Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Junos Password and key storing hashes

    Posted 01-20-2018 05:18

    Hi all ..

    Junos stores the user login plaintext passwords in the form of hashes using the MD5 hashing algorithm. These hashes are visible in the configuration and start with "$1$". On the other hand, the TACACS+ / RADIUS server key and VPN pre-shared key are stored as reversible encryption hashes, and these hashes start with $9$ (sample config attached). The reversible encryption hashes are easily decrypted to the original keys using tools available online.

    My question is: what's the technical compulsion behind storing the authentication keys in reversible encryption hashes, and is there a way to avoid this and use MD5 instead?

    Attachment: SRX-Config.txt (385 B)

  • 2.  RE: Junos Password and key storing hashes
    Best Answer

    Posted 01-20-2018 10:33

    This has already been handled from Junos 15.1X49-D50 and 16.2R1 for MX/QFX.

    You can define a master password which then encrypts the $9$ strings. You can then only use the $9$ values if you know the master password.

    More information here: https://www.juniper.net/documentation/en_US/junos/topics/concept/harden-shared-secrets.html


    I hope this answers your question 🙂

  • 3.  RE: Junos Password and key storing hashes

    Posted 01-20-2018 10:43

    Thank you Jonashauge. That's what I was looking for 🙂

  • 4.  RE: Junos Password and key storing hashes

    Posted 05-13-2024 19:01

    If I use a master password, it will hash it as $9. When I pull a config file with a hashed key $9, the SRX errors out. If I replace the hashed key with $8, the newly loaded config file has no issue. Is there a way to force the SRX to generate a $8 hashed key so I can transit the config file from one SRX 340 to another with no key issue?

    Thanks in advance.
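
Added example, not part of the thread or of any Juniper tooling: a small auditor that classifies every stored secret in a Junos configuration by its prefix, so the `$9$` values the thread describes as reversible can be found before a config file is shared, archived, or moved to another device. The sample configuration and all secret values in it are constructed; the `$5$` and `$6$` entries are the standard crypt(3) identifiers, and `$8$` is treated here as the master-password-encrypted format.

```python
import re

# Prefix id -> (description, recoverable from the config text alone?)
SCHEMES = {
    "1": ("MD5-crypt one-way hash", False),
    "5": ("SHA-256-crypt one-way hash", False),  # crypt(3) id, not from the thread
    "6": ("SHA-512-crypt one-way hash", False),  # crypt(3) id, not from the thread
    "8": ("encrypted under the master password", False),
    "9": ("reversible obfuscation, no key required", True),
}

# Matches the keyword before a quoted "$N$..." value, in both "set" style
# and curly-brace style (e.g. secret "$9$..."; ## SECRET-DATA).
SECRET_RE = re.compile(r'(?P<stmt>[\w-]+)\s+"\$(?P<id>\d)\$[^"]*"')

def audit(config_text):
    """Return one finding per line that carries a stored secret."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = SECRET_RE.search(line)
        if not m:
            continue
        # Unknown prefixes are flagged for manual review rather than trusted.
        desc, exposed = SCHEMES.get(m["id"], ("unknown format", True))
        findings.append({"line": lineno, "statement": m["stmt"],
                         "prefix": "$%s$" % m["id"], "scheme": desc,
                         "exposed": exposed})
    return findings

def exposed_lines(config_text):
    """Line numbers whose secret is recoverable from the file alone."""
    return [f["line"] for f in audit(config_text) if f["exposed"]]

# Constructed sample; none of these values is a real hash or key.
SAMPLE = '''\
set system login user admin authentication encrypted-password "$1$CONSTRUCTED$notARealHash"
set system tacplus-server 192.0.2.10 secret "$9$CONSTRUCTEDobfuscated"
set system radius-server 192.0.2.11 secret "$8$CONSTRUCTED$masterPasswordProtected"
set security ike policy P1 pre-shared-key ascii-text "$9$CONSTRUCTEDpsk"
set system host-name srx-lab
'''

if __name__ == "__main__":
    for f in audit(SAMPLE):
        flag = "REVIEW" if f["exposed"] else "ok"
        print("%-6s line %d %s %s (%s)" % (flag, f["line"], f["statement"],
                                           f["prefix"], f["scheme"]))
```

Any line reported as `REVIEW` holds a secret that should be rotated or re-protected before the file leaves the device.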