[SRX/J-series] Simple procedure for preventing password recovery via console

  [KB22619]

This article demonstrates a simple way of stopping a non-root user from performing password recovery using the console.
  • A lot of SRX deployments require the devices to be installed in unsecured locations.

  • Additionally, the device configurations may contain sensitive information and the devices may be forwarding sensitive traffic.

  • In such scenarios, it is advantageous to secure access to the CLI and to prevent an unauthorized user from performing password recovery.

One way of doing this is by disabling the console altogether. For more information, refer to KB18247 - [Junos] How to disable root/super user access through the console port.

However, disabling the console is not always suitable, because console access is important in situations such as software upgrades.

Configure the following to mark the console port as insecure:
lab# set system ports console insecure

lab# commit
commit complete

After configuring the above, if a user attempts to perform password recovery by booting into single-user mode, the device will prompt for the root password:

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel] in 1 second...

Type '?' for a list of commands, 'help' for more detailed help.
loader> boot -s
Kernel entry at 0x801000d8 ...
init regular console
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2011, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
JUNOS 11.2R2.4 #0: 2011-09-01 08:36:41 UTC
JUNOS 11.2R2.4 #0: 2011-09-01 08:36:41 UTC
real memory = 1073741824 (1024MB)
avail memory = 526491648 (502MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 on motherboard
: CAVIUM's OCTEON 5020 CPU Rev. 0.1 with no FPU implemented
L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.
L2 Cache: Size 128kb, 8 way
obio0 on motherboard
uart0: <Octeon-16550 channel 0> on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
dwc0: <Synopsis DWC OTG Controller Driver> on obio0
usb0: <USB Bus for DWC OTG Controller> on dwc0
usb0: USB revision 2.0
uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2
uhub1: single transaction translator
uhub1: 3 ports with 2 removable, self powered
umass0: STMicroelectronics ST72682 High Speed Mode, rev 2.00/2.10, addr 3
pcib0: <Cavium on-chip PCI bridge> on obio0
Disabling Octeon big bar support
PCI Status: PCI 32-bit: 0xc041b
pcib0: Initialized controller
pci0: <PCI bus> on pcib0
pci0: <simple comms> at device 1.0 (no driver attached)
pci0: <serial bus, USB> at device 2.0 (no driver attached)
pci0: <serial bus, USB> at device 2.2 (no driver attached)
cpld0 on obio0
gblmem0 on obio0
octpkt0: <Octeon RGMII> on obio0
cfi0: <AMD/Fujitsu - 4MB> on obio0
Timecounter "mips" frequency 600000000 Hz quality 0
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
da0: 40.000MB/s transfers
da0: 1000MB (2048000 512 byte sectors: 64H 32S/T 1000C)
Trying to mount root from ufs:/dev/da0s2a
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md0...
Booting single-user
** /dev/da0s2a
clean, 77029 free (37 frags, 9624 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter root password, or ^D to go multi-user

This way, the user will be unable to log in to single-user mode for password recovery unless the root password is known.
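
To verify the setting on saved configurations, the following check (an added example, not part of the original article and not Juniper code) reports whether "system ports console insecure" is present and active in a configuration given in either "display set" or curly-brace form. The function names, the sample configurations, and the treatment of "deactivate" and "inactive:" markers on the statement or its parent hierarchies are assumptions of this example.

```python
TARGET = ["system", "ports", "console", "insecure"]

def _from_set(lines):
    present = inactive = False
    for line in lines:
        verb, *path = line.split()
        if verb == "set" and path == TARGET:
            present = True
        # Assumption: deactivating the statement or any parent disables it.
        elif verb == "deactivate" and path and path == TARGET[:len(path)]:
            inactive = True
    return present and not inactive

def _from_braces(lines):
    stack = []  # one (tokens, inactive) entry per open hierarchy level
    for line in lines:
        off = line.startswith("inactive: ")
        if off:
            line = line[len("inactive: "):]
        if line.endswith("{"):
            stack.append((line[:-1].split(), off))
        elif line.startswith("}"):
            if stack:
                stack.pop()
        elif line.endswith(";"):
            path = [t for toks, _ in stack for t in toks] + line[:-1].split()
            if path == TARGET and not off and not any(i for _, i in stack):
                return True
    return False

def console_marked_insecure(config_text):
    """True if the setting is present and active (set or curly-brace format)."""
    lines = [l.strip() for l in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith(("#", "/*"))]
    if not lines:
        return False
    if lines[0].split()[0] in ("set", "deactivate"):
        return _from_set(lines)
    return _from_braces(lines)

# Constructed sample configs (not taken from a real device).
SET_OK = "set system host-name lab\nset system ports console insecure\n"
SET_OFF = SET_OK + "deactivate system ports console\n"
BRACES_OK = "system {\n  ports {\n    console {\n      insecure;\n      type vt100;\n    }\n  }\n}\n"
BRACES_OFF = "system {\n  ports {\n    inactive: console insecure;\n  }\n}\n"

if __name__ == "__main__":
    for name in ("SET_OK", "SET_OFF", "BRACES_OK", "BRACES_OFF"):
        print(name, console_marked_insecure(globals()[name]))
```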