
SRX340 - Disable password recovery

  • 1.  SRX340 - Disable password recovery

     
    Posted 10-29-2018 02:35

    We will be supplying SRX300 and SRX340 devices to customers on an Ethernet core as an NTE device.

     

    Currently I have everything configured to protect the NTE from any customer access, except one issue:

     

    The customer could easily perform a password recovery by rebooting the device and pressing the spacebar. I have tested this and can confirm that the root password can be reset and then the configuration becomes visible to the customer.

     

    To stop this I have logged onto the SRX340 as "root", entered the shell, navigated to "/boot/defaults" and opened "loader.conf" in vi. I set the line "autoboot_delay="10"" to -1 as per the recommendations; however, when I try to "save and quit" from vi, I get told that root does not have permission.

     

    Any ideas on how to get around this issue please?



  • 2.  RE: SRX340 - Disable password recovery

    Posted 10-29-2018 02:41

    Hi,

    Follow the KB to prevent password recovery via console:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22619&actp=METADATA

     



  • 3.  RE: SRX340 - Disable password recovery

     
    Posted 10-29-2018 03:18

    Hi, (Edited response)

     

    Yes, already completed this and it does indeed stop console access. 

     

    So, I understand that it does not matter what the customer changes the "root" password to, they still cannot access via the console (possibly; this I have not tested), but I would still like to stop them being able to change it during boot-up.

     

    Is there any chance that the customer changing any passwords during boot-up could access the config in any way at all?

     

    Currently they cannot access the device at all, no SSH or telnet or any other means, but I am concerned about this.

     

    I can test anyway and post results here. I was just wondering why I could not change that file when logged on as root via SSH.



  • 4.  RE: SRX340 - Disable password recovery

     
    Posted 10-29-2018 07:00

    I'll close this issue as it's not really an issue, more a pointer in the right direction.

     

    Thanks



  • 5.  RE: SRX340 - Disable password recovery

     
    Posted 10-29-2018 09:03

    Unfortunately, as suspected, this does not work.

     

    So, if you enable the command "set system ports console insecure", what it does do is secure the console from root access. This I have tested and it is successful. Now, here is the problem:

     

    I am the customer and I decide to reboot the NTE (SRX340) to see if I can "recover" the password. So, at the point during boot-up where it says "Hit [Enter] to boot immediately, or space bar for command prompt." I decide to hit the spacebar. At the "loader>" prompt, I type "boot -s" and it goes through some POST and then comes up with the following:

     

    "Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:"

     

    So, I type "recovery".... the device then boots to this:

    root>

     

    And, guess what.... I can access everything, including the Configuration.

     

    The ability to press the spacebar and then choose "recovery" is what I want to stop.

     

    Any ideas please?

     

    By the way, I know the answer lies in changing a line in "/boot/defaults/loader.conf", and I have changed the line, but it won't let me save it, even when I'm logged into the shell as root.

     



  • 6.  RE: SRX340 - Disable password recovery

     
    Posted 10-29-2018 09:36

    Okay, so I know why I can't change it as it is listed as follows:

     

    -r--r--r-- 1 root wheel 16602 May 25 15:57 loader.conf

     

    So, it is read only.

     

    Now I want to change this to "write" as well as read, so I used "chmod -w loader.conf": not working, still read only. Any ideas, anyone?

     

    So, I've got the file to read, write and execute by using "chmod 764 loader.conf". I thought this would work, but it hasn't; it still says "This operation not permitted".

     

     



  • 7.  RE: SRX340 - Disable password recovery

    Posted 10-29-2018 12:44

    Hi,

    I understand your main goal is to disable password recovery via console. If you follow the KB mentioned earlier, this can be achieved. Once you have configured "set system ports console insecure", the customer must know the current root password to go into recovery mode, even after rebooting and executing "boot -s". I tested this and the difference in the boot process is given below:

     

    With "set system ports console insecure":

    +++++++++++++++++++++++++++++++

    .............

    System watchdog timer disabled
    Enter root password, or ^D to go multi-user <--- current root password must be provided to go into recovery mode
    Password:
    Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:recovery

     

    Without "set system ports console insecure":

    +++++++++++++++++++++++++++++++++++++

    ...........

    System watchdog timer disabled <----- no root password prompt here
    Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

     

    Modifying the loader.conf file is not recommended. This is a system protected file. You can modify the contents using vi (use the 'x' key to delete a character and :wq to save the contents) after changing the file permissions (chmod 644 loader.conf). However, the system will restore the contents (more specifically, it will restore the file itself; note the file timestamp) to default once you reboot the system. That means there is no use in modifying the loader.conf file. I tested this multiple times.



  • 8.  RE: SRX340 - Disable password recovery

     
    Posted 10-31-2018 01:34

    Hi Nellikka,

     

    Well, in the case of the SRX340 I have on my desk, even after setting the command recommended, when I type "recovery", it does not ask for a password; it goes straight to "root>" and the config can be viewed.

     

    Is it tied down to a code version maybe?

     



  • 9.  RE: SRX340 - Disable password recovery

     
    Posted 10-31-2018 02:36

    I will type this as I complete the process:

     

    So, I have recommitted "set system ports console insecure".

     

    Now, I will pretend I am the customer and will pull the power cable.

     

    At the "Hit [Enter] to boot immediately, or space bar for command prompt." I press the spacebar and I get the following:

     

    "Type '?' for a list of commands, 'help' for more detailed help.
    loader> boot -s"

     

    Then there's some more POST and then I get the following:

     

    "Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh:" 

     

    So, I type "recovery" and the system goes through the rest of the boot-up process (it does not ask for a password) and ends up with the following:

     

    "Starting CLI ...
    root>"

     

    I can now see the complete configuration and can enter configuration mode.

     

    This is NOT secure, as the customer can then see the IP ranges involved with management and can even access our core systems through this process if they so wished.

     

    There must be a simple way of disabling this?

     

    The /boot/defaults/loader.conf file even suggests changing the 10 second default to -1 to stop this action from being allowed. It doesn't make sense that this action cannot be stopped.

     

    Junos OS version:

    Model: srx340
    Junos: 15.1X49-D140.2
    JUNOS Software Release [15.1X49-D140.2]

     

     



  • 10.  RE: SRX340 - Disable password recovery
    Best Answer

    Posted 10-31-2018 03:36

    Hi,

    I tested the KB on an SRX340 running version 15.1X49-D140.2. It is working for me as explained in the KB. It is very strange that the same is not working for you with the same hardware and software. Are you able to log in via console using the root account after setting the command?



  • 11.  RE: SRX340 - Disable password recovery

     
    Posted 10-31-2018 06:09

    Hi Nellikka,

     

    No. That works fine and is not the problem.

     

    The problem is that the password recovery process is just defaulting straight to root with the configuration available to view.

     

    The point is that the customer can insert the console cable, pull the power and use the recovery process without needing a root password, or any password for that matter.

     

    Strangely, our JTAC contact confirms what you are stating and the KB, but it just does not work on our SRX340.

     

    It goes to the root> prompt every time....



  • 12.  RE: SRX340 - Disable password recovery

     
    Posted 10-31-2018 06:49

    Hi Nellikka,

     

    Interestingly, I have just tried this on an SRX300 and it works exactly as you stated and also as the KB says, which is perfect.

     

    But it does not work on the SRX340. Maybe I have found a bug for you... 🙂

     

    So, I will close this issue as "resolved" on the SRX300, but maybe you guys would like to do some testing on the SRX340, because I cannot get it to work on that device.

     



  • 13.  RE: SRX340 - Disable password recovery

     
    Posted 11-02-2018 02:12

    Hi Nellikka,

     

    Thought I would give you an update on this. As a test, I upgraded the OS to "JUNOS Software Release [15.1X49-D140.3]" and everything works exactly as it should.

     

    So, it appears there was a software issue.
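
    A fleet-side check for the hardening this thread converges on, as an added example (not code from the thread, from Juniper, or from KB22619). It parses a Junos "show configuration | display set" dump plus the version string, flags a missing "set system ports console insecure", an enabled telnet service, and SSH without "root-login deny" (that last statement is a standard Junos knob the thread itself does not mention), and compares the running release with 15.1X49-D140.3, the build on which the poster reported recovery behaving as the KB describes. The two configuration dumps are constructed, the version-ordering logic is my assumption that releases of the 15.1X49-Dnnn.m form sort numerically field by field, and the function and constant names are mine.

```python
"""Audit a Junos 'display set' dump for the console-recovery hardening
discussed in the SRX340 thread.  Added example, not Juniper's code."""
import re
from dataclasses import dataclass

# Statements from the thread / KB22619 and the services the poster said
# were already closed to the customer.
CONSOLE_INSECURE = "set system ports console insecure"
TELNET_SERVICE = "set system services telnet"
SSH_SERVICE = "set system services ssh"
SSH_ROOT_DENY = "set system services ssh root-login deny"  # standard knob, not in the thread

# Poster's observation only: on his SRX340, 15.1X49-D140.2 dropped straight
# to root> from 'recovery'; after upgrading to D140.3 the password prompt
# appeared.  Treated as an observation to flag, not a confirmed advisory.
FIRST_GOOD_OBSERVED = "15.1X49-D140.3"

# Assumption: only the 15.1X49-Dnnn[.m] release form seen in this thread.
_VER_RE = re.compile(r"^(\d+)\.(\d+)X(\d+)-D(\d+)(?:\.(\d+))?$")


def parse_junos_version(ver: str) -> tuple:
    """'15.1X49-D140.2' -> (15, 1, 49, 140, 2); missing spin number -> 0."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Junos version string: {ver!r}")
    return tuple(int(g or 0) for g in m.groups())


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    message: str


def audit(display_set: str, version: str) -> list:
    """Return findings for one device; an empty list means nothing flagged."""
    lines = {ln.strip() for ln in display_set.splitlines() if ln.strip()}
    findings = []
    if CONSOLE_INSECURE not in lines:
        findings.append(Finding("high", "console not marked insecure: 'boot -s' "
                                "then 'recovery' will not ask for the root password"))
    if any(ln.startswith(TELNET_SERVICE) for ln in lines):
        findings.append(Finding("high", "telnet service enabled"))
    if any(ln.startswith(SSH_SERVICE) for ln in lines) and SSH_ROOT_DENY not in lines:
        findings.append(Finding("medium", "ssh enabled without root-login deny"))
    if parse_junos_version(version) < parse_junos_version(FIRST_GOOD_OBSERVED):
        findings.append(Finding("info", f"running {version}: thread reports console "
                                f"insecure being ignored on 15.1X49-D140.2 (SRX340) "
                                f"until upgrade to {FIRST_GOOD_OBSERVED}; verify at the console"))
    return findings


# Constructed sample dumps (not captured from a real device).
HARDENED_CONFIG = """
set system ports console insecure
set system services ssh root-login deny
set system services ssh protocol-version v2
"""

WEAK_CONFIG = """
set system services telnet
set system services ssh
"""

if __name__ == "__main__":
    for name, cfg, ver in (("hardened", HARDENED_CONFIG, "15.1X49-D140.3"),
                           ("weak", WEAK_CONFIG, "15.1X49-D140.2")):
        print(f"== {name} ({ver})")
        for f in audit(cfg, ver) or [Finding("ok", "no findings")]:
            print(f"  [{f.severity}] {f.message}")
```

    This only proves that the statement is committed on the device; it cannot tell you whether the running build honours it. The thread's own test (pull power, hit space at the loader, "boot -s", type "recovery", check for the "Enter root password" prompt) is still the only way to confirm the behaviour on a given box.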



  • 14.  RE: SRX340 - Disable password recovery

    Posted 10-29-2018 23:40

    Hello,

    If you want extreme security to cover all possible cases, including reverting the unit to factory default via the Reset button, then buy an RJ-45 port lock:

    https://www.lindy.co.uk/accessories-c9/security-c388/10-x-rj-45-port-blockers-with-key-black-p7393

    Otherwise, pressing the Reset button could revert the SRX340 to a factory-default config without a password, and if the console is not blocked, then password recovery is not even required to access the root prompt.

    HTH

    Thx

    Alex