system]
    user@host# show
    root-authentication {
        ssh-rsa "$ABC123"; ## SECRET-DATA
    }
Example: Configure a Plain-Text Password for Root Logins
This example shows how to configure a plain-text password for the root-level user (the username is root). Configuring a plain-text password is one way to prevent unauthorized users from accessing the root level. You must prevent unauthorized users from gaining access to superuser commands that can be used to alter your system configuration.
Requirements
No special configuration beyond device initialization is required before configuring this example.
The default requirements for a plain-text password are as follows:
- Must be from 6 up to 128 characters long.
- Can include most character classes (uppercase letters, lowercase letters, numbers, punctuation marks, and other special characters). Control characters are not recommended.
- Must contain at least one change of case or character class.
Overview
When you power on the router, it is ready to be configured. Initially, you log in as the root-level user with no password. To set the root password, you have several options. This example shows how to enter a plain-text password that the device then encrypts for you.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following command and paste it into the window. When prompted, type the new password, and then when prompted, retype it.
set system root-authentication plain-text-password
Configure a Plain-Text Password for User Root
Step-by-Step Procedure
To configure a plain-text password for the root-level user:
- Type the set command for the plain-text password and press Enter.

    [edit]
    user@host# set system root-authentication plain-text-password
    New password:

- Type the new password next to the New password prompt and press Enter.

    New password: new-password
    Retype new password:

- Retype the same password next to the Retype new password prompt and press Enter.

    New password: new-password
    Retype new password: new-password
Results
In configuration mode, confirm your configuration by using the show system command. It should look something like this:

    [edit]
    user@host# show system
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
After you have confirmed that the configuration is correct, enter commit in configuration mode.
Verification
Verify the Configuration of a Plain-Text Password for User Root
Purpose
Verify the configuration of a plain-text password for the root-level user.
Action
In operational mode, confirm your configuration by entering the show configuration system command.

    user@host> show configuration system
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
Meaning
If you use a plain-text password, the device hashes the password as soon as you configure it and stores only the hash, shown as encrypted-password in the configuration. You do not have to configure the device to do this, as in some other systems. Plain-text passwords are hidden and marked as ## SECRET-DATA in the configuration. When a user views the configuration, the user sees only the hashed string, not the password that was typed.
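The show configuration system output above, the multiple-key SSH section earlier on this page, and the blank encrypted-password case all come together when you review root-authentication on a fleet of devices. The following auditor is an added example written for this page, not Juniper code. It parses the text form of the stanza as shown above and reports the facts a reviewer wants: whether root can log in with a password at all, what hash format is stored, and which SSH key statements are present; it also tells you which statement a line from an ssh-keygen .pub file belongs under before you use load-key-file. Assumptions beyond the page: the hash uses crypt(3)-style prefixes ($1$ for MD5-crypt, $5$ for SHA-256-crypt, $6$ for SHA-512-crypt); DSA keys are configured with the ssh-dsa statement; the sample stanza, its placeholder hash and key bodies are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of the stanza as 'show configuration system' prints it;
# the hash and key bodies are placeholders, not real credentials.
SAMPLE_STANZA = """\
root-authentication {
    encrypted-password "$1$saltsalt$PLACEHOLDERHASHVALUE"; ## SECRET-DATA
    ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER admin@jumphost"; ## SECRET-DATA
    ssh-dsa "ssh-dss AAAAB3NzaC1kc3MAAACBPLACEHOLDER legacy@oldhost"; ## SECRET-DATA
}
"""

# Assumption: crypt(3)-style prefixes identify the hash algorithm.
HASH_PREFIXES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
DEPRECATED_STATEMENTS = {"ssh-dsa", "ssh-dss"}
STATEMENT_RE = re.compile(
    r'^\s*(encrypted-password|ssh-rsa|ssh-ecdsa|ssh-dsa|ssh-dss)\s+"([^"]*)"\s*;'
)
# First token of an OpenSSH .pub line -> root-authentication statement to use.
# Assumption: DSA keys go under ssh-dsa, which the change history marks deprecated.
KEY_TYPE_TO_STATEMENT = {
    "ssh-rsa": "ssh-rsa",
    "ecdsa-sha2-nistp256": "ssh-ecdsa",
    "ecdsa-sha2-nistp384": "ssh-ecdsa",
    "ecdsa-sha2-nistp521": "ssh-ecdsa",
    "ssh-dss": "ssh-dsa (deprecated)",
}


@dataclass
class RootAuthAudit:
    password_state: str                         # "absent", "disabled", or hash algorithm
    keys: list = field(default_factory=list)    # (statement, key comment)
    findings: list = field(default_factory=list)


def audit_root_authentication(stanza: str) -> RootAuthAudit:
    """Parse one root-authentication stanza and list what a reviewer should know."""
    password_state, keys = "absent", []
    for line in stanza.splitlines():
        m = STATEMENT_RE.match(line)
        if not m:
            continue
        stmt, value = m.groups()
        if stmt == "encrypted-password":
            if value == "":
                password_state = "disabled"   # nothing typed can match an empty hash
            else:
                password_state = next(
                    (name for pfx, name in HASH_PREFIXES.items() if value.startswith(pfx)),
                    "unknown-format",
                )
        else:
            parts = value.split(maxsplit=2)   # type, base64 body, optional comment
            keys.append((stmt, parts[2] if len(parts) == 3 else ""))
    audit = RootAuthAudit(password_state, keys)
    add = audit.findings.append
    if password_state == "absent" and not keys:
        add("root has no authentication configured: it still logs in with no password")
    if password_state == "disabled" and not keys:
        add("empty encrypted-password and no SSH key: root cannot log in at all")
    if password_state == "md5-crypt":
        add("root password hash is MD5-crypt ($1$), weaker than the SHA-based formats")
    if password_state == "unknown-format":
        add("encrypted-password does not start with a prefix this example recognises")
    for stmt, comment in keys:
        if stmt in DEPRECATED_STATEMENTS:
            add(f"{stmt} key ({comment or 'no comment'}) uses the deprecated DSA key type")
    return audit


def statement_for_pub_key(pub_line: str) -> str:
    """Tell which statement a line from an ssh-keygen .pub file belongs under,
    and refuse a private key pasted by mistake."""
    if pub_line.startswith("-----BEGIN"):
        raise ValueError("this is a private key; only the .pub file may be loaded")
    key_type = pub_line.split(maxsplit=1)[0] if pub_line.strip() else ""
    return KEY_TYPE_TO_STATEMENT.get(key_type, "unsupported key type")


if __name__ == "__main__":
    result = audit_root_authentication(SAMPLE_STANZA)
    print("password:", result.password_state, "| keys:", result.keys)
    for finding in result.findings:
        print(" -", finding)
```

Feed it the text of show configuration system root-authentication captured from each device; the sample stanza is only there so the script runs stand-alone. The "disabled" state is reported separately from "absent" on purpose: the first is a lockout (the configuration committed, but root cannot log in), the second is the factory state where root logs in with no password at all.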
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
The ssh-dss and ssh-dsa hostkey algorithms are deprecated rather than immediately removed, to provide backward compatibility and a chance to bring your configuration into compliance with the new configuration.