Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] How to prevent password recovery via console



Article ID: KB22619 KB Last Updated: 29 Sep 2020Version: 2.0

This article demonstrates a simple way of stopping a non-root user from performing password recovery using the console.


Many SRX deployments require the devices to be installed in unsecured locations. Additionally, the device configurations may contain sensitive information and the devices may be forwarding sensitive traffic. In such scenarios, it is advantageous to secure access to the CLI and to prevent an unauthorized user from performing password recovery.

One way of doing this is by disabling the console altogether. For more information, refer to KB18247 - [Junos] How to disable root/super user access through the console port. However, it is not always suitable to disable the console; as console access is important during situations such as software upgrades, RE tuck states etc.


Configure the following to mark the console port as insecure:

lab# set system ports console insecure

lab# commit
commit complete

After configuring the above, if a user attempts to perform password recovery by booting into single-user mode, the device will prompt for the root password:

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel] in 1 second...

Type '?' for a list of commands, 'help' for more detailed help.
loader> boot -s
Kernel entry at 0x801000d8 ...
init regular console
GDB: debug ports: uart
GDB: current port: uart
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
OK boot -s
platform_early_bootinit: M/T/EX Series Early Boot Initialization
GDB: debug ports: sio
GDB: current port: sio
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2018, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
JUNOS 12.3X48-D70.4 #0: 2018-09-07 00:03:26 UTC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(R) M processor         1300MHz (1296.76-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x695  Stepping = 5
real memory  = 2147483648 (2048 MB)
avail memory = 2089185280 (1992 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 on motherboard
: CAVIUM's OCTEON 5020 CPU Rev. 0.1 with no FPU implemented
L1 Cache: I size 32kb(128 line), D size 8kb(128 line), sixty four way.
L2 Cache: Size 128kb, 8 way
obio0 on motherboard
uart0: <Octeon-16550 channel 0> on obio0
uart0: console (9600,n,8,1)
twsi0 on obio0
dwc0: <Synopsis DWC OTG Controller Driver> on obio0
usb0: <USB Bus for DWC OTG Controller> on dwc0
usb0: USB revision 2.0
uhub0: vendor 0x0000 DWC OTG root hub, class 9/0, rev 2.00/1.00, addr 1
uhub0: 1 port with 1 removable, self powered
uhub1: vendor 0x0409 product 0x005a, class 9/0, rev 2.00/1.00, addr 2
uhub1: single transaction translator
uhub1: 3 ports with 2 removable, self powered
umass0: STMicroelectronics ST72682 High Speed Mode, rev 2.00/2.10, addr 3
pcib0: <Cavium on-chip PCI bridge> on obio0
Disabling Octeon big bar support
PCI Status: PCI 32-bit: 0xc041b
pcib0: Initialized controller
pci0: <PCI bus> on pcib0
pci0: <simple comms> at device 1.0 (no driver attached)
pci0: <serial bus, USB> at device 2.0 (no driver attached)
pci0: <serial bus, USB> at device 2.2 (no driver attached)
cpld0 on obio0
gblmem0 on obio0
octpkt0: <Octeon RGMII> on obio0
cfi0: <AMD/Fujitsu - 4MB> on obio0
Timecounter "mips" frequency 600000000 Hz quality 0
da0 at umass-sim0 bus 0 target 0 lun 0
da0: <ST ST72682 2.10> Removable Direct Access SCSI-2 device
da0: 40.000MB/s transfers
da0: 1000MB (2048000 512 byte sectors: 64H 32S/T 1000C)
Trying to mount root from ufs:/dev/da0s2a
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md0...
Booting single-user
** /dev/da0s2a
clean, 77029 free (37 frags, 9624 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter root password, or ^D to go multi-user
This way, the user will be unable to log into single-user mode for password recovery; unless the root password is known.
Modification History:
2020-09-26: Updated outputs to the latest Junos output.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search