Secure Password Recovery on Junos

Every network vendor always has their own procedure to perform password recovery. But you know what, you can add extra security layer to those procedure. Here are some reasons why you want to do that.

  • Your network device might be installed in an unsecured location.
  • The device configuration may contain sensitive information and the devices may be forwarding sensitive traffic.
  • In some circumstances, you may want to secure access to the CLI and to prevent an unauthorized user from performing password recovery.

By default, Junos does not require any password when you perform the recovery. Below is the step you can secure it.

root@R1# set system ports console insecure
root@R1# commit
commit complete

After you applied the above configuration, if a user attempts to perform password recovery by booting into single-user mode, the device will prompt for the root password.

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel] in 1 second… 
Type ‘?’ for a list of commands, ‘help’ for more detailed help.
loader> boot -s
Kernel entry at 0x801000d8 …
init regular console
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2011, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
JUNOS 11.2R2.4 #0: 2011-09-01 08:36:41 UTC
[email protected]:/volume/build/junos/11.2/release/11.2R2.4/obj-octeon/bsd/kernels/JSRXNLE/kernel
JUNOS 11.2R2.4 #0: 2011-09-01 08:36:41 UTC
[email protected]:/volume/build/junos/11.2/release/11.2R2.4/obj-octeon/bsd/kernels/JSRXNLE/kernel
real memory = 1073741824 (1024MB)
avail memory = 526491648 (502MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 on motherboard
: CAVIUM’s OCTEON 5020 CPU Rev. 0.1 with no FPU implemented
L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.
L2 Cache: Size 128kb, 8 way
obio0 on motherboard
uart0: <Octeon-16550 channel 0> on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
dwc0: <Synopsis DWC OTG Controller Driver> on obio0
usb0: <USB Bus for DWC OTG Controller> on dwc0
usb0: USB revision 2.0
uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2
uhub1: single transaction translator
uhub1: 3 ports with 2 removable, self powered
umass0: STMicroelectronics ST72682 High Speed Mode, rev 2.00/2.10, addr 3
pcib0: <Cavium on-chip PCI bridge> on obio0
Disabling Octeon big bar support
PCI Status: PCI 32-bit: 0xc041b
pcib0: Initialized controller
pci0: <PCI bus> on pcib0
pci0: <simple comms> at device 1.0 (no driver attached)
pci0: <serial bus, USB> at device 2.0 (no driver attached)
pci0: <serial bus, USB> at device 2.2 (no driver attached)
cpld0 on obio0
gblmem0 on obio0
octpkt0: <Octeon RGMII> on obio0
cfi0: <AMD/Fujitsu – 4MB> on obio0
Timecounter “mips” frequency 600000000 Hz quality 0
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device 
da0: 40.000MB/s transfers
da0: 1000MB (2048000 512 byte sectors: 64H 32S/T 1000C)
Trying to mount root from ufs:/dev/da0s2a
Attaching /cf/packages/junos via /dev/mdctl…
Mounted junos package on /dev/md0…
Booting single-user
** /dev/da0s2a
clean, 77029 free (37 frags, 9624 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter root password, or ^D to go multi-user
This way, the user will not be able to log into single-user mode unless the root password is known.

Leave a Reply

Your email address will not be published. Required fields are marked *