[EX] Unable to login to the switch after downgrading from Junos version 15.1 to 12.3

  [KB31903]


Summary:

When an EX Series switch is downgraded from Junos OS release 15.1 to release 12.3 after password changes were made on 15.1, such as changing the root-authentication password or creating new users, those credentials no longer work, because the two releases hash passwords differently.

This article describes the difference in password hashing between the two releases and provides a workaround so that passwords are still verified successfully after a downgrade.


Symptoms:
  • When an EX Series switch is downgraded from Junos OS release 15.1 to release 12.3, the SHA-256-hashed password does not work.
  • I'm using the correct root password, but still cannot log in.
  • This applies to both root and non-root passwords.
  • What are the password hashing and encryption differences between Junos OS releases?


Cause:

A plain-text password is hashed, and the hash stored in the configuration as the encrypted-password value, differently in Junos OS release 15.1 than in release 12.3 and earlier.

Junos OS release 12.3 and earlier images do not support SHA-256 password hashes: they can neither generate nor verify them. This is a limitation of Junos OS release 12.3. Therefore, if the configuration carries a password that was hashed with SHA-256 on Junos OS release 15.1, release 12.3 and earlier cannot verify that password at login and authentication fails.

The hash format used is as follows (the prefix identifies the crypt(3)-style scheme):

  • In Junos OS release 12.3 and earlier images, MD5 hashing is used and the stored password starts with $1$.
  • In the Junos OS release 15.1 image, SHA-256 hashing is used and the stored password starts with $5$.
  • In Junos OS release 17.2 and later images, SHA-512 hashing is used and the stored password starts with $6$.

Behavior in Junos OS release 12.3

In Junos OS release 12.3 and earlier, when a password is configured as plain text, it is hashed with MD5 and the hash is stored as the encrypted-password value.

MD5 hashes start with $1$:

root> show version
fpc0:
--------------------------------------
Model: ex4200-48t
JUNOS Base OS boot [12.3R12.4]

root> show configuration system root-authentication
encrypted-password "$1$XPioD6/t$Bp0WQzJEJ/K.VArjFEBLm."; ## SECRET-DATA  >>#### MD5 hashed; starts with $1$

Behavior in Junos OS release 15.1

In Junos OS release 15.1, when a password is configured as plain text, it is hashed with SHA-256 and the hash is stored as the encrypted-password value.

SHA-256 hashes start with $5$:

root> show version
fpc0:
-------------------------------------
Model: ex4200-48t
Junos: 15.1R6.7

root# ...system login user jegan1                        
uid 2009;
class super-user;
authentication {
encrypted-password "$5$bGGp.1bp$mGm5mTKY4OYcsdVx.OaWA5utujyMfKiRgujsWiWK5.6"; ## SECRET-DATA  >>####SHA-256 hashed; starts with $5$
}


Solution:

This is a limitation in Junos OS 12.3 and earlier.

Before downgrading to Junos OS release 12.3, check that every encrypted-password value in the configuration is an MD5 hash (starts with $1$).

root@switch> show configuration system root-authentication
encrypted-password "$1$XPioD6/t$Bp0WQzJEJ/K.VArjFEBLm."; ## SECRET-DATA    >>#### MD5 hashed; starts with $1$

Workaround:

Check whether the password is hashed with MD5 (the value starts with $1$) or SHA-256 (the value starts with $5$). If the password is hashed with SHA-256, configure a new root-authentication password or new user credentials with an MD5 hash, as shown below:

Syntax

set system login user test class super-user authentication encrypted-password "MD5 hashed encrypted password"

Example

root# set system login user test class super-user authentication encrypted-password "$1$XPioD6/t$Bp0WQzJEJ/K.VArjFEBLm."
root#commit

An MD5-hashed password can also be obtained by configuring a plain-text password on any device running Junos OS release 12.3 (which stores the MD5 hash) or by copying the value from such a device's configuration file.

Users who are authenticated via RADIUS/TACACS+ servers are not affected by a downgrade: their passwords are held on the server, and the shared secret is stored in the $9$ format, which both releases support.

{master:0}[edit]
root@switch# show system radius-server
10.10.157.3 {
    secret "$9$CxTepORreW-VYhSVYgojiAp0"; ## SECRET-DATA   >>#### Encrypted secret; starts with $9$ in both 12.3 and 15.1
    source-address 10.10.146.94;
}
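As an added pre-downgrade check (example code written for this article, not Juniper's own tooling), the following Python scans `show configuration | display set` output, classifies each stored credential by its prefix, and lists the encrypted-password entries that the target release cannot verify, while leaving $9$ shared secrets alone as the RADIUS note above describes. The sample configuration is constructed from the values shown in this article, the $6$ entry is a placeholder, and the 17.2 threshold for SHA-512 is an assumption inferred from the release list in the Cause section.

```python
import re

# crypt(3)-style prefixes as the article lists them; "$9$" is Junos's reversible
# obfuscation for shared secrets (RADIUS/TACACS+), not a password hash.
SCHEMES = {"$1$": "MD5", "$5$": "SHA-256", "$6$": "SHA-512", "$9$": "Junos $9$ obfuscation"}
# Oldest release family assumed able to verify each hash scheme: 12.3 for $1$ and
# 15.1 for $5$ follow the article; 17.2 for $6$ is inferred from the article's
# note that 17.2 and later generate $6$ hashes (assumption).
MIN_RELEASE = {"$1$": (12, 3), "$5$": (15, 1), "$6$": (17, 2)}
# One `set` statement per line, as printed by `show configuration | display set`.
SET_RE = re.compile(r'^set (?P<path>.+?) (?P<stmt>encrypted-password|secret) "(?P<prefix>\$\d\$)[^"]*"')

# Constructed sample of `show configuration | display set` output; the $6$ value is a placeholder.
SAMPLE_CONFIG = """\
set system root-authentication encrypted-password "$1$XPioD6/t$Bp0WQzJEJ/K.VArjFEBLm."
set system login user jegan1 class super-user
set system login user jegan1 authentication encrypted-password "$5$bGGp.1bp$mGm5mTKY4OYcsdVx.OaWA5utujyMfKiRgujsWiWK5.6"
set system login user ops authentication encrypted-password "$6$placeholder$not-a-real-hash"
set system radius-server 10.10.157.3 secret "$9$CxTepORreW-VYhSVYgojiAp0"
"""

def parse_release(version):
    """'12.3R12.4' -> (12, 3); only the major.minor release family matters here."""
    major, minor = re.match(r"(\d+)\.(\d+)", version).groups()
    return int(major), int(minor)

def scan_credentials(config):
    """Return (path, statement, prefix, scheme) for every stored credential."""
    found = []
    for line in config.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            found.append((m["path"], m["stmt"], m["prefix"], SCHEMES.get(m["prefix"], "unknown")))
    return found

def downgrade_blockers(config, target_version):
    """Password hashes the target release cannot verify: re-set these as $1$ before downgrading.
    $9$ shared secrets are skipped (both releases accept them); unknown prefixes are flagged."""
    target = parse_release(target_version)
    return [(path, scheme) for path, stmt, prefix, scheme in scan_credentials(config)
            if stmt == "encrypted-password" and MIN_RELEASE.get(prefix, (99, 0)) > target]

if __name__ == "__main__":
    for path, scheme in downgrade_blockers(SAMPLE_CONFIG, "12.3R12.4"):
        print(f"{path}: {scheme} hash will not be accepted after the downgrade")
```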


Modification History:

2018-07-10: Checked the article for accuracy and reworded the article; non-technical changes made
2019-05-02: Updated Title to reflect the content of the article.
