How to Tighten the Password on Junos Root Login
During the initial configuration of a new router, you set the root password as a plain-text password. Because the root user is able to perform any and all operations on the router, tightening access to the root login account is a good idea. One way to do so is to configure the root password using SSH key authentication, which is more secure than the plain-text password:
[edit system] fred@router# set root-authentication ssh-dsa "ssh-dss AAAAB3NzaC1kc3MAAACBAMQrfP2bZyBXJ6PC7XXZ+MzErI8Jl6jah5L4/O8BsfP2hC7EvRfNoX7MqbrtCX/9gUH9gChVuBCB+ERULMdgRvM5uGhC/gs4UX+4dBbfBgKYYwgmisM8EoT25m7qI8ybpl2YZvHNznvO8h7kr4kpYuQEpKvgsTdH/Jle4Uqnjv7DAAAAFQDZaqA6QAgbW3O/zveaLCIDj6p0dwAAAIB1iL+krWrXiD8NPpY+w4dWXEqaV3bnobzPC4eyxQKBUCOr80Q5YBlWXVBHx9elwBWZwj0SF4hLKHznExnLerVsMuTMA846RbQmSz62vM6kGM13HFonWeQvWia0TDr78+rOEgWF2KHBSIxL51lmIDW8Gql9hJfD/Dr/NKP97w3L0wAAAIEAr3FkWU8XbYytQYEKxsIN9P1UQ1ERXB3G40YwqFO484SlyKyYCfaz+yNsaAJu2C8UebDIR3GieyNcOAKf3inCG8jQwjLvZskuZwrvlsz/xtcxSoAh9axJcdUfSJYMW/g+mD26JK1Cliw5rwp2nH9kUrJxeI7IReDp4egNkM4i15o= mike@server"; ## SECRET-DATA
As you can see, this is a lot to type! If you don’t feel like entering so much text, you can also load an SSH key file from a network server:
[edit system] fred@router# set root-authentication load-key-file server-name:/dir/filename
When SSH is enabled, anyone with the root password or SSH private key can log in as the root user from anywhere on the network. This capability is useful in large networks or when you can’t get physical access to the router.
Generally, however, no one on the network should have any reason to log in to the router using the root account, so you can ratchet up the router security one level by forcing anyone logging in as root to log in directly from the router’s console port. To do so, you disable root login through SSH:
[edit system] fred@router# set services ssh root-login deny
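The two steps above (putting an SSH public key on the root account, then denying root login over SSH) are easy to get subtly wrong: a key copied from wrapped text picks up stray spaces, a key line can declare one type while its blob carries another, and the `root-login deny` statement is easy to forget after the key is in place. The following Python helper is an added example, not code from the page or from Juniper. It parses an OpenSSH public-key line, checks that the declared type matches the type embedded in the base64 blob, emits the matching `set system root-authentication` statement, and audits `show configuration | display set` output for the controls described above. The `ssh-rsa` and `ssh-dsa` keywords are the long-standing Junos ones; the `ssh-ecdsa` and `ssh-ed25519` entries are assumptions about newer releases. The key blobs and configuration lines are constructed and the keys are not usable. Note that OpenSSH has disabled `ssh-dss` (DSA) keys by default since version 7.0, so a DSA key like the one shown above is flagged.

```python
# Added example: key-based Junos root authentication checks (not Juniper code).
import base64
import struct

# OpenSSH key-type prefix -> Junos root-authentication keyword.
# ssh-rsa and ssh-dsa are long-standing Junos keywords; the ecdsa and
# ed25519 entries are assumptions about newer releases (check with '?').
JUNOS_KEYWORD = {
    "ssh-rsa": "ssh-rsa",
    "ssh-dss": "ssh-dsa",
    "ecdsa-sha2-nistp256": "ssh-ecdsa",
    "ecdsa-sha2-nistp384": "ssh-ecdsa",
    "ecdsa-sha2-nistp521": "ssh-ecdsa",
    "ssh-ed25519": "ssh-ed25519",
}
DEPRECATED_TYPES = {"ssh-dss"}  # OpenSSH has disabled DSA by default since 7.0


def _string(data):
    """Encode one SSH wire-format string: uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (leading 0x00 if needed)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _string(raw)


def _read_string(blob, offset=0):
    """Decode one wire-format string at offset; raise on truncation."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_openssh_pubkey(line):
    """Return (key_type, blob, comment) for an authorized_keys-style line.

    Raises ValueError for bad base64 (for example whitespace picked up from
    a line-wrapped key) or when the declared type disagrees with the type
    string at the start of the blob.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    embedded, _ = _read_string(blob)
    if embedded != key_type.encode():
        raise ValueError(f"declared {key_type}, blob says {embedded!r}")
    return key_type, blob, comment


def junos_root_key_statement(line):
    """Return (set_statement, warnings) for a validated public-key line."""
    key_type, _blob, _comment = parse_openssh_pubkey(line)
    keyword = JUNOS_KEYWORD.get(key_type)
    if keyword is None:
        raise ValueError(f"no Junos keyword known for {key_type}")
    warnings = []
    if key_type in DEPRECATED_TYPES:
        warnings.append(f"{key_type} is deprecated by OpenSSH; prefer RSA or Ed25519")
    return f'set system root-authentication {keyword} "{line.strip()}"', warnings


def audit_root_access(set_lines):
    """Summarise root-login controls from `display set` configuration lines.

    Returns {"methods": [...], "ssh_root_login": str, "findings": [...]}; an
    empty findings list means the configuration matches the steps in the text.
    """
    methods = set()
    root_login = "not set (release default applies)"
    for raw in set_lines:
        line = raw.strip()
        if line.startswith("set system root-authentication "):
            stanza = line.split()[3]
            # a plain-text-password is stored as encrypted-password once committed
            if stanza in ("plain-text-password", "encrypted-password"):
                methods.add("password")
            elif stanza.startswith("ssh-"):
                methods.add("ssh-key")
        elif line.startswith("set system services ssh root-login "):
            root_login = line.split()[5]  # allow | deny | deny-password
    findings = []
    if "ssh-key" not in methods:
        findings.append("root authentication does not use an SSH key")
    if root_login != "deny":
        findings.append("root login over SSH is not denied "
                        "(want: set system services ssh root-login deny)")
    return {"methods": sorted(methods), "ssh_root_login": root_login,
            "findings": findings}


def constructed_key_line(key_type, comment="mike@server"):
    """Build a syntactically valid but cryptographically useless key line (constructed)."""
    if key_type == "ssh-rsa":
        blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(0x0C0FFEE12345)
    elif key_type == "ssh-dss":
        blob = _string(b"ssh-dss") + b"".join(_mpint(v) for v in (7, 11, 13, 17))
    else:
        raise ValueError(key_type)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


# Constructed `display set` excerpt: password-only root, SSH root login allowed.
SAMPLE_CONFIG = [
    "set system host-name router",
    'set system root-authentication encrypted-password "$6$PLACEHOLDER-HASH"',
    "set system services ssh root-login allow",
]

if __name__ == "__main__":
    print(junos_root_key_statement(constructed_key_line("ssh-dss")))
    print(audit_root_access(SAMPLE_CONFIG))
```

Run the audit over the real `show configuration | display set` output of a router: the two findings it reports on the constructed sample are exactly the two changes this section makes, and both disappear once a key is configured and `root-login deny` is committed.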
The console port is enabled by default on Junos routers. Although you can disable it, don’t! The only way you can remain logged in to a router while it’s rebooting is by connecting to the console port. This is helpful when troubleshooting router problems. Also, if you lose network access to the router, the only way to access the router is to connect a laptop or terminal to the router’s console port.
Password selection is one of the most important ways to protect a router from hackers and other types of unwanted attacks. Be sure that the root and user accounts you create on the router all have passwords and that the passwords are strong:
Choose a password that is a combination of uppercase and lowercase letters, digits, and punctuation characters.
Choose a password that is a phrase or a shortened version of a phrase that you can easily remember without writing it down.
Don’t choose the router vendor name (such as juniper), the string admin, or the string password.
Don’t choose an easily guessable password, such as your birthday or spouse’s name.
Don’t use a word that’s in a dictionary in any language. Automated brute-force programs can rapidly try all words in all online dictionaries when attempting to break into a router.
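The rules above can be checked before a password is ever typed into `set root-authentication plain-text-password`. The following Python function is an added example, not code from the page or from Juniper: it applies the mechanically testable rules (the character-class mix, the banned vendor/admin/password strings, personal details such as a birth year or a name, and dictionary words, including a dictionary word dressed up with digits and punctuation). The small word list is a constructed stand-in for real dictionaries, and the "memorable phrase" advice cannot be tested by code.

```python
# Added example: check a candidate router password against the rules in the text.
import string

# Constructed stand-in for "all words in all online dictionaries".
SAMPLE_DICTIONARY = {
    "juniper", "router", "summer", "password", "admin", "secret",
    "letmein", "welcome", "schatz", "soleil",
}

BANNED_STRINGS = {"juniper", "admin", "password"}  # the page's explicit examples


def _letters_only(pw):
    """Lower-case the password and drop everything that is not a letter,
    so that 'Summer2024!' is still recognised as the word 'summer'."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def check_password(pw, dictionary=SAMPLE_DICTIONARY, vendor="juniper", personal=()):
    """Return a list of rule violations; an empty list means the password passes.

    personal: strings the user should never embed, e.g. a birth year or a
    spouse's name (the page's "easily guessable" rule).
    """
    violations = []

    # Rule: mix of uppercase, lowercase, digits and punctuation.
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "punctuation": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        violations.append("missing character classes: " + ", ".join(missing))

    # Rule: no vendor name, 'admin' or 'password' anywhere in it.
    lowered = pw.lower()
    for banned in sorted(BANNED_STRINGS | {vendor.lower()}):
        if banned in lowered:
            violations.append(f"contains banned string '{banned}'")

    # Rule: nothing easily guessable from the user's own details.
    for item in personal:
        if item.lower() in lowered:
            violations.append(f"contains personal detail '{item}'")

    # Rule: not a dictionary word, even with digits/punctuation bolted on.
    letters = _letters_only(pw)
    if letters in dictionary:
        violations.append(f"dictionary word '{letters}' after stripping digits/punctuation")

    return violations


if __name__ == "__main__":
    for candidate in ("juniper", "Summer2024!", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Junos can enforce the length and character-class part of this itself under `system login password` (statements such as `minimum-length` and `change-type character-sets`); the vendor-name, personal-detail and dictionary rules still need a check like this one or an external password policy.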