Tech/FIREWALL IPS

SRX JunOS Encryption User Password Type

by 눈꽃산행 2019. 2. 15.


Password encryption

- For ISMS/PIMS certification audits, administrator passwords on information security systems are recommended to be encrypted with SHA256 or stronger.


  • In Junos OS release 12.3 and earlier images, MD5 encryption is used and the password starts with $1$.
  • In Junos OS release 15.1 image, SHA256 encryption is used and the password starts with $5$.
  • In Junos OS release 17.2 and later images, SHA512 encryption is used and the password starts with $6$.

    Which means an OS upgrade is required . . .

    However, the SRX Junos runs as an HW cluster, so the upgrade requires downtime, and the service impact is too large.

    - Case 1: divert traffic over a bypass link on the switches above and below the firewall, then perform the upgrade.

    - Case 2: accept the service outage and perform the upgrade.


    -----------------------------------------------------------------------------------------------------------------------------------------------

    [EX] Password hashing/encryption differences between Junos OS release 15.1 and earlier releases

      [KB31903]


    Summary:

    When an EX Series switch is downgraded from Junos OS release 15.1 to release 12.3 after implementing any changes, such as root-authentication password change or creation of new users, the password credentials will not work due to a difference in the hashing mechanism used in the two releases.

    This article indicates the difference in hashing or encryption between the two releases, and provides a workaround to make password decryption successful after a downgrade.


    Symptoms:

    When an EX Series switch is downgraded from Junos OS release 15.1 to release 12.3, the SHA256-hashed password does not work.


    Cause:

    There is a difference in the way a plain-text password is hashed and stored as encrypted in Junos OS release 15.1 and in release 12.3 and earlier.

    In Junos OS release 12.3 and earlier images, encrypting and decrypting of passwords by using SHA256 is not supported. This is a limitation in Junos OS release 12.3. Therefore, if a password that is encrypted by using SHA256 in Junos OS release 15.1 is provided to Junos OS releases 12.3 and earlier, the password decryption will fail.

    The encryption used is as follows:

    • In Junos OS release 12.3 and earlier images, MD5 encryption is used and the password starts with $1$.
    • In Junos OS release 15.1 image, SHA256 encryption is used and the password starts with $5$.
    • In Junos OS release 17.2 and later images, SHA512 encryption is used and the password starts with $6$.

    Behavior in Junos OS release 12.3

    In Junos OS release 12.3 and earlier, when a password is configured as plain text, MD5 hashing is performed and the password is stored as encrypted text.

    In MD5 hashing, passwords start with $1$:

    root> show version
    fpc0:
    --------------------------------------
    Model: ex4200-48t
    JUNOS Base OS boot [12.3R12.4]
    
    root> show configuration system root-authentication
    encrypted-password "$1$XPioD6/t$Bp0WQzJEJ/K.VArjFEBLm."; ## SECRET-DATA  >>#### MD5 hashed; starts with $1$

    Behavior in Junos OS release 15.1

    In Junos OS release 15.1, when a password is configured as plain text, SHA256 hashing is performed and the password is stored as encrypted text.

    In SHA256 hashing, passwords start with $5$:

    root> show version
    fpc0:
    -------------------------------------
    Model: ex4200-48t
    Junos: 15.1R6.7
    
    root# ...system login user jegan1                        
    uid 2009;
    class super-user;
    authentication {
    encrypted-password "$5$bGGp.1bp$mGm5mTKY4OYcsdVx.OaWA5utujyMfKiRgujsWiWK5.6"; ## SECRET-DATA  >>####SHA256 hashed; starts with $5$
    }


    Solution:

    This is a limitation in Junos OS 12.3 and earlier.

    Before downgrading to Junos OS release 12.3, make sure to check that the encrypted passwords are stored as MD5 hashed passwords.

    root@switch> show configuration system root-authentication
    encrypted-password "$1$XPioD6/t$Bp0WQzJEJ/K.VArjFEBLm."; ## SECRET-DATA    >>#### MD5 hashed; starts with $1$

    Workaround

    Check whether the password is hashed to MD5 (password starts with $1) or SHA256 (password starts with $5). If the password is hashed to SHA256, then configure a new root authentication or configure new user credentials with MD5 hashing as shown below:

    Syntax

    set system login user test class super-user authentication encrypted-password "MD5 hashed encrypted password"

    Example

    root#set system login user test class super-user authentication encrypted-password "$1$XPioD6/t$Bp0WQzJEJ/K.VArjFEBLm."
    root#commit

    MD5-hashed encrypted passwords can also be obtained by configuring a plain-text password in any device that is running Junos OS release 12.3 or by looking up the device configuration file.
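    As an added example (not part of the original post or the Juniper KB), the following Python script applies the prefix rules quoted above to `show configuration` output. It classifies each `encrypted-password` or `secret` value by its `$id$` prefix, checks that the digest has the length expected for that scheme, and reports whether the value would survive a downgrade to 12.3 (MD5 only, per the KB) and whether it meets the SHA256-or-stronger recommendation from the ISMS/PIMS note at the top of the post. The sample configuration is constructed from the hash values shown on this page; the minimum-release table is derived from the KB's prefix list, and the expected digest lengths (22 for MD5-crypt, 43 for SHA256-crypt, 86 for SHA512-crypt) are those of the standard crypt(3) formats, both added here as assumptions.

```python
import re

# Scheme identifier -> (name, expected base64 digest length).
# The prefix-to-algorithm mapping is the one the KB quotes; the digest
# lengths are those of the standard crypt(3) formats (assumption added here).
# $9$ is Junos's reversible obfuscation for shared secrets, not a hash.
SCHEMES = {
    "1": ("MD5-crypt", 22),
    "5": ("SHA256-crypt", 43),
    "6": ("SHA512-crypt", 86),
}

# Earliest Junos release that accepts each scheme, from the KB's list.
MIN_RELEASE = {"1": (12, 3), "5": (15, 1), "6": (17, 2)}

# Values of interest in 'show configuration' output.
SECRET_RE = re.compile(r'(encrypted-password|secret)\s+"([^"]+)"')
# Modular crypt format: $id$[rounds=N$]salt$digest
MCF_RE = re.compile(r'^\$(\d)\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$([./0-9A-Za-z]+)$')


def classify(value):
    """Return (scheme_id, scheme_name, well_formed) for one secret value."""
    if value.startswith("$9$"):
        return "9", "Junos $9$ obfuscation", True
    m = MCF_RE.match(value)
    if not m or m.group(1) not in SCHEMES:
        return None, "unknown", False
    sid, digest = m.groups()
    name, expected_len = SCHEMES[sid]
    return sid, name, len(digest) == expected_len


def audit(config_text, target_release=(12, 3)):
    """Scan configuration text and return one finding per secret found."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for kind, value in SECRET_RE.findall(line):
            sid, name, ok = classify(value)
            findings.append({
                "line": lineno,
                "kind": kind,
                "scheme": name,
                "well_formed": ok,
                # A login hash survives a downgrade only if the target
                # release already supported its scheme; $9$ secrets are
                # unaffected, as the KB notes for RADIUS/TACACS+.
                "survives_downgrade": sid == "9" or (
                    sid in MIN_RELEASE and MIN_RELEASE[sid] <= target_release),
                # ISMS/PIMS note: admin passwords should use SHA256 or
                # stronger. Not applicable to $9$ shared secrets.
                "meets_sha256_policy": None if sid == "9" else sid in ("5", "6"),
            })
    return findings


# Constructed sample assembled from the values shown on this page.
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$1$XPioD6/t$Bp0WQzJEJ/K.VArjFEBLm."; ## SECRET-DATA
    }
    login {
        user jegan1 {
            authentication {
                encrypted-password "$5$bGGp.1bp$mGm5mTKY4OYcsdVx.OaWA5utujyMfKiRgujsWiWK5.6"; ## SECRET-DATA
            }
        }
    }
    radius-server {
        10.10.157.3 {
            secret "$9$CxTepORreW-VYhSVYgojiAp0"; ## SECRET-DATA
        }
    }
}
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f['line']:>3} {f['kind']:<18} {f['scheme']:<22} "
              f"well-formed={f['well_formed']} "
              f"survives-12.3-downgrade={f['survives_downgrade']} "
              f"sha256-policy={f['meets_sha256_policy']}")
```

    Run it against saved `show configuration` output before a downgrade: any login credential reported as not surviving the downgrade is one the KB's workaround (re-creating it with an MD5-hashed value) applies to, while a `False` in the SHA256-policy column is the finding an ISMS/PIMS review would raise on a 12.3 device.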

    Users who are authenticated via RADIUS/TACACS+ servers will not be affected after a downgrade.

    {master:0}[edit]
    root@switch# show system radius-server
    10.10.157.3 {
        secret "$9$CxTepORreW-VYhSVYgojiAp0"; ## SECRET-DATA   >> Encrypted secret password starts with $9$ in both 12.3 and 15.1.
        source-address 10.10.146.94;
    }
