6.9.1 Ensure a complex Root Password is Set

Information

A complex Root Password should be set for the system.

Rationale:

Due to the importance of the Root user account, which has full control of the JUNOS system and underlying Unix OS, a complex password should be employed to help prevent attackers from using 'brute force' or 'dictionary' attacks to gain full control of the router. JUNOS automatically stores passwords as a SHA1 hash in the configuration under the [edit system root-authentication] hierarchy.

A complex password should be employed which meets or exceeds the following requirements:

Does not contain Dictionary words, names, dates, phone numbers or addresses.

Is at least 8 characters in length.

Contains at least one each of upper & lower case letters, numbers and special characters.

Avoids more than 4 digits or same case letters in a row.

Because Root Authentication must be set before JUNOS will permit the first configuration commit on a new JUNOS system, password complexity requirements covered in other Recommendations may not yet be configured and do not apply to passwords retrospectively. Therefore it is important to manually ensure that a complex password is used for the Root account.
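
The requirements listed above can be checked against a candidate password before it is entered at the JUNOS prompt. The following Python check is an added example, not part of the benchmark or of JUNOS; the function name check_root_password, the small constructed wordlist and the reading of "in a row" as five or more consecutive characters of one kind are assumptions. Names, dates, phone numbers and addresses still need a manual review.

```python
import re
import string

# Constructed sample wordlist (assumption); a real check would load a full dictionary.
SAMPLE_WORDLIST = {"password", "juniper", "router", "admin", "root", "junos"}

# Assumed interpretation of "more than 4 ... in a row": 5+ consecutive digits,
# 5+ consecutive lower case letters, or 5+ consecutive upper case letters.
RUN_PATTERN = re.compile(r"[0-9]{5,}|[a-z]{5,}|[A-Z]{5,}")


def check_root_password(candidate, wordlist=SAMPLE_WORDLIST):
    """Return the list of failed requirements; an empty list means all passed."""
    failures = []
    lowered = candidate.lower()
    # Case-insensitive substring match, so "Password1!" is caught as well.
    if any(word in lowered for word in wordlist):
        failures.append("contains a dictionary word")
    if len(candidate) < 8:
        failures.append("shorter than 8 characters")
    classes = {
        "upper case letter": any(c in string.ascii_uppercase for c in candidate),
        "lower case letter": any(c in string.ascii_lowercase for c in candidate),
        "number": any(c in string.digits for c in candidate),
        "special character": any(c in string.punctuation for c in candidate),
    }
    for name, present in classes.items():
        if not present:
            failures.append("missing " + name)
    if RUN_PATTERN.search(candidate):
        failures.append("more than 4 digits or same case letters in a row")
    return failures


if __name__ == "__main__":
    import getpass
    # getpass keeps the candidate out of shell history and off the screen.
    problems = check_root_password(getpass.getpass("Candidate root password: "))
    print("OK" if not problems else "\n".join(problems))
```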

Impact:

Root Authentication must be set prior to JUNOS allowing the first commit on a new system. Ensure that, while the Root password is complex, it is safely stored in a Password Vault or remembered as it will be required for access to the system until other accounts are configured or to perform certain tasks.

Solution

Root Authentication must be configured prior to the first commit on a new system. A Root password may be set from the CLI using either of the two methods below, from the [edit system] hierarchy.

To enter a new Root Password in plain text, type:

[edit system]
user@host# set root-authentication plain-text-password

You will be prompted to enter the new Password twice and, if the Passwords match, JUNOS will add a SHA1 hash of the Password to the configuration.

Alternatively, if you are copying the configuration from an existing JUNOS system (using the same hashing algorithm) or template, you may apply an existing hash of the Root password:

[edit system]
user@host# set root-authentication encrypted-password '<hash>'

Default Value:

The Root Authentication is blank by default, but must be set prior to JUNOS allowing the first configuration to be committed.

See Also

https://workbench.cisecurity.org/files/3069

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4

Plugin: Juniper

Control ID: 9af50ab2d6f58febf1907ff6aa97c232b67044184f50e18d2a6dbf0cd7025ff7