Junos OS

Encrypted password scenario

  • 1.  Encrypted password scenario

    Posted 04-17-2020 13:04

    Hi everybody,

    Please consider the following example:

    User name test

    password test123

    class super-user

    Below, we configure the above user name test with plain-text password test 123

    DEVICE_B# set system login user test class super-user authentication plain-text-password
    New password:
    Retype new password:

    DEVICE_B# show system login | display set
    set system login user test uid 2001
    set system login user test class super-user
    set system login user test authentication encrypted-password "$1$vlMfeeRv$yEgd0/q9HPqyr7.2FFi9C0"

     

    Note the encryption is $1$vlMfeeRv$yEgd0/q9HPqyr7.2FFi9C0

     

    We delete the username test123, class super-user, password, and re-entered it:

     

    DEVICE_B# delete system login

    DEVICE_B# set system login user test class super-user authentication plain-text-password
    New password:
    Retype new password:

    DEVICE_B# show system login | display set
    set system login user test uid 2001
    set system login user test class super-user
    set system login user test authentication encrypted-password "$1$SbP8N8Mc$.PWPRCflxvzIyHpg4RLn0/"

     

    Note the encryption is different, $1$SbP8N8Mc$.PWPRCflxvzIyHpg4RLn0/, for the same password test 123.

    So far, we have established that JUNOS has different encryption strings for the same plain-text password test 123.

    2) Let's say we want to configure SSH access on our Juniper device; we will use username test and the encrypted string "$1$SbP8N8Mc$.PWPRCflxvzIyHpg4RLn0/" from above, as shown below:

    set system login user test uid 2001
    set system login user test class super-user
    set system login user test authentication encrypted-password "$1$SbP8N8Mc$.PWPRCflxvzIyHpg4RLn0/"

     

    We are able to log in using user test and password test 123

     

    JUNOS was able to determine the password test123 from encrypted string "$1$SbP8N8Mc$.PWPRCflxvzIyHpg4RLn0/"

     

    We delete the user name and this time enter user name test, with the encrypted string from above, $1$vlMfeeRv$yEgd0/q9HPqyr7.2FFi9C0.

    Junos was able to determine the password test 123 from encrypted string $1$vlMfeeRv$yEgd0/q9HPqyr7.2FFi9C0

    Based on the above, is it not correct to assume that JunOS, for each given password, has a defined set of encryption strings?

     

    Thanks and have a good weekend!!


  • 2.  RE: Encrypted password scenario
    Best Answer

     
    Posted 04-17-2020 16:31

    Hi sarahr202,

     

    You are correct! Every time you delete and re-add the same password, or if you copy and paste the configuration into a new device, the strings will change, but the hashing algorithm remains the same. For a single character, you may see a single encrypted character, or a line of multiple encrypted characters. This also makes it hard for someone to easily decrypt your credentials.

    Just to add more info, Juniper uses MD5-style encryption before adding the password to the database. When MD5 encryption is used, the password starts with $1$ as in your examples.

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-user-accounts.html#id-junos-os-user-accounts-overview

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB31903&pmv=print&actp=LIST&searchid=&type=currentpaging

     

    Best regards!,

     

    If it clears your concerns, please mark as solved!



  • 3.  RE: Encrypted password scenario

    Posted 04-17-2020 19:50

    Hi Egarro,

    These are my thoughts:

    1) MD5 hashing is one-way, i.e. we feed the password into the MD5 hashing engine and the output comes out as a bunch of random characters.

    We cannot (in general) recover the password from those random characters in a foreseeable time period.

    2) Given the above, when we provide the encrypted password as in my earlier post, how could JUNOS determine the password?

     

    Appreciated!!

     



  • 4.  RE: Encrypted password scenario

     
    Posted 04-17-2020 22:31

    1. MD5 hashing is not random, it is generated. Adding a dynamic salt will result in a different hash each time but it is still not random.

    2. Hashed != encrypted. Junos doesn't need to know the password. It just confirms that the supplied password, when hashed with the same salt, equals the stored hash.
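
Added example, not part of any post in this thread and not Junos code: a pure-Python MD5-crypt (`$1$salt$hash`) routine showing why one password yields different stored strings and how a login check works without ever recovering the password. The function names `md5_crypt`, `new_hash` and `verify` and the sample password are constructed for illustration; only the `$1$` scheme is handled.

```python
import hashlib, hmac, secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def md5_crypt(password: str, salt: str) -> str:
    """Salted MD5-crypt hash in the $1$salt$hash layout seen in this thread."""
    pw, s = password.encode(), salt[:8].encode()
    alt = hashlib.md5(pw + s + pw).digest()
    ctx = hashlib.md5(pw + b"$1$" + s)
    for off in range(0, len(pw), 16):
        ctx.update(alt[:min(16, len(pw) - off)])
    n = len(pw)
    while n:
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    d = ctx.digest()
    for i in range(1000):  # fixed stretching rounds of the $1$ scheme
        r = hashlib.md5()
        r.update(pw if i & 1 else d)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(pw)
        r.update(d if i & 1 else pw)
        d = r.digest()
    groups = [((d[a] << 16) | (d[b] << 8) | d[c], 4)
              for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))]
    out = ""
    for v, chars in groups + [(d[11], 2)]:
        for _ in range(chars):  # 6 bits per output character, low bits first
            out += ITOA64[v & 0x3F]
            v >>= 6
    return f"$1${salt[:8]}${out}"

def new_hash(password: str) -> str:
    """Setting a password: a fresh random salt is chosen, so the string differs each time."""
    return md5_crypt(password, "".join(secrets.choice(ITOA64) for _ in range(8)))

def verify(stored: str, candidate: str) -> bool:
    """Login check: re-hash the candidate with the stored salt and compare the results."""
    _, scheme, salt, _ = stored.split("$")
    if scheme != "1":
        raise ValueError("this example only handles $1$ strings")
    return hmac.compare_digest(md5_crypt(candidate, salt), stored)

if __name__ == "__main__":
    first, second = new_hash("example-pass"), new_hash("example-pass")  # constructed password
    print(first, second, sep="\n")  # two different strings for one password
    print(verify(first, "example-pass"), verify(second, "example-pass"), verify(first, "wrong"))
```

The salt is stored in the clear between the second and third `$`, which is why a string pasted into another configuration still validates the same password.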

     

     



  • 5.  RE: Encrypted password scenario

    Posted 04-17-2020 17:07

    Hi sarahr202,

     

    It works as per design, exact same behavior with root credentials when the same passcode is being used.


    {master:0}[edit]
    root@AM-USPAL-B4C-IDF1-SWIACC01# show system root-authentication
    encrypted-password "$6$9vJy1cK8$YEC7oy.E0Ih9h0BkawCVMUCkbD6aNNqdEvF4rH/5ksE/AVFVN7lZ0Kfk0TFLcu/e3Sc4YuYT2Ia2nGZjeroZE0"; ## SECRET-DATA 

     

    {master:0}[edit]
    root@AM-USPAL-B4C-IDF1-SWIACC01# show system root-authentication
    encrypted-password "$6$nAN4T0/z$IehYIB5OeWdeeae76JUvBlh07RRkXTWSo1zbyph7ieqSCVhryL2bhwufsTc9G/iFN5V5.gW1zDlnMf/rdgNEd1"; ## SECRET-DATA 

     

    thanks,   

     

    If it clears your concerns, please mark as solved!