Hi all ..
Junos stores the user login plaintext passwords in the form of hashes using the MD-5 hashing algorithm. These hashes are visible in the configuration and start with "$1$". On the other hand, the TACACS+ / Radius Server key and VPN pre-shared key are stored in reversible encryption hashes, and these hashes start with $9$ (Sample config att). The reversible encryption hashes are easily decrypted to the original keys using online available tools.
My question is: what's the technical compulsion behind storing the authentication keys in reversible encryption hashes, and is there a way to avoid this and use MD5 instead?
This has already been handled from Junos 15.1X49-D50 and 16.2R1 for MX/QFX.
You can define a master password which then encrypts the $9$ strings. You can then only use the $9$ values if you know the master password.
More information here: https://www.juniper.net/documentation/en_US/junos/topics/concept/harden-shared-secrets.html
I hope this answers your question 🙂
Thank you, Jonashauge. That's what I was looking for 🙂
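
An added example, not part of the thread above: a Python audit that lists which secrets in a Junos set-format configuration are stored as `$1$` (MD5 hash) and which as `$9$` (reversible) strings, the distinction raised in the question. The sample configuration, its addresses, and its secret values are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in Junos "set" format; secret values are placeholders, not real.
SAMPLE_CONFIG = '''\
set system login user admin authentication encrypted-password "$1$PLACEHOLDER$notarealhash"
set system radius-server 192.0.2.10 secret "$9$PLACEHOLDER-radius"
set system tacplus-server 192.0.2.11 secret "$9$PLACEHOLDER-tacacs"
set security ike policy ike-pol pre-shared-key ascii-text "$9$PLACEHOLDER-psk"
set system host-name lab-srx
'''

# Prefixes named in the thread; anything else is reported as "other".
PREFIX_KIND = {"$1$": "md5-hash (one-way)", "$9$": "reversible"}

# A quoted value starting with $<id>$ at the end of a set statement.
SECRET_RE = re.compile(r'^set\s+(?P<path>.+?)\s+"(?P<prefix>\$[0-9a-z]+\$)[^"]*"\s*$')


def audit(config_text):
    """Return (line_no, statement path, kind) per stored secret; values are never returned."""
    findings = []
    for no, line in enumerate(config_text.splitlines(), 1):
        m = SECRET_RE.match(line.strip())
        if m:
            kind = PREFIX_KIND.get(m.group("prefix"), "other")
            findings.append((no, m.group("path"), kind))
    return findings


def reversible(findings):
    """Statements whose stored form can be turned back into the original key."""
    return [path for _, path, kind in findings if kind == "reversible"]


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for no, path, kind in results:
        print(f"line {no}: {path}: {kind}")
    print(f"{len(reversible(results))} reversible secret(s) found")
```

The statements reported as reversible are the ones the master password described in the answer is meant to protect; treat any configuration export containing them as sensitive.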