When an EX Series switch is downgraded from Junos OS release 15.1 to release 12.3 after changes such as a root-authentication password change or the creation of new users, the password credentials will not work because the two releases use different hashing mechanisms.
This article describes the difference in password hashing between the two releases and provides a workaround so that password authentication succeeds after a downgrade.
Junos OS release 15.1 hashes a plain-text password and stores it as encrypted text differently from release 12.3 and earlier.
Junos OS release 12.3 and earlier images do not support passwords hashed with SHA-256. This is a limitation in Junos OS release 12.3. Therefore, if a password that was hashed with SHA-256 in Junos OS release 15.1 is provided to Junos OS release 12.3 or earlier, verification of the password will fail.
The hashing used is as follows:
- In Junos OS release 12.3 and earlier images, MD5 hashing is used and the stored password starts with $1$.
- In the Junos OS release 15.1 image, SHA-256 hashing is used and the stored password starts with $5$.
- In Junos OS release 17.2 and later images, SHA-512 hashing is used and the stored password starts with $6$.
Behavior in Junos OS release 12.3
In Junos OS release 12.3 and earlier, when a password is configured as plain text, MD5 hashing is performed and the password is stored as encrypted text.
In MD5 hashing, passwords start with $1$:
root> show version
fpc0:
--------------------------------------
Model: ex4200-48t
JUNOS Base OS boot [12.3R12.4]
root> show configuration system root-authentication
encrypted-password "$1$ABC123."; ## SECRET-DATA >>#### MD5 hashed; starts with $1$
Behavior in Junos OS release 15.1
In Junos OS release 15.1, when a password is configured as plain text, SHA-256 hashing is performed and the password is stored as encrypted text.
In SHA-256 hashing, passwords start with $5$:
root> show version
fpc0:
-------------------------------------
Model: ex4200-48t
Junos: 15.1R6.7
root# ...system login user user1
uid 2009;
class super-user;
authentication {
    encrypted-password "$5$ABC123"; ## SECRET-DATA >>#### SHA-256 hashed; starts with $5$
}
The lack of SHA-256 support is a limitation in Junos OS release 12.3 and earlier.
Before downgrading to Junos OS release 12.3, make sure to check that the encrypted passwords are stored as MD5 hashed passwords.
root@switch> show configuration system root-authentication
encrypted-password "$1$ABC123"; ## SECRET-DATA >>#### MD5 hashed; starts with $1$
Workaround:
Check whether the password is hashed with MD5 (password starts with $1$) or SHA-256 (password starts with $5$). If the password is hashed with SHA-256, then configure a new root authentication or configure new user credentials with MD5 hashing as shown below:
Syntax
set system login user test class super-user authentication encrypted-password "MD5 hashed encrypted password"
Example
root# set system login user test class super-user authentication encrypted-password "$1$ABC123"
root# commit
MD5-hashed encrypted passwords can also be obtained by configuring a plain-text password on any device that is running Junos OS release 12.3 or by looking up the device configuration file.
Users who are authenticated via RADIUS/TACACS+ servers will not be affected after a downgrade.
{master:0}[edit]
root@switch# show system radius-server
10.10.157.3 {
    secret "$ABC123"; ## SECRET-DATA >>Encrypted secret password
    source-address 10.10.146.94;
}
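The pre-downgrade check described above can be run over a saved copy of the configuration. The following is an added example, not part of the original article or Juniper code: it classifies each encrypted-password statement by the prefixes listed above and marks the accounts whose hash release 12.3 would not accept. The function names and the sample configuration are constructed for illustration, using the article's placeholder hash values.

```python
import re

# Prefix-to-scheme mapping as listed in the article.
SCHEMES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512"}
ACCEPTED_BY_12_3 = {"MD5"}  # release 12.3 and earlier accept only $1$ hashes
HASH_RE = re.compile(r'encrypted-password\s+"([^"]*)"')
# Constructed sample configuration; hash values are the article's placeholders.
SAMPLE = """
system {
    root-authentication {
        encrypted-password "$1$ABC123."; ## SECRET-DATA
    }
    login {
        user user1 {
            authentication {
                encrypted-password "$5$ABC123"; ## SECRET-DATA
            }
        }
    }
    radius-server {
        10.10.157.3 {
            secret "$ABC123"; ## SECRET-DATA
        }
    }
}
"""

def account_for(stack):
    for node in reversed(stack):  # innermost enclosing statement first
        if node == "root-authentication" or node.startswith("user "):
            return "root" if node == "root-authentication" else node.split()[1]
    return "unknown"

def audit_config(text):
    """Return (account, scheme, usable_on_12_3) for every local password hash."""
    stack, findings = [], []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()  # drop trailing ## comments
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
        elif (m := HASH_RE.search(line)):
            scheme = next((n for p, n in SCHEMES.items() if m.group(1).startswith(p)), "unknown")
            findings.append((account_for(stack), scheme, scheme in ACCEPTED_BY_12_3))
    return findings

for acct, scheme, ok in audit_config(SAMPLE):
    print(f"{acct}: {scheme} -> {'ok' if ok else 'set an MD5 ($1$) hash before downgrade'}")
```

The radius-server secret is deliberately not reported, since only local encrypted-password statements are affected by the downgrade.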
2020-02-23: Changed encrypted password to "$ABC123".
2018-07-10: Checked the article for accuracy and reworded the article; non-technical changes made.
2019-05-02: Updated Title to reflect the content of the article.